Episode286

From Security Weekly Wiki
Jump to navigationJump to search


Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 286 for Thursday May 3d, 2012

Special Guests: Mike Yaffe, Alex Horan, Selena Proctor

Introduction

Alex is a Senior Product Manager for Core, a serial hoarder, and certified Breadth and Depth expert. Previously he ran the System Engineering team at Core, helping to provide training and customer support services to CORE IMPACT'S user base. Alex brings a deep knowledge and understanding of vulnerability assessment, penetration testing, and network administration to his work at Core as well as to cigar smoking.

AlexHoran.jpg

Mike Yaffe is the Director of Marketing for Core, and a pretty one at that. At Core, Mike is responsible for driving the company's strategic marketing efforts for CORE INSIGHT Enterprise.

Yaffe.jpg

Questions

  1. Do you need to exploit a vulnerability to know that you have a vulnerability?
  2. Why is it that people feel that you must show that a vulnerability is exploitable before you fix it?
  3. Web application vulnerabilities are by far the most difficult to show the impact, how can we best exemplify vulnerabilities such as XSS and SQLi?
  4. From a penetration testers perspective, how can we best utilize automated tools?
  5. When procuring a penetration test, how can we differentiate between the "good" and the "bad"?
  6. With the current measures in place to prevent exploitation, how much longer does it take to develop a reliable exploit?
  7. What value does automated exploitation provide to the enterprise? Isn't most of the value what happens after the exploit?
  8. What are some things that can be automated in post-exploitation?
  9. What stuff works now when automating in post-exploitation, and more importantly what areas need more work?
  10. Given that the underground market has exploded, How can we get better at testing for 0day exploits?
  11. When we embark on finding vulnerabilities, exploiting vulnerabilities, determining the affects, and generating a report, what can we do to improve the process that comes after that?

Stories

Some More Plugs

  • DerbyCon Call for Papers and Ticket Registration is: happening NOW. The PaulDotCom crew will be in attendance for DerbyCon. Training begins Thursday September 27th and the DerbyCon conference runs the 28th thru 30th.
  • Security BSides everywhere: Iowa, London, Chicago, Austin, Charleston, more. http://www.securitybsides.com/ - We have 5 BSides tickets to give away! Listen to the instructions at the end of Episode 282 for complete details!

Paul's Stories

  1. Life as a nautical broadband specialist
  2. Is it So Bad for the CIO to Report to the CFO?
  3. CIOs: Will You Be Relevant in 2017?
  4. Two Things I Wish Companies Cared More About: Cloud & Acquisitions Risks
  5. For free Wi-Fi
  6. From LOW to PWNED [4 Browsable Directories]
  7. From LOW to PWNED [3 JBoss/Tomcat server-status]
  8. From LOW to PWNED [1 Exposed Services and Admin Interfaces]
  9. Advanced Attacks Call For New Defenses - Dark Reading
  10. Wireless Printing in the Enterprise - Input Output
  11. The 99% Goes Cyber
  12. Iran makes its own anti-virus software – would you buy it?
  13. Fun with Password Managers
  14. Boeing Paying Hackers to Break into Their Systems

Jack's Stories