From Paul's Security Weekly
Recorded November 7, 2019 at G-Unit Studios in Rhode Island!
- Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
- OSHEAN and the Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18th from 9am-3pm at Salve Regina University in the beautiful Newport, RI! Visit securityweekly.com/OSHEAN2020 to register for free and come join in the fun!
- We have officially migrated our mailing list to a new platform! Sign up for the list to receive invites to our virtual trainings, webcasts, and other content relative to your interests by visiting securityweekly.com/subscribe and clicking the button to join the list! You can also submit your suggestions for guests by going to securityweekly.com/guests and submitting the form! We'll review them monthly and reach out if they are a good fit!
- Our first-ever virtual training is happening on March 19th @11:00am ET, with Adam Kehler & Rob Harvey from Online Business Systems Risk, Security & Privacy Team. In this training you will learn how to generate a complex SHA-256 hashed password and then use password cracking tools to break it. Register for our upcoming trainings by visiting securityweekly.com, selecting the webcast/training drop down from the top menu bar and clicking registration.
Interview: Peter Smith, Edgewise - 6:00-6:30PM
Tech Segment: Kevin Finisterre & Josh Valentine, Arcade Hacking - 6:30PM-7:00PM
The arcade scene and how it relates to the computer security scene
Josh and I have spent the last year immersing ourselves in arcade platforms, games, and cabinets. There is quite a bit of cross over into the traditional security scene. There is even more to learn in the subtle differences of how each scene handles. We'd like to talk about our project Arcade Hustle, and the things we've learned during our into to the arcade scene.
- Similarities and differences between arcade hardware, consoles gaming, and PC gaming. (similar to #4 that Kevin provided)
- Dedicated hardware, COTS hardware. e.g. SH4, x86/64, JVS/JAMMA/FastIO
- How does security fit into all of this?
- PC based arcade games
- software updates
Security News - 7:30-8:30PM
- Who is responsible for Active Directory security within your organization? - Help Net Security - But 24% said that they don’t know who is responsible for Active Directory security within their organization – showing that sometimes this important function can fall through the cracks between IT and security teams. If you are one of these companies, we need to chat :)
- Presentation Template: Build Your 2020 Security Plan - Just one slide, big letters: We're Screwed.
- A Warning About Viruses From Weird Al - Thanks for burning my best email phishing campaign, "Stinky Cheese" was so successful!
- Apple publishes new technical details on privacy features - Apple also outlined steps it has taken to cut off app developers that circumvent its rules. For example, even when users have turned off location-based services that use an iPhone’s GPS chips, app developers can scan for nearby Wi-Fi networks and Bluetooth devices to approximate the user’s location. Developers now must ask permission for Bluetooth access, for example, and explain why it is needed, Apple’s guides said. Googles respons is classic: Google Chief Executive Sundar Pichai said in a New York Times op-ed that “privacy cannot be a luxury good offered only to people who can afford to buy premium products.” Says the company with a $1k phone with less feature's than the iPhone 11...
- Facebook reveals privacy flaw in Groups - Crap, now they know where I get my memes: With permission, app developers could access a group's name, the number of members and the content of posts. However, they could only access member names and photos if people explicitly opted in. But on Tuesday, the company revealed that about 100 "partners" retained access following the change.
- Bug Hunters Earn $195,000 for Hacking TVs, Routers, Phones at Pwn2Own | SecurityWeek.Com
- Camgirl sites expose millions of members and users
- How to ensure online safety with DNS over HTTPS
- Mobile security firms will help protect Google Play - Help Net Security
- Printers: The overlooked security threat in your enterprise | TECHtalk - Overlooked for sure, but attackers don't need to hack your printer. Largely we've observed attackers using other methods to obtain data, and printer attacks are not popular, yet. Email phishing and lateral movement within the domain using credentials wins almost every time. When we force attackers to step outside this technique, they may turn to printers, however its still an opportunistic attack.
- Capital One Shifts Its CISO to New Role - Dark Reading
- Amazons Ring Video Doorbell could open the door of your home to hackers - The controversial title is beyond irresponsible, which I am shocked as this site is typically pretty good. First, you'd have to have a smart lock on your front door, and not use any other type of lock as a backup. Also, if you have smart locks, be certain you have cameras. And yes, an attacker could use the Doorbell vulnerability to get the Wifi password, open the door and then delete the recordings from the camera. But holy crap, how did we get here? In any case, in order for the vulnerability to be exploitable, the Ring doorbell must be re-configured. The article suggests that a constant de-auth attack could then, in turn, cause the user to re-configure the device, leaving it exposed to the vulnerability that will cough up the Wifi password. All of this will likely just go away once Ring pushes an update. Every IoT security flaw is not the end of the world or even deserves an article to be written about it.
- Bill Gates says people would be using Windows Mobile if not for the Microsoft antitrust case - “There’s no doubt the antitrust lawsuit was bad for Microsoft, and we would have been more focused on creating the phone operating system, and so instead of using Android today, you would be using Windows Mobile if it hadn’t been for the antitrust case,” Gates, a Microsoft co-founder and board member, said at the New York Times’ DealBook conference in New York. Really? Somone send Bill a copy of "Extreme Ownership".
- What you probably didnt know about sudo
- New 'unremovable' xHelper malware has infected 45,000 Android devices | ZDNet
- People are posting their genitals on Reddit to get STI diagnoses - “Social media was not built to deliver health care,” UC San Diego scientist and study co-author Alicia Nobles told CNBC.