From Security Weekly Wiki

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 298 for Thursday August 2nd, 2012

  • Episode 300 of PaulDotCom Security Weekly will be recorded and streamed live on Friday August 31st in support of a cure for Breast Cancer. We will broadcast live from 10am until 6PM Eastern time and the show will feature tech segments, round table discussions and special guests. Mark it on your calendars today!
  • In other admin related news, we're leaving Ning and moving onwards. Ning was cool, but now it's a haven for SPAM. I want to thank everyone for participating. In the meantime please follow us on Twitter (@pauldotcom), Facebook (https://www.facebook.com/therealpauldotcom), and add me on Google+ (Paul Asadoorian, I will have a good email account for that soon). Don't forget to join our mailing list http://mail.pauldotcom.com and look for a newsletter in the not-too-distant future.

Interview with Kevin Finisterre of Accuvant

Teasers & Plugs

Kevin Finisterre is a Senior Research Consultant with Accuvant, has hacked everything from utilities providers to police cars and is keen on disseminating information relating to the identification and exploitation of software vulnerabilities on many platforms.

  1. How did you get your start in information security?
  2. What advice do you have for others just getting started in information security?
  3. In 2004 you were involved with the trifinite group, many of us used the tools that came from this project, how did it start and what were the motivations for attacking Bluetooth?
  4. How big is the Bluetooth security problem today? Have we fixed stuff or is it now just flying under the radar, outshined
  5. You've also spent a good amount of time finding vulnerabilities, what are some of your favorite tools and techniques for finding vulnerabilities?
  6. What are some of the most funny and/or interesting vulnerabilities that you've found (that you are comfortable talking about)?
  7. So wait, you can't just release SCADA vulnerabilities and exploits, right?
  8. In your experience, what are some of the differences between how Apple handles vulnerability disclosure vs. Microsoft?
  9. So if one wanted to 0wn a cop car, how would they do it?

Five Questions!


Teasers & Plugs

  • DerbyCon Call for Papers and Ticket Registration is available online. If you have not yet registered or submitted a talk, please do so now.
  • Security BSides everywhere: Cleveland, Las Vegas, Los Angeles and more. http://www.securitybsides.com/ - We have 5 BSides tickets (only 3 left) to give away! Listen to the instructions at the end of Episode 282 for complete details, or submit a technical segment!

Paul's Stories

  1. Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate - Seems to be getting a lot of press, did not have time to fully digest. I remember discouraging PPTP long ago...
  2. Hacker Will Expose Potential Security Flaw In Four Million Hotel Room Keycard Locks - Forbes - Pretty neat usage of Arduino to crack the locks on hotel doors. Still doesn't get around the latch locking mechanism though. However, if you are not in your room, you can be pwned. Note: Never leave laptop in room (tough to do).
  3. BlackHat USA 2012: Day One - Nice write-up, Ian's work is solid, brings up several outstanding points. Awesome to see a defense talk at Blackhat!
  4. Black Hat 2012 - My write-up from BH.
  5. Top 10 Things I Learned at Blackhat 2012 & Defcon 20 and Vegas - My other write-up from BH and Defcon.

Larry's Stories

Allison's St0ri3s

Jack's Stories of bare knuckled brawling

  1. Time to play offense? According to Art Coviello, it is. Although he has a pretty passive idea of defense. I'm sure the fact that he's promoting Big Data has nothing to do with EMC's storage sales.
  2. TSA and nudie scanners - Not an infosec story, but so many of us travel frequently that it is interesting. The U.S. Circuit Court of Appeals for the District of Columbia has ordered the TSA to explain its failure to comply with a court order issued over a year ago, an order which required public hearings on the scanners.
  3. ONE TRILLION DOLLARS - Or not. Yeah, probably not.