From Security Weekly Wiki

Episode Media

Episode 322


Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 323 for Thursday March 7th, 2013

  • Come to the Security BSides Rhode Island One-Day Conference on June 15th. Tickets are NOW ON SALE at WePay.com. Featured presentations from Josh Wright, Kevin Finisterre, Kati Rodzon and Mike Murray, Bruce Potter, Joe McCray, Ron Gula, Ben Jackson, Dave Maynor and the entire PaulDotCom crew!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Thursday nights at 8:30PM EST. Come have a cigar with us!

Guest Tech Segment: Jonathan Ness of MS talks EMET

Jonathan leads the Microsoft Security Response Center Engineering team in investigating externally-reported security vulnerabilities and ensuring they are addressed appropriately via Microsoft's monthly security update process. Jonathan also acts as one of the engineering technical leads for the Microsoft company-wide Software Security Incident Response Process. The most important aspect of his work is helping customers find ways to reduce attack surface and protect themselves. Outside of his Microsoft work, Jonathan participates as a member of a reserve military unit helping to protect DoD networks and has written the three-part "Gray Hat Hacking" book series.


From MS:

"The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult to perform as possible. In many instances, a fully-functional exploit that can bypass EMET may never be developed."

  1. What kind of malware or attacks is EMET most successful at protecting against?
  2. Give us some examples of software that has known incompatibilities with EMET.
  3. Where does EMET provide no or limited protection?
  4. What levels of protection are given in Windows 8 vs. 7 vs. XP, and Win2K8 vs. Win2012?
  5. What could EMET do against, say, the vulnerability now classified as Microsoft Security Advisory 2794220 (MS13-008)?
  6. What kind of testing (Metasploit, other tools, etc.) is done before release?
  7. Tell us about some of the changes from the BlueHat Prize last summer.

Interview: Michael Farnum

Michael Farnum has worked with computers since he got a Kaypro II and an Apple IIc during his middle school years. Michael served in the US Army, where he drove, loaded, and gunned on the mighty M1A1 Abrams main battle tank (which is where he got his "m1a1vet" handle). Michael has worked at Accuvant as a solutions manager and is the founder of HouSecCon, THE Houston Security Conference, which will hold its 4th annual event in October.


Five Questions:

  1. If you were a serial killer, what would be your weapon of choice?
  2. Three words to describe yourself?
  3. If you had to write a book about yourself, what would it be?
  4. Stranded on a deserted island, which tablet would you take with you if you could only choose one: iPad, Android or Surface?
  5. In the popular game of ass grabby-grabby would you prefer to go first or second?


  • We are in the process of archiving and cataloging our technical segments. Please visit the PaulDotCom Technical Library, where we have indexed all of the interviews we have conducted. We are also working on updating all of the articles, so check the newsletter, or if you want to help in exchange for some free guidance and security training, please email me.


Paul's Stories

  1. EXCLUSIVE: Hacked ABC website likely breached by crooks in 2011 | Risky Business - Was this site hacked for two years? Just goes to show, just because someone has all of your hashes, they may not go public or try to bribe you, they may just use them to PROFIT.
  2. Secure Development: Must-Do Or Money Pit? - I have mixed feelings about the thoughts and opinions listed here. First, they say you should check your code once, then only check it if it changes again, hence saving time. I think that new exploitation techniques come out all the time, so going back to re-check based on new experiences is key. I do agree that if you identify a tricky area, or something of crucial importance, code it once. To me, this means spending more time and resources on certain critical sections of code. Of course, if none of your developers know how to code securely, then this is a waste of time. They recommend only sending the developers who are interested in security to training. I say fire the rest, so this can be a good test to run right before a round of layoffs, or just go hire people who like to write code and are interested in doing it securely. Oh, and one of the panelists, Brad Arkin, is from Adobe; not sure if this is a feather in his cap, or if we should be leery about this advice. On the plus side, they are finding and fixing more bugs than most major software companies.
  3. Hot security skills of 2013 - PC Advisor - These are: diverse technology experience, fluency in the IT side of physical security, advanced data-protection expertise, business and financial acumen, good communication skills, good communication skills.
  4. Yahoo Mail Users Still Getting Hacked Despite Vulnerability Fixes : The Droid Guy - DO NOT use Yahoo! for email! There have been a string of hacks, and Yahoo! says they've fixed them. I think the ones that were gonna fix them worked from home, then they changed the policy, now they work for Google, Amazon or Microsoft ;)
  5. Security cameras continue to pose snooping risk - IT News from V3.co.uk - Still, more vulnerabilities on cameras and cameras exposed to the web.
  6. Al Qaeda Document on Avoiding Drone Strikes - This is offensive countermeasures! "Jamming of and confusing of electronic communication using old equipment and keeping them 24-hour running because of their strong frequencies and it is possible using simple ideas of deception of equipment to attract the electronic waves devices similar to that used by the Yugoslav army when they used the microwave (oven) in attracting and confusing the NATO missiles fitted with electromagnetic searching devices."
  7. D-Link fixes router vulnerabilities very quietly - So if you don't publish that you've fixed a security vulnerability, people will not install the update! WTF D-Link?!?!? This happens more than you think...

Jack's Stories

  1. Cyber Fast Track runs out of road. It was an experiment, and I think most of us would agree it was a big success, both from the perspective of those given assistance and the changes it may bring to government thinking.
  2. The Trustwave Global Security Report is out. That's all, haven't digested it yet, but data nerds have bedtime reading material.

Allison's Stuff

  1. STALKING THE WILY HACKER - This is an extremely old writeup, but it's new to me, so maybe it'll be new to you too. It's a technical paper about the events described in the book The Cuckoo's Egg, written by the same author. Almost everything discussed here is still relevant today, so if you've got time for a long read and like spy stories, consider this paper.
  2. Prices fall, services rise in malware-as-a-service market - This includes SOCKS proxies, DDoS-for-hire, pay-per-installs, carding, and all sorts of other nasty stuff. These markets are easily accessible to anyone who knows where to look. This is something I've been looking into for the past several months. You would be surprised to see how many transactions go on in malicious markets and how little heat they really get.
  3. Suit: 185K spyware images sent to rental computers - Aaron's put spyware on their rental computers to help keep track of them. The spyware is capable of using the webcam and sends back images when requested. As anyone might predict, the computers' webcams occasionally captured images of nude children and adults, and of adults having sex. Now they're getting the pants sued off them.
  4. ID thieves targeting children - Apparently it's quite lucrative to steal the identity of children. They don't tend to take out loans until they are 18, so they won't realize they're in debt, and I guess loan companies don't check if they are 18 yet either. If you have kids, it might be worth running a credit check on them once in a while.
  5. China's Paid Trolls: Meet the 50-Cent Party - An interview with a Chinese troll. Not strictly security related, but I found it very interesting. China pays people money to steer online discussions and put the Communist Party in a positive light.
  6. Rats in a Sinking Server - This is an interesting read. The folks over at SecureWorks got a bunch of old malware domains related to the Comment Group (AKA Mandiant's APT1) and started recording data sent to them. They called up all the victims to let them know they were compromised. One of the victims was a university, and this university agreed to share data relating to the attack. That cooperation allowed the researchers to discover three more victims: a US-based energy company, a defense contractor, and an IT business. They say evil triumphs when good men do nothing, and in this case refusing to share that data could have allowed those three compromises to go undetected. Sharing attack data is a key to winning the fight against espionage.

Patrick's Stories