Paul's Security Weekly - Episode 377 for Thursday June 19th, 2014
And now, from the dark corners of the Internet, where exploits run wild, packets aren’t the only things getting sniffed, and the beer flows steady its Paul’s Security Weekly!
- This segment is sponsored by Palo Alto Networks creators of THE next-generation firewalls, helping you enforce network security policies based on applications, users, and content. Visit them on the web at www.paloaltonetworks.com
- and by The SANS institute the most trusted source for computer security training, certification and research. visit www.sans.org to learn more
- and by Tenable Network Security, the creators of Nessus, the worlds best vulnerability scanner. Check out the new Nessus Enterprise and Nessus Enterprise cloud, engage your IT department in the vulnerability management process today!
"Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet..."
"Here's your host, a man who is never truly satisfied, either manualy, artificially, with a flesh light, Paul Asadoorian!"
- Security Weekly Updates::
- Be sure to check out our new 4 day Active Defense and Offensive Countermeasures class at Black Hat Vegas!
- SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Stay tuned for updates, registration, discount codes and sneak previews!
- You can purchase Hack Naked T-Shirts online via http://shop.securityweekly.com get yours today!
- Attend the show live if you are in the RI area, check http://securityweekly.com/attend for details
Guest Interview: Chris "loganWHD" Hadnagy
Chris Hadnagy, aka loganWHD, has been involved with computers and technology for over 14 years. Presently his focus is on the "human" aspect of technology such as social engineering and physical security. Chris has spent time in providing training in many topics around the globe and also has had many articles published in local, national and international magazines and journals.
- How does one get started social engineering?
- Now that Social Engineering has gotten a lot of press and awareness, are our jobs as professional social engineers getting harder? Are we like magicians who give away how the tricks are done?
- Some of the best social engineers are interested in sociology, what are like the top 3 things about people's behavior that make it easy to social engineer them?
- What is one of the most successful SE attacks used by bad guys (whether its a type of phish, mobile phone trick, etc...)?
- Tell us about some of the recent guests on your show, why did you choose them and what did they talk about?
- Three words to describe yourself
- If you were a serial killer, what would be your weapon of choice?
- If you wrote a book about yourself, what would the title be?
- In the popular game of Ass Grabby Grabby do you prefer to go first or second?
- If you could have dinner with one celebrity, who would it be?
Ten more questions to ask at random:
- If you had super powers, what would they be?
- A penguin walks through that door right now wearing a sombrero. What does he say and why is he here?
- If we came to your house for dinner, what would you prepare for us?"
- Pick two celebrities to be your parents."
- What do you think about when you are alone in your car?
- What song best describes your life?
- If you were a Star Trek® [or Star Wars® ] character, which one would it be?
- If you were 80 years old, what would you tell your children?
- What is the record amount of time you have gone without a shower?
- What is the geekiest thing you've ever done/created/bought/said?
Guest Interview: Steve Christy
- How did you get your start in information security?
- CVE turns 15 this year, how did the CVE begin?
- What major change is coming to the CVE program?
- Where are most of the vulnerabilities coming from that end up as CVEs?
- When vendors find bugs in their own software, do they request a CVE from you?
- The formal CVE entry typically doesn't contain detailed information about the vulnerability, mitigation, etc... How come?
- The vuln research industry is aging. The industry didn't EXIST, really, 10 years ago. What of the next generation of researchers? Are they being left in the dust?
- This segment is brought to you by http://www.blacksquirrel.io/ - Pentest Networks from Your Browser! Exploit the limits of network security through just a browser. Have a Chrome exploit in your toolkit? Good, but for the rest of us there's Black Squirrel. Visit blacksquirrel.io for more information.
- and by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/
- and by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at pwnieexpress.com
- Cisco Security Advisory: Undocumented Test Interface in Cisco Small Business Devices
- "Ten Years Later
- Black Hat USA 2014: Embedded & Vulnerable
- Tavis Ormandy finds an embarrassing hole In more Microsoft products
- "Research Project Pays People to Download
- Gear to Block ‘Juice Jacking’ on Your Mobile
- Ransomware with a happy ending | Naked Security
- Vixie: Open Internet is Slowly Poisoning Us
- "Hacking the DSP-W215
- "Hacking the DSP-W215
- "Hacking the DSP-W215
- Products endorsed by cybersec experts
- Latin in Truecrypt? - [Larry] - So, take the first letter of each word in the parting message, and it is bad Latin for "I'm with the NSA now" or some variant. Time to get your tin foil hats.
- Transmitting ADS-B... - [Larry] wow, talk about dangerous bat man, but this was exactly what Renderman was talking about in his DEFCON talk...unauthenticated radio that can crash planes.
- Need some advice - verification on the illegality of decoding Pager traffic in the US. I'm told it is illegal, but only prosecuted when shared with a third party. I'm looking for discussion, rulings, court cases, specific sections of law, etc.