Difference between revisions of "Episode250"

From Security Weekly Wiki
Jump to navigationJump to search
m (Text replacement - "\{\{\#ev\:bliptv\|(.*)\}" to "\[https://youtube.com/securityweeklytv Visit The Security Weekly YouTube Channel for all of our latest videos\!\]")
 
(38 intermediate revisions by 6 users not shown)
Line 4: Line 4:
 
= Announcements =
 
= Announcements =
  
PaulDotCom Security Weekly - Episode 250 for Friday July 8th, 2011.
+
Security Weekly - Episode 250 for Friday July 8th, 2011.
 
 
* El primer Episodio de PaulDotCom Espanol [http://pauldotcom.com/wiki/index.php/PaulDotCom_Espanol esta disponible aqui].  Tenemos mas entrevistas en las semanas que vienen....
 
  
 +
* Los tres primeros episodios de Security Weekly Espanol con Julio Canto, Lorenzo Martinez, y Chema Alonso [http://securityweekly.com/wiki/index.php/PaulDotCom_Espanol esta disponible aqui].  Tenemos mas entrevistas en las semanas que vienen....
 
* Sign up for Blackhat Training Courses:
 
* Sign up for Blackhat Training Courses:
** PaulDotCom Blackhat Training [http://blackhat.com/html/bh-us-11/training/pauldotcom-offensive.html Sign up] for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!
+
** Security Weekly Blackhat Training [http://blackhat.com/html/bh-us-11/training/pauldotcom-offensive.html Sign up] for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!
 
** Tenable Security Blackhat Training [http://blackhat.com/html/bh-us-11/training/bh-us-11-training_TEN-AdvNessus.html Sign up] for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2
 
** Tenable Security Blackhat Training [http://blackhat.com/html/bh-us-11/training/bh-us-11-training_TEN-AdvNessus.html Sign up] for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2
  
* Don't forget to [http://pauldotcom.com/ Read our blog], [http://mail.pauldotcom.com/listinfo Participate on our mailing list], [http://pauldotcom.com/insider/ Visit PaulDotCom Insider], [http://twitter.com/pauldotcom Follow us on Twitter], and [http://pauldotcom.blip.tv Watch our Videos]!
+
* If you can't make it to BlackHat, then consider instead [http://www.sans.org/network-security-2011/description.php?tid=4921 the always fabulous SANS Las Vegas] for "Advanced Vulnerability Scanning Techniques Using Nessus" Saturday, September 17 - Sunday, September 18.
 +
* DerbyCon : Louisville, Kentucky – September 30th to October 2nd. Catch Carlos Perez's training session - [http://www.derbycon.com/automating-post-exploitation-with-metasploit "Automating Post Exploitation with Metasploit"] Friday and Saturday of the Con from 4:00PM to 9:00PM.
 +
* Don't forget to [http://securityweekly.com/ Read our blog], [http://mail.securityweekly.com/listinfo Participate on our mailing list], [http://securityweekly.com/insider/ Visit Security Weekly Insider], [http://twitter.com/securityweeklyFollow us on Twitter], [irc://irc.freenode.net/securityweeklyJoin the IRC channel at irc.freenode.net #securityweekly], and [http://blip.tv/securityweekly Watch our Videos]!
 +
** You can [http://www.facebook.com/pages/Security-Weekly/56074056651 Add us on Facebook] where we can be "friends"
 +
 
 +
=Episode Media=
 +
 
 +
[http://traffic.libsyn.com/pauldotcom/PDC-250-Part1.mp3 MP3 pt 1]
 +
 
 +
[http://traffic.libsyn.com/pauldotcom/PDC-250-Part2.mp3 MP3 pt 2]
 +
 
 +
= I Wish I Were Him =
 +
 
 +
Original by Ben Lee.  Covered and lyrics by Joshua Wright.
 +
 
 +
It may sound stupid when I say it out loud
 +
Like I'm just jealous of his silver cloud
 +
Paul's crazy as hell he drinks beer like it's Coke
 +
Gets his cigars sent by air not boat
 +
 
 +
CHORUS
 +
 
 +
I wish I was him
 +
He gets the girls at his feet
 +
And all his cool friends
 +
He gets his hardware for free
 +
I wish I was him
 +
He pays no software fees
 +
I wish I was him
 +
 
 +
He's got Metasploit commit access
 +
Scripts like a god
 +
He's got a lot of seeds for RSA key fobs
 +
Larry's got his stalker fan club, his hack naked toys
 +
He knows mudge and all the l0pht boys
 +
 
