From Security Weekly Wiki
Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 286 for Thursday May 3rd, 2012

Special Guests: Mike Yaffe, Alex Horan, Selena Proctor


Alex is a Senior Product Manager for Core, a serial hoarder, and certified Breadth and Depth expert. Previously he ran the System Engineering team at Core, helping to provide training and customer support services to CORE IMPACT'S user base. Alex brings a deep knowledge and understanding of vulnerability assessment, penetration testing, and network administration to his work at Core as well as to cigar smoking.


Mike Yaffe is the Director of Marketing for Core, and a pretty one at that. At Core, Mike is responsible for driving the company's strategic marketing efforts for CORE INSIGHT Enterprise.



  1. Do you need to exploit a vulnerability to know that you have a vulnerability?
  2. Why is it that people feel that you must show that a vulnerability is exploitable before you fix it?
  3. Web application vulnerabilities are by far the most difficult to show the impact of. How can we best exemplify vulnerabilities such as XSS and SQLi?
  4. From a penetration tester's perspective, how can we best utilize automated tools?
  5. When procuring a penetration test, how can we differentiate between the "good" and the "bad"?
  6. With the current measures in place to prevent exploitation, how much longer does it take to develop a reliable exploit?
  7. What value does automated exploitation provide to the enterprise? Isn't most of the value in what happens after the exploit?
  8. What are some things that can be automated in post-exploitation?
  9. What works now when automating post-exploitation, and more importantly, what areas need more work?
  10. Given that the underground market has exploded, how can we get better at testing for 0day exploits?
  11. When we embark on finding vulnerabilities, exploiting vulnerabilities, determining the effects, and generating a report, what can we do to improve the process that comes after that?


Some More Plugs

  • DerbyCon Call for Papers and Ticket Registration is happening NOW. The PaulDotCom crew will be in attendance for DerbyCon. Training begins Thursday September 27th and the DerbyCon conference runs the 28th thru 30th.
  • Security BSides everywhere: Iowa, London, Chicago, Austin, Charleston, more. http://www.securitybsides.com/ - We have 5 BSides tickets to give away! Listen to the instructions at the end of Episode 282 for complete details!

Paul's Stories

  1. Life as a nautical broadband specialist - This is just a sweet gig: His typical shipboard network includes a Kerio Control firewall, which he configures to filter and prioritize network traffic passing through the VSAT link. The firewall also provides antivirus protection and network monitoring, and a VPN connection that allows his company to perform remote maintenance and support when customers are cruising. Working on yachts, and in all the pictures the weather is nice. It'd be cool to hack from the boat!
  2. Is it So Bad for the CIO to Report to the CFO? - Conventional wisdom says that the CIO must report to the CEO or risk losing stature, authority and access to the power center of the company. Reporting to the CFO is bad, the theory goes, because IT is then viewed as a nonstrategic operations group where the governing principle is saving money. Uhm, I tend to agree here. The CFO is all about the cash rules everything around me (G), and the CIO is trying to make things work. Where does the CSO sit in all this? I like it when all the C-levels report to the CEO; then they get to figure it out and balance each other out. When C-levels report to anything other than the CEO, it spells trouble.
  3. CIOs: Will You Be Relevant in 2017?
  4. Two Things I Wish Companies Cared More About: Cloud & Acquisitions Risks
  5. For free Wi-Fi
  6. From LOW to PWNED [4 Browsable Directories]
  7. From LOW to PWNED [3 JBoss/Tomcat server-status]
  8. From LOW to PWNED [1 Exposed Services and Admin Interfaces]
  9. Advanced Attacks Call For New Defenses - Dark Reading
  10. Wireless Printing in the Enterprise - Input Output
  11. The 99% Goes Cyber
  12. Iran makes its own anti-virus software – would you buy it?
  13. Fun with Password Managers
  14. Boeing Paying Hackers to Break into Their Systems

Jack's Stories