Changes

From Security Weekly Wiki
1,882 bytes added, 01:08, 11 October 2014
Text replacement - "PaulDotCom SANS" to "Security Weekly SANS"
= Announcements & Shameless Plugs =
Live from the PaulDotCom G-Unit Studios, welcome to PaulDotCom Security Weekly, Episode 122 for September 11th, 2008.
Welcome to PaulDotCom Security Weekly, a show for security professionals, by security professionals. This week with a special guest in the studio!
* [http://pauldotcomsecurityweekly.com/sans/ PaulDotCom Security Weekly SANS Click-Through] - Go there, register for fabulous SANS training! Go now!
* [http://www.whitewolfsecurity.com/ice2.htm ICE (Integrated Cyber Exercise) - Oct. 1-3 at SANS Las Vegas!] - Interview in this episode!
* NS2008! Paul giving keynote: Things That Go Bump In The Network: Embedded Device (In)Security and teaching SEC535, Network Security Projects Using Hacked Wireless Routers! Don't forget our live podcast immediately following!
* [http://www.sans.org/mentor/details.php?nid=12904 "I met you yesterday at SANS and was wondering if you could help me promote my mentor session of SEC508 starting on September 23rd. If you could forward this invitation onto your network of contacts, that would be awesome."] - Evan
* Beer, Facebook, Linkedin, Twitter
 
=Episode Media=
 
[http://media.libsyn.com/media/pauldotcom/pauldotcom-SW-episode122pt1a.mp3 mp3 pt 1]
 
[http://media.libsyn.com/media/pauldotcom/pauldotcom-SW-episode122pt2.mp3 mp3 pt 2]
= Jay Beale Interview =
Thanks and I promise to catch up on all the past shows.
Scott"
 
= Security FAIL Of The Week: How not to work remotely from the coffee shop =
 
[http://feeds.feedburner.com/~r/AndyItguy/~3/384474794/how-not-to-work-securely-from-coffee.html Andy The IT Guy Reference]
 
[[Image:Unattendedlaptop.jpg]]
 
I noticed this twice, once in Starbucks, and once at a local Pei Wei restaurant.
= Stories Of Interest =
[http://feeds.engadget.com/~r/weblogsinc/engadget/~3/387757277/ Cheap SSD Drives] - [Larry] great, they are getting cheap - 32 Gig for $99, although slower and more power hungry than spinning disk. I bring this up because SSD drives provide a significant barrier to recovering deleted and/or modified data. This makes it very difficult to perform any type of forensics on these drives. How, as an industry, do we deal with this situation? Not allow system disks to utilize SSD?
[http://feeds.engadget.com/~r/weblogsinc/engadget/~3/387677950/ Secure RFID Technology?] - [PaulDotComPaul] - Continuing our discussion from last week, here is a story about a new technology from Verayo which aims to use PUF (Physical Unclonable Functions) to generate a random identifier. Truth? Fiction? Who knows, this is why testing the security of devices is so important. [http://www.verayo.com/technology.html Read more here]
[http://feeds.feedburner.com/~r/AnInformationSecurityPlace/~3/387631828/ "21" Meets RFID and the 21st century] - [PaulDotComPaul] - Chalk this up to "stupid ideas" here is an RFID poker table, nice!
[http://www.heise-online.co.uk/security/USB-stick-with-hardware-AES-encryption-has-been-cracked--/features/111194 Encryption is great!] - [Larry] - but bad implementations, and those that retrieve encrypted passwords, are bad. We say all the time to use tried and true encryption algorithms, and this USB key manufacturer did just that. However, they added the ability for the password that is also used to access the device to be checked against a history of passwords. This function resides in memory, and brute force of the passwords can be conducted.
 
[http://www.f-secure.com/weblog/archives/00001487.html A Note About Mobile (in)security] - [Paul] - So, to make a long story short, while an F-Secure researcher was giving a presentation about mobile security, a bluetooth worm outbreak happened and people's phones in the room were infected. There is also this [http://www.f-secure.com/weblog/archives/00001483.html scary Java vulnerability] that could affect mobile phones, over 100 million of them in fact. So, how do you control this in your environment? Do you just give people phones, or do you have a managed system like Blackberry? But what happens if a bluetooth phone worm creeps into your building? "Hi, this is security, before you can enter the building you must disable bluetooth on your phone". Is there even such a thing as a bluetooth IDS/IPS?
[http://www.heise-online.co.uk/security/USB-stick-with-hardware-AES-encryption-has-been-cracked--/features/111194 SCADA Attack released] - [Larry] - No offense to Kevin, but this is a re-implementation of the attack released by CORE a month or so back. So why does this one seem to get more press? This implementation is a Metasploit module. Yep, you can attack the latest in SCADA vulnerabilities for free.
[http://hardware.slashdot.org/article.pl?sid=08/09/08/2246203&from=rss You own the hardware] - [Larry] - You own the hardware, so tinker with it. There are already some folks poking at the Esquire magazine E-ink cover. Sure, not a device that has huge security implications, but take ownership of all of the other small (or large) devices that you network in your home or office.
 
[http://securityvulns.com/Udocument473.html Wireless Driver Vulns, and no patches, oh my!] - [Paul] - Laurent Butti and Julien Tinnes from France Telecom have found vulnerabilities (DoS, possible remote code) in several wireless chipsets. For example, the Netgear WN802T (firmware 1.3.16) with MARVELL 88W8361P-BEM1 chipset is vulnerable to a bug that "...can be triggered by a malicious association request to the wireless access point with a Null SSID." Wow, that's pretty easy, and guess what, NO PATCH. [http://securityvulns.com/Udocument474.html This one, for Atheros, is patched]
[http://news.cnet.com/8301-1009_3-10035580-83.html?part=rss&subj=news&tag=2547-1009_3-0-20 Twitter to spread malware] - [Larry] - I'd have liked to see more, less user interaction. See blog post.