 +
CHORUS
 +
 
 +
I feel much better now I've let it all out
 +
'course Larry's got big biceps and a masculine shout
 +
Don't want to sound like I'm being mean
 +
John plays guitar much faster than me
 +
 
 +
CHORUS
 +
 
 +
I wish I was him
 +
Girls at his feet
 +
I wish I was him
 +
Hardware for free
 +
I wish I was him
 +
No software fees
 +
I wish I was him
 +
I wish I was him
 +
 
 +
= Interview: Randal "Merlyn" Schwartz=
 +
 
 +
== Media ==
 +
 
 +
<center>\[https://youtube.com/securityweeklytv Visit The Security Weekly YouTube Channel for all of our latest videos\!\]}</center>
 +
 
 +
'''Watch the live video version of this segment above. For more videos and to subscribe to Security Weekly TV visit http://blip.tv/securityweekly'''
 +
 
 +
'''COMING SOON: Download the Audio (MP3) Version of this segment here!'''
 +
 
 +
Randal Schwartz is a renowned expert on the Perl programming language. In addition to writing "Learning Perl" and the first two editions of "Programming Perl", he has written hundred of magazine articles on Perl and programming. Randal runs a Perl training and consulting company (Stonehenge Consulting Services), and is highly sought-after as a speaker for his combination of technical skill, comedic timing, and crowd rapport. He's also known as a pretty good Karaoke singer.
  
= Interview: Secret Guest! =
 
  
 
7:30 PM
 
7:30 PM
 +
 +
# According to your busy [http://www.stonehenge.com/merlyn/dot-plan.txt travel plans] you just got back from [http://www.flickr.com/photos/randal-schwartz/5901439031/ Rio] with friends, what were you doing at SERPRO?
 +
# How did you get your start in programming and information security?
 +
# What were the early days of Perl like?
 +
# You once said that to get the most out of Perl, you should program at least 3 hours a week.  Why is that?
 +
# You've done the Learning Perl (llama Book), the Programming Perl (Camel Book), and hundreds of magazine articles - which do you prefer, magazine articles or writing books?  Which is your favorite book?
 +
# If you were to pick up a language today to begin programming, would it still be Perl?
 +
# For those not in the know, why is the CPAN the 'secret weapon' of Perl?
 +
# Has the CPAN been used for malicious distribution of code (to your knowledge)?
 +
# If not too painful, can you briefly discuss your conviction and subsequent expungement of the [http://www.lightlink.com/spacenka/fors/ State of Oregon v. Randal Schwartz fiasco]?
 +
# Tell us about your hobby in sniffing clear text passwords on Geek Cruises.
 +
# How did the [https://secure.wikimedia.org/wikipedia/en/wiki/Schwartzian_transform Schwartzian transform] come into being?
 +
# How did you get involved with [https://secure.wikimedia.org/wikipedia/en/wiki/StarShipSofa Star Ship Sofa]
 +
# What are your favorite science fiction books?
 +
# Who's been your favorite guest on "FLOSS Weekly"?
 +
# Who would win in a cage match - Linus Torvalds, Bill Gates or RIchard Stallman?
  
 
= Secret Segment! =
 
= Secret Segment! =
  
8:00 to 8:30
+
== Media ==
 +
 
 +
<center>\[https://youtube.com/securityweeklytv Visit The Security Weekly YouTube Channel for all of our latest videos\!\]}</center>
 +
 
 +
'''Watch the live video version of this segment above. For more videos and to subscribe to Security Weekly TV visit http://blip.tv/securityweekly'''
 +
 
 +
'''COMING SOON: Download the Audio (MP3) Version of this segment here!'''
 +
 
 +
8:15 to 8:30
 +
 
 +
Various friends of the show call in to give us "The top 5 (ish) things I learned from listening to 250 Episodes of Security Weekly".
 +
 
 +
= Caitlin Johanson - Top Ten Things I Learned on Security Weekly=
 +
 
 +
== Media ==
 +
 
 +
<center>\[https://youtube.com/securityweeklytv Visit The Security Weekly YouTube Channel for all of our latest videos\!\]}</center>
 +
 
 +
'''Watch the live video version of this segment above. For more videos and to subscribe to Security Weekly TV visit http://blip.tv/securityweekly'''
 +
 
 +
 
 +
"A few things to actually feel good about (or not) taking away from 250 episodes of PDC."
  
