Difference between revisions of "Episode269"

From Security Weekly Wiki
= Announcements & Shameless Plugs =

Security Weekly - Episode 269 for Thursday December 8th, 2011.

* Check out our new shows: [http://hacknaked.tv Hack Naked TV] with John Strand, [http://www.hacknakedatnight.tv Hack Naked At Night] with Larry and Darren, and [http://securityweekly.com/wiki/index.php/PaulDotCom_Espanol Security Weekly Espanol] with Carlos Perez.

* Subscribe to our only non-computer security related show dedicated to Cigar Enthusiasts [http://www.stogiegeeks.com Stogie Geeks] with Paul Asadoorian and Tim "BugBear" Mugherini. We are working on our top ten cigars released in 2011. We've been painstakingly smoking cigars, enjoyed with fresh coffee and single malt scotch in my nice warm workshop. It's a hard job but someone has to do it, and we're, ya know, toughing through it.

* Don't forget to [http://securityweekly.com/ Read our blog], [http://mail.securityweekly.com/listinfo Participate on our mailing list], [http://securityweekly.com/insider/ Visit Security Weekly Insider], [http://twitter.com/securityweekly Follow us on Twitter], [irc://irc.freenode.net/securityweekly Join the IRC channel at irc.freenode.net #securityweekly], [http://blip.tv/securityweekly Watch our Videos] and [http://www.facebook.com/pages/Security-Weekly/56074056651 Add us on Facebook] where we can be "friends"

* BSides, BSides, [http://www.securitybsides.com/w/page/12194156/FrontPage BSides everywhere]

= Episode Media =

[http://traffic.libsyn.com/pauldotcom/PaulDotCom-269-Part1.mp3 MP3 pt 1]

[http://traffic.libsyn.com/pauldotcom/PaulDotCom-269-Part2.mp3 MP3 pt 2]

= Guest Interview: Katie Moussouris =

<center>[https://youtube.com/securityweeklytv Visit The Security Weekly YouTube Channel for all of our latest videos!]</center>

6:00 PM EDT

Katie Moussouris leads the Security Community Outreach and Strategy team at Microsoft. Her team's work encompasses Security Ecosystem Strategy programs such as Microsoft's BlueHat conference and worldwide hacker conference engagement, security researcher outreach, and Microsoft's Vulnerability Disclosure Policies. Katie also founded and runs Microsoft Vulnerability Research, which is responsible for Microsoft's research and reporting of vulnerabilities in third-party software.

<center>[[File:Katie moussouris.jpg]]</center>

The inaugural Microsoft BlueHat Prize contest challenges security researchers to design a novel runtime mitigation technology that prevents the exploitation of memory safety vulnerabilities. The solution considered to be the most innovative by the Microsoft BlueHat Prize board will be presented the grand prize of US $200,000.

[http://www.microsoft.com/Presspass/press/2011/aug11/08-03MSBlackHat2011PR.mspx Microsoft Fuels Security Innovation With New Twist on Security Research Rewards]

[http://www.microsoft.com/security/bluehatprize/ BlueHat Prize Blog]

[http://blogs.technet.com/b/ecostrat/archive/2011/07/28/bluehat-prize.aspx From Bounties to the BlueHat Prize – Evolutionary Thinking in Valuing Security Research]

[http://blogs.technet.com/b/msrc/archive/2011/08/10/bluehat-prize-q-amp-a-with-katie-moussouris.aspx BlueHat Prize Q&A with Katie Moussouris]

= Video Tech Segment on New Burp Feature! =

Cross Site Request Forgery is hard to test for... This makes it easier.

[http://www.youtube.com/watch?v=nqFzab1si8g Check it out here.]

