Changes

From Security Weekly Wiki
6,709 bytes added, 16:28, 29 June 2017
m
Text replacement - "\{\{\#ev\:bliptv\|(.*)\}" to "\[https://youtube.com/securityweeklytv Visit The Security Weekly YouTube Channel for all of our latest videos\!\]"
{{Advertisements}}
= Episode Media =
[http://traffic.libsyn.com/pauldotcom/PaulDotCom-333-Part1.mp3 MP3]
= Announcements & Shameless Plugs =
PaulDotCom Security Weekly - Episode 333 for Thursday May 30th, 2013
* Register at Blackhat USA Las Vegas! [https://www.blackhat.com/us-13/training/offensive-countermeasures-the-art-of-active-defenses.html Offensive Countermeasures: The Art Of Active Defense] July 27-28 & 29-30, register before May 31 for the best price!
* We are looking for sponsors for monthly webcasts in conjunction with SANS - contact paul -at- hacknaked.tv for details!
* Come to [http://www.securitybsides.com/w/page/61966594/BSidesRI Security BSides Rhode Island Two-Day Conference] on June 14th and 15th. Tickets are NOW ON SALE at [https://www.wepay.com/events/141697 WePay.com]. Featured presentations from Josh Wright, Kevin Finisterre, Kati Rodzon and Mike Murray, Bruce Potter, Joe McCray, Ron Gula, Ben Jackson, Dave Maynor and the entire PaulDotCom Security Weekly crew!
* Planning for the 11th Annual Louisville Metro InfoSec Conference is now underway - the event will be Thursday October 3rd, 2013 in Shepherdsville KY, just south of Louisville. We are looking for technical and business speakers from the infosec world - as well as sponsorships - which run from $500 to $5000 for a keynote sponsorship. Between 400-500 attendees will spend the day learning from world-class speakers, rubbing elbows with the region's security professionals, and having lots of fun! Visit the site at louisvilleinfosec.com.
= Interview: Gunnar Peterson=
<center>[https://youtube.com/securityweeklytv Visit The Security Weekly YouTube Channel for all of our latest videos!]</center>
 
Gunnar Peterson does security consulting, training and research on Identity and Access Management, Cloud, Mobile and software security. He is a Microsoft MVP for Application security, an IANS Research Faculty member, and a Securosis Contributing Analyst. He maintains a popular information security blog at http://1raindrop.typepad.com.
 
Twitter: @oneraindrop
 
The word "trust" seems to be misused and misunderstood in security. Can you share your thoughts on "trust" and the dangers of the concept as we use it in security?
 
There are a lot of security people making statements about "risk". What factors do the following play in the risk equation: "whether you are feeling happy, sad, anxious, angry or disgusted; how much money you had between the ages of 18 and 25; whether, if you are a man, a woman recently touched you on the shoulder; whether, if you are a woman, there are a lot of men in the room; how well the market has done lately; which country or culture you come from; how long ago you ate your last meal; whether you smoke; how much you weigh; whether you put your feet up on a table when you were thinking about the risk; whether at least 75 people have died in an airplane crash in the past three days; whether the sun is shining; how urgently you need to go to the bathroom;"
 
To ask the age old question, "How can we make more informed risk-based decisions"? Or does it really go deeper than just "risk"?
 
What data can be collected about information security in an organization to help predict what could happen, and how does it affect your risk equation? I love the Turkey analogy; I think it means you do the same things every day, and then factors beyond your control change, so how do you measure that?
 
What are some parallels between investing and security?
= Tech Segment: Chris Truncer on Veil=
<center>[https://youtube.com/securityweeklytv Visit The Security Weekly YouTube Channel for all of our latest videos!]</center>

Chris Truncer is a Penetration Tester at Veris Group where he performs a variety of assessments for Federal and commercial customers. Currently Chris is supporting DHS and their development of an operational Penetration Testing team to support civilian government agencies. He currently helps to develop the overall program while also leading pen testing teams for other customers. His specialties include wireless network assessments and network level penetration testing. Recently, Chris became interested in AV evasion methods, which led to the development of Veil.

Links:
* Twitter - @ChrisTruncer
* Website: http://www.christophertruncer.com
* Upcoming Classes:
** https://www.blackhat.com/us-13/training/adaptive-red-team-tactics.html
** https://www.blackhat.com/us-13/training/adaptive-penetration-testing.html
== Announcement ==
* Join Paul and John for a [https://www.sans.org/webcasts/common-tools-breach-systems-96732 free webcast on June 4th] at 1:30PM ET on "The Three Most Common Tools Used to Breach Systems"
* We are in the process of archiving and cataloging our technical segments. Please visit the [http://pauldotcomsecurityweekly.com/wiki/index.php/TechSegments PaulDotCom Security Weekly Technical Library] and the index of all the [http://pauldotcomsecurityweekly.com/wiki/index.php/Interviews interviews we have conducted]. Also, please follow us on Google+: [https://plus.google.com/communities/104303121236769636115 The PaulDotCom Security Weekly Google+ Community], [https://plus.google.com/106764787434811009569/posts The PaulDotCom Security Weekly Google+ Page] and [https://plus.google.com/108998557249071696489/posts Paul's Google+ Page].
* [http://www.sans.org/instructors/lawrence-pesce Larry teaching SANS SEC617] all over and coming to a city near you in 2013. It isn't too late to sign up for my class in San Diego this May! (Actually, it is, so sign up for SANSFIRE next month and NS2013 in Vegas!)
= Stories =
 