 
= Stories For Discussion =
 
= Stories For Discussion =
  
== PaulDotCom Blog Roundup ==
+
== Media ==
 +
 
 +
<center>\[https://youtube.com/securityweeklytv Visit The Security Weekly YouTube Channel for all of our latest videos\!\]}</center>
 +
 
 +
'''Watch the live video version of this segment above. For more videos and to subscribe to Security Weekly TV visit http://blip.tv/securityweekly'''
  
 +
== Security Weekly Blog Roundup ==
  
 
== Larry's Stories ==
 
== Larry's Stories ==
 +
#[http://community.websense.com/blogs/securitylabs/archive/2011/07/07/jailbreakme-com-3-and-security-implications.aspx iPhone Jailbreak PDF concerns] - [Larry] - Great observations here.  While we all love our iPhone jailbreaks, this one (as before) just involves a PDF reader exploit.  Browse to a website (or receive e-mail, view PDF and jailbreak.  How about the same with malicious content?  Yeah, that simple.  There are some bets as to when Apple will release a patch, but even if they do, how long will the attack surface be available for?  Those that don't update, and those who don't in order to keep their jailbreak.
 +
#[http://feedproxy.google.com/~r/digitalbond/oLPM/~3/o8QMVsIrUI4/ Incompetence or Deception] - [Larry] - So, what's worse when talking aabout vulnerability disclosure and discovery.  Specifically related to the Siemens replay issue, but can be applied elsewhere. You release a vuln for one model, but can test on the more expensive ones due to cost.  someone else confirms, but the vendor can;t make it work on the other models.  Later, they say, oh hey, we found this vulnerability in the expensive models….
 +
#[http://packetstormsecurity.org/news/view/19426/vsftpd-Download-Found-Backdoored.html vsftpd backdoored]- [Larry] - Lulz. Login s a user of :) and a TCP shell tries to connect back.  Looks like only one distribution point was compromised.
 +
#[http://www.darknet.org.uk/2011/07/security-researchers-discover-4-million-strong-indestructible-botnet-tdsstdl/ Indestructible Botnet?] - [Larry] - TDSS, a new version of the TDL Aleureon rootkit is now out there.    Why indestructible?  Arguably because it is hard to remove the client, as mostly because it goes unnoticed to begin with.
  
 
== Paul's Stories ==
 
== Paul's Stories ==
 
+
#[http://www.nytimes.com/2011/06/30/technology/30morris.html?_r=3&hpw Robert W. Morris Dies]
== Mystery Guest X's Stories ==
+
#[http://nmap.org/download.html New Nmap Version] - Lots of passive discovery!
 +
#[http://www.computerworld.com/s/article/9218255/Top_5_worries_keeping_IT_pros_up_at_night?taxonomyId=17 Top 5 worries of IT Pros] - Security is not really on the list..
 +
#[http://go.theregister.com/feed/www.theregister.co.uk/2011/07/06/paypaluk_twitter_hack/ Flinging Poo At Paypal] - '''An angry user hacked into PayPal UK's Twitter account on Tuesday night and changed the e-commerce company's avatar photo to a heap of steaming crap.''' Can we see more of this? I think it really defines the "hacker spirit"
 +
#[http://www.rootsecure.net/?p=link&l=28556 vsftpd is not very secure]

Latest revision as of 16:28, 29 June 2017


Announcements

Security Weekly - Episode 250 for Friday July 8th, 2011.

  • Los tres primeros episodios de Security Weekly Espanol con Julio Canto, Lorenzo Martinez, y Chema Alonso esta disponible aqui. Tenemos mas entrevistas en las semanas que vienen....
  • Sign up for Blackhat Training Courses:
    • Security Weekly Blackhat Training Sign up for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!
    • Tenable Security Blackhat Training Sign up for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2

Episode Media

MP3 pt 1

MP3 pt 2

I Wish I Were Him

Original by Ben Lee. Covered and lyrics by Joshua Wright.

It may sound stupid when I say it out loud Like I'm just jealous of his silver cloud Paul's crazy as hell he drinks beer like it's Coke Gets his cigars sent by air not boat

CHORUS

I wish I was him He gets the girls at his feet And all his cool friends He gets his hardware for free I wish I was him He pays no software fees I wish I was him

He's got Metasploit commit access Scripts like a god He's got a lot of seeds for RSA key fobs Larry's got his stalker fan club, his hack naked toys He knows mudge and all the l0pht boys

CHORUS

I feel much better now I've let it all out 'course Larry's got big biceps and a masculine shout Don't want to sound like I'm being mean John plays guitar much faster than me

CHORUS

I wish I was him Girls at his feet I wish I was him Hardware for free I wish I was him No software fees I wish I was him I wish I was him

Interview: Randal "Merlyn" Schwartz

Media

\Visit The Security Weekly YouTube Channel for all of our latest videos\!\}

Watch the live video version of this segment above. For more videos and to subscribe to Security Weekly TV visit http://blip.tv/securityweekly

COMING SOON: Download the Audio (MP3) Version of this segment here!

