Difference between revisions of "Episode325"

From Security Weekly Wiki

Latest revision as of 01:15, 11 October 2014


= Episode Media =

[http://securityweekly.com/2013/3/episode-325 Episode 325]

[http://traffic.libsyn.com/pauldotcom/PaulDotCom-325.mp3 MP3]

= Announcements & Shameless Plugs =

Security Weekly - Episode 325 for Thursday March 28th, 2013

* Register for "Offensive Countermeasures: The Art Of Active Defense": [https://www.sans.org/event/sansfire-2013/course/offensive-countermeasures-defensive-tactics-work SANSFIRE Washington, DC] June 15-16th with John Strand
* Come to the [http://www.securitybsides.com/w/page/61966594/BSidesRI Security BSides Rhode Island One-Day Conference] on June 15th; tickets are NOW ON SALE at [https://www.wepay.com/events/141697 WePay.com]. Featured presentations from Josh Wright, Kevin Finisterre, Kati Rodzon and Mike Murray, Bruce Potter, Joe McCray, Ron Gula, Ben Jackson, Dave Maynor and the entire Security Weekly crew!
* [http://www.stogiegeeks.com The Stogie Geeks Show]! - Kick some ash with the Stogie Geeks, Thursday nights at 8:30PM EST. Come have a cigar with us!

= Guest Technical Segment: Simon Bennetts on OWASP Zed Attack Proxy v 2.0.0 =

<center>{{#ev:youtube|t6wKH_6bvm0}}</center>

Simon is a Mozilla Security Automation Engineer and ZAP Project Leader. He is also one of the founders of the OWASP Manchester chapter and the OWASP Data Exchange Format project. Simon is on to discuss [http://owasp.blogspot.co.uk/2013/01/owasp-zed-attack-proxy-v-200.html OWASP's Zed Attack Proxy v 2.0.0].

From the OWASP site:

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

# What is the Zed Attack Proxy (ZAP)?
# How is it maintained?
# How is it different from other proxies, like Burp?
# Where do you see ZAP going in the future?
# What are ZAP's strengths and limitations?
# Are you working on any other OWASP projects?

= Announcement =

* We are in the process of archiving and cataloging our technical segments; please visit the [http://securityweekly.com/wiki/index.php/TechSegments Security Weekly Technical Library]. We have also indexed all of the [http://securityweekly.com/wiki/index.php/Interviews interviews we have conducted]. We are also working on updating all of the articles, so check the newsletter, or if you want to help in exchange for some free guidance and security training, please email me.
* Register for "DEFENSIVE COUNTERMEASURES: FOUNDATIONS OF BECOMING A DEVIOUS DEFENDER": [http://www.blackhat.com/us-13/training/defensive-countermeasures-foundations-of-becoming-a-devious-defender.html JULY 27-28 & 29-30 with Paul].
* [http://www.sans.org/instructors/lawrence-pesce Larry teaching SANS SEC617] all over and coming to a city near you in 2013. It isn't too late to sign up for my class in San Diego this May!

= Stories =

= Paul's Stories =

# [http://erratasec.blogspot.com/2013/03/ubuntu-low-mem-install-for-vms.html Ubuntu low-mem install for VMs] - Nice tip for running Ubuntu VMs. Having multiple Ubuntu VMs is handy. I mean BackTrack is nice. But sometimes you need to run stuff, like firmware analysis tools, vulnerable web applications, or other such software. This allows you to run different versions of Ubuntu as well.
# [http://www.h-online.com/security/news/item/Passcode-lock-can-be-bypassed-in-iOS-6-1-3-as-well-1827092.html Passcode lock can be bypassed in iOS 6.1.3 as well] - I mean really, come on! They just can't seem to lock this feature down.
# [http://1raindrop.typepad.com/1_raindrop/2013/03/remember-your-helmet.html Remember Your Helmet] - Great article about keeping security simple.
# [http://www.securityorb.com/2013/03/critical-flaw-threatens-millions-bind-servers/ Critical Flaw Threatens Millions of BIND Servers] - Exploitation is easy; ah, the memories of easily exploitable BIND vulnerabilities. TSIG anyone?
# [http://www.darkreading.com/security/application-security/240151869/too-scared-to-scan.html Too Scared To Scan] - Scan in development, use credentialed scans, scanning is important, crashes happen.
# [http://www.theregister.co.uk/2013/03/28/riotact_goes_berserk_over_bluetooth/ Oz states count cars using Bluetooth]
# [http://news.hitb.org/content/network-security-study-reveals-26000-undetected-malware-samples Network security study reveals 26]
# [http://www.theregister.co.uk/2013/03/26/netbsd_crypto_bug/ Whoops! Tiny Bug In NetBSD 6.0 Code Ruins SSH Crypto Keys]

= Larry's Stories =

= Jack's Stories =

# [http://www.kickstarter.com/projects/1456247168/hackers-in-uganda-a-documentary?ref=category A Kickstarter for a documentary] on Hackers in Uganda, Hackers for Charity. The producer of the hacker documentary "Code2600" has set his sights on documenting Johnny Long's work in Uganda.
# [http://krypt3ia.wordpress.com/2013/03/22/digital-natives-digital-immigrants-exo-nationals-and-the-digital-lord-of-the-flies/ Kids these days] - Krypt3ia has some thoughts on the security implications of "digital natives".
# [https://www.udacity.com/course/cs101 A free "intro to computer science" course] - Free is good, right? A very basic programming class for those who want the basics of coding.
# [https://www.net-security.org/secworld.php?id=14666 Most IT admins considering quitting due to stress] according to a survey by GFI Software. The survey seems a bit questionable: small sample size and self-selection bias, etc. But still, a few interesting insights.
# [https://threatpost.com/en_us/blogs/critical-flaw-threatens-millions-bind-servers-032813 Critical Flaw Threatens Millions of BIND Servers] - The article at ThreatPost highlights the issues with BIND on *nix systems. This bug "could not only cause a denial-of-service condition on the server but also could potentially compromise other software on the machine". That could be a problem.
# [http://qz.com/68115/forget-about-the-cyberbunker-attack-heres-how-to-take-an-entire-continent-offline/ Forget CyberFUD, here's a DoS to worry about] - Yes, there was the biggest DDoS in history (or not) this week, but this is scarier to me.
# [http://www.local12.com/news/local/story/Former-Students-Face-Charges-for-Hacking-School/QGWgfWNuG0S8eBfPVSA62w.cspx Another "kids hack their school to change grades" story]. Here are a couple of little guttersnipes, aka "Digital Natives", getting in trouble.
# [http://www.darkreading.com/security/application-security/240151869/too-scared-to-scan.html Too scared to scan] - A sad state of affairs, but true in many organizations.
# [http://www.securitycatalyst.com/2013/03/why-we-need-better-business-storytelling/ The first of a new set of posts about better storytelling in business] from Michael Santarcangelo, aka Security Catalyst; [http://www.securitycatalyst.com/2013/03/how-to-build-better-business-stories/ part two is here].

= Allison's Stuff =