<center>[https://youtube.com/securityweeklytv Visit The Security Weekly YouTube Channel for all of our latest videos!]</center>
== Paul's Stories ==
#[http://blog.whitehatsec.com/interview-with-a-blackhat-part-1/ Interview With A Blackhat (Part 1) | WhiteHat Security Blog]
#[http://security.sunera.com/2013/05/download-multiple-nessus-reports-via_21.html Sunera Information Security Blog: Download Multiple Nessus Reports via the Nessus XML-RPC API]
#[http://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html Improving the security of your SSH private key files — Martin Kleppmann’s blog]
#[http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/ A closer look at a recent privilege escalation bug in Linux (CVE-2013-2094) at time to bleed by Joe Damato]
#[http://www.h-online.com/security/news/item/Log-file-vulnerability-in-Apache-server-1873651.html Log file vulnerability in Apache server]
#[http://www.h-online.com/security/news/item/Google-cuts-grace-period-for-vendors-of-vulnerable-software-1873878.html Google cuts grace period for vendors of vulnerable software]
#[http://www.darkreading.com/vulnerability/hacking-firmware-and-detecting-backdoors/240155815 Hacking Firmware And Detecting Backdoors -- Dark Reading]
==Larry’s Stories==
==Jack’s Stories==
#[http://www.darkreading.com/attacks-breaches/internet-crime-cost-consumers-more-than/240154922/Internet Crime Cost Consumers More Than A Half-Billion Dollars Last Year] at least if you believe this report.
#[http://www.washingtonpost.com/world/national-security/confidential-report-lists-us-weapons-system-designs-compromised-by-chinese-cyberspies/2013/05/27/a42c3e1c-c2dd-11e2-8c3b-0b5e9247e8ca_story.html Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies] The Chinese again. Or is this FUD? Here's [http://www.washingtonpost.com/world/national-security/a-list-of-the-us-weapons-designs-and-technologies-compromised-by-hackers/2013/05/27/a95b2b12-c483-11e2-9fe2-6ee52d0eb7c1_story.html A list of the U.S. weapons designs and technologies compromised by hackers]
#[http://thehackernews.com/2013/05/blueprints-of-australias-top-spy-agency.html Blueprints of Australia's top spy agency headquarters stolen by Chinese hackers] Is it bad when the Chinese steal your spy agency's floorplans? Yeah, probably. More details in this [http://www.abc.net.au/4corners/stories/2013/05/27/3766576.htm ABC report] (That's ABC as in Australian Broadcasting Company).
#[http://www.theverge.com/2013/5/23/4358400/google-engineer-bashes-microsoft-discloses-windows-flaw Google engineer publicizes Windows zero-day bug, claims Microsoft is 'difficult to work with']
#[http://seclists.org/fulldisclosure/2013/May/211 PayPal Bug Bounty Controversy - I found the XSS first: They still didn't pay me]
== Allison's Stories ==
 
#[https://krebsonsecurity.com/2013/05/ddos-services-advertise-openly-take-paypal/ DDoS Services Advertise Openly, Take PayPal] This is the result of some research that my friend Brandon Levene and I have been conducting over the past several months. These DDoS-for-hire sites are typically used to cheat at videogames or express someone's rage, and operate in a grey area where we don't see any enforcement action against these sites even though they are clearly malicious. As of a couple weeks ago, ~100% of booter sites I surveyed accept PayPal as payment, and ~70% are protected by Cloudflare.
#[https://krebsonsecurity.com/2013/05/ragebooter-legit-ddos-service-or-fed-backdoor/ Ragebooter: ‘Legit’ DDoS Service, or Fed Backdoor?] A second part in a [??] part series. We document the hilariously public life of a booter owner and some technical details of his site. His site is mostly used for cheating at video games by DDOSing the opponent and disconnecting their home connection. I tested the site and found it to be almost completely nonfunctional. The site covered here also accepts PayPal and is protected by Cloudflare.
#[https://krebsonsecurity.com/2013/05/u-s-government-seizes-libertyreserve-com/ U.S. Government Seizes LibertyReserve.com] For those not in the know, Liberty Reserve is the #1 payment processor in the criminal underground. It's structured for maximum obfuscation so you can't see where the money came from and where it's going. This takedown will cause ripples in the criminal underground before they move on to the next payment processor.
==Patrick's Stories==