Randal Schwartz is a renowned expert on the Perl programming language. In addition to writing "Learning Perl" and the first two editions of "Programming Perl", he has written hundred of magazine articles on Perl and programming. Randal runs a Perl training and consulting company (Stonehenge Consulting Services), and is highly sought-after as a speaker for his combination of technical skill, comedic timing, and crowd rapport. He's also known as a pretty good Karaoke singer.


7:30 PM

  1. According to your busy travel plans you just got back from Rio with friends, what were you doing at SERPRO?
  2. How did you get your start in programming and information security?
  3. What were the early days of Perl like?
  4. You once said that to get the most out of Perl, you should program at least 3 hours a week. Why is that?
  5. You've done the Learning Perl (llama Book), the Programming Perl (Camel Book), and hundreds of magazine articles - which do you prefer, magazine articles or writing books? Which is your favorite book?
  6. If you were to pick up a language today to begin programming, would it still be Perl?
  7. For those not in the know, why is the CPAN the 'secret weapon' of Perl?
  8. Has the CPAN been used for malicious distribution of code (to your knowledge)?
  9. If not too painful, can you briefly discuss your conviction and subsequent expungement of the State of Oregon v. Randal Schwartz fiasco?
  10. Tell us about your hobby in sniffing clear text passwords on Geek Cruises.
  11. How did the Schwartzian transform come into being?
  12. How did you get involved with Star Ship Sofa
  13. What are your favorite science fiction books?
  14. Who's been your favorite guest on "FLOSS Weekly"?
  15. Who would win in a cage match - Linus Torvalds, Bill Gates or RIchard Stallman?

Secret Segment!

Media

\Visit The Security Weekly YouTube Channel for all of our latest videos\!\}

Watch the live video version of this segment above. For more videos and to subscribe to Security Weekly TV visit http://blip.tv/securityweekly

COMING SOON: Download the Audio (MP3) Version of this segment here!

8:15 to 8:30

Various friends of the show call in to give us "The top 5 (ish) things I learned from listening to 250 Episodes of Security Weekly".

Caitlin Johanson - Top Ten Things I Learned on Security Weekly

Media

\Visit The Security Weekly YouTube Channel for all of our latest videos\!\}

Watch the live video version of this segment above. For more videos and to subscribe to Security Weekly TV visit http://blip.tv/securityweekly


"A few things to actually feel good about (or not) taking away from 250 episodes of PDC."

Stories For Discussion

Media

\Visit The Security Weekly YouTube Channel for all of our latest videos\!\}

Watch the live video version of this segment above. For more videos and to subscribe to Security Weekly TV visit http://blip.tv/securityweekly

Security Weekly Blog Roundup

Larry's Stories

  1. iPhone Jailbreak PDF concerns - [Larry] - Great observations here. While we all love our iPhone jailbreaks, this one (as before) just involves a PDF reader exploit. Browse to a website (or receive e-mail, view PDF and jailbreak. How about the same with malicious content? Yeah, that simple. There are some bets as to when Apple will release a patch, but even if they do, how long will the attack surface be available for? Those that don't update, and those who don't in order to keep their jailbreak.
  2. Incompetence or Deception - [Larry] - So, what's worse when talking aabout vulnerability disclosure and discovery. Specifically related to the Siemens replay issue, but can be applied elsewhere. You release a vuln for one model, but can test on the more expensive ones due to cost. someone else confirms, but the vendor can;t make it work on the other models. Later, they say, oh hey, we found this vulnerability in the expensive models….
  3. vsftpd backdoored- [Larry] - Lulz. Login s a user of :) and a TCP shell tries to connect back. Looks like only one distribution point was compromised.
  4. Indestructible Botnet? - [Larry] - TDSS, a new version of the TDL Aleureon rootkit is now out there. Why indestructible? Arguably because it is hard to remove the client, as mostly because it goes unnoticed to begin with.

Paul's Stories

  1. Robert W. Morris Dies
  2. New Nmap Version - Lots of passive discovery!
  3. Top 5 worries of IT Pros - Security is not really on the list..
  4. Flinging Poo At Paypal - An angry user hacked into PayPal UK's Twitter account on Tuesday night and changed the e-commerce company's avatar photo to a heap of steaming crap. Can we see more of this? I think it really defines the "hacker spirit"
  5. vsftpd is not very secure