= Paul's Stories =

[http://securityweekly.com/wiki/index.php/Misc Miscellaneous Show Topics That Have Nothing to do with computer security]

= Stories For Discussion =

#[http://securityvulns.com/docs27398.html Security Advisory: security bulletin HPSBPI02728 SSRT100692 rev.1 - Certain HP Printers and HP Digital Senders] - Looks like HP is jumping on the problems with the printers that have firmware updates turned on. If you have printers on your network (snicker) then you should be rolling out this patch.
#[http://blog.ncircle.com/blogs/patterns/archives/2011/12/which_half_of_your_business_ar.html nCircle Patterns Blog: Which Half of Your Business Are You Protecting?] - This is the same old story: businesses are only looking at the perimeter, ignoring security on the rest of the environment. I see this both ways in the vulnerability management front. It seems either an organization will scan the inside OR the outside, but not always both. You need to be managing vulnerabilities on all systems. Of course, that's the tricky part, getting full coverage of everything that connects to the network in today's world.
#[http://www.veracode.com/blog/2011/12/hp-faces-class-action-lawsuit-over-printer-software-vulnerability/ HP Faces Class Action Lawsuit Over Printer Software Vulnerability] - The community rises to fight printer vulnerabilities, whooohoo! Do we need to get lawyers involved though? Maybe that's what it comes down to. I think the difficult part may be showing loss, as the vulnerability is not being exploited in the wild to my knowledge.
#[http://www.h-online.com/security/news/item/Facebook-glitch-gave-access-to-other-users-private-pictures-1391270.html Facebook glitch gave access to other users' private pictures] - Lots of drunk half naked women/girls were exposed. Sorry, just had to say it.
#[http://www.h-online.com/security/news/item/Download-com-apologises-for-bundling-1392501.html Download.com apologises for bundling] - Apologies? How about a process that verifies what is being downloaded? CNET should be publicly shamed for letting this happen. Oh wait, I just did.
#[http://www.telegraph.co.uk/technology/news/8921033/Staff-to-be-banned-from-sending-emails.html Staff to be banned from sending emails - Telegraph] - I wish more people would do this. I don't think it would help security, but it would make for better communication. So many people use email where IM could work better.
#[http://carnal0wnage.attackresearch.com/2011/11/embeding-link-to-network-share-in-word.html Carnal0wnage & Attack Research Blog: Embeding A Link To A Network Share In A Word Doc] - This is great for tracking documents.
#[http://hackonadime.blogspot.com/2011/12/hacking-printers-pjl-basics.html Hacking On A Dime: “Hacking” Printers - PJL Basics] - Great article on PJL. Any time you can get a breakdown of this protocol it's a good thing, because it's a messed-up protocol.
#[http://1raindrop.typepad.com/1_raindrop/2011/12/top-5-security-influencers.html Top 5 Security Influencers] - This is just a great list, and I totally agree. Security is about people.
#[http://www.darknet.org.uk/2011/12/sslyze-fast-and-full-featured-ssl-configuration-scanner/ sslyze – Fast and Full-Featured SSL Configuration Scanner] - We bash SSL; the fact is, so many SSL implementations are just wrong. Use this tool to make it right.
#[http://www.secureconsulting.net/2011/12/3-common-ways-security-fails-p.html 3 Common Ways Security Fails People] - "1) It gets in the way. 2) It makes life more difficult. 3) It doesn't understand what's important."
#[https://365.rsaconference.com/blogs/mike-gentile/2011/12/07/how-being-green-makes-you-stink-at-security-print-bigger How being Green Makes You Stink at Security: Print Bigger] - I can see how this MAY save a few pieces of paper; security-wise, though, you are still printing through a vulnerable printer :)
#[http://carnal0wnage.attackresearch.com/2011/12/aggressive-mode-vpn-ike-scan-psk-crack.html Aggressive Mode VPN — IKE-Scan] - I come up against VPNs on pen tests; it's pretty boring. There are some attacks, but what most people ignore is that if I want to attack your VPN, I'm going after the clients. I also want to hear about successful attacks against SSL VPNs.
#[http://nakedsecurity.sophos.com/2011/12/08/justin-bieber-stabbed-facebook-scam/ Justin Bieber stabbed by a crazed fan? It’s a Facebook scam] - We can only hope...
Latest revision as of 16:28, 29 June 2017

