Paul's Security Weekly - Episode 359 for Thursday January 23rd, 2014
- Security Weekly will be at the SANS ICS Summit from March 12-18th, doing a live podcast on Sunday night, covering the courses and attending the 2-day summit. Security Weekly subscribers can now enjoy a 20% off discount code! Use SecurityWeekly20 on checkout to get that discount applied. This conference will be held in Orlando at the Contemporary Resort & Convention Center in sunny Orlando, FL REGISTER NOW!
- We are looking for sponsors for our weekly webcasts and shows. Contact paul -at- hacknaked.tv for details, there are still a few slots available!
Guest Interview: James Arlen (@myrcurial)
James Arlen is a senior consultant at Leviathan Security Group, a podcaster for the LiquidMatrix podcast and is a boardmember for the SecTor conference. He's Mycurial on Twitter and firmly believes that "Han shot first".
James Arlen is a senior consultant at Leviathan Security Group providing security consulting services to the utility and financial verticals. He has been involved with implementing a practical level of information security in Fortune 500, TSE 100, and major public-sector corporations for 18+ years. James is also a contributing analyst with Securosis and has a recurring column on Liquidmatrix Security Digest ( http://www.liquidmatrix.org ) . Best described as: "Infosec geek, hacker, social activist, author, speaker, and parent." His areas of interest include organizational change, social engineering, blinky lights and shiny things.
- Is being a CISO as sexy as it sounds?
- Its been claimed that you are "the originator of the term 'cyberdouchery' ". Tell us how that came about.
- How do you feel about people saying they are experts? Why?
- How important is if for security researchers to both write and present well? How can they improve?
- When we talk about SCADA, it generally encapsulates ICS/DCS&SCADA, what are the differences?
- What are the greatest threats to both ISC/DCS and SCADA?
- What do you mean with the theory Money = C ( the speed of light) as it applies to Security?
- Private MPLS, Frame Relay links that rely on speed, and don't have firewalls or ACLS are still secure, right?Why is this a best practice in some industries?
- Why does everyone want to blame Canada?
- Three words to describe yourself
- True or False: SecTor is ShmooCon but with more snowpocalypse.
- Luke, Leia or Guido?
- If you were a serial killer, what would be your weapon of choice?
- If you wrote a book about yourself, what would the title be?
- In the popular game of Ass Grabby Grabby do you prefer to go first or second?
- Stranded in a desert island, which tablet would you bring along: a) iPad b) Surface c) Android d) All of the above e) None of the above?
Special Guest:Kristian Hermansen
- Larry teaching SANS classes: Check out his SANS page for the details" 617 in Orlando in March, Also 571 at RSA
- SEC504 in Mentor format in Downtown Boston coming up in April! Use the discount code "SecOrg" when registering for 10% off the class. Register at http://tinyurl.com/SEC504-Boston Email firstname.lastname@example.org for more info or for a special discount code if you prefer to get the GCIH attempt for free instead.
Kristian joins us in regard to the recent article on healthcare.gov
- - Microcorruption - [Larry] - In arguably one of the first of it’s kind, a CTF strictly for embedded devices. You get to participate online, and remotely hack a set of electronic locks. neat stuff. Did I mention that it is free, and provided by matasano and square?
- DEF CON 21 videos - [Larry] - did you sleep in? Hungover? Too busy with hallwaycon or checking out some contests? Now you can catch up on all of the talks that you missed at DEF CON 21 including the FAIL PANEL wher eI drop some fun goodies on Smart Grid stuff.
- Great use for your RTL-SDR - [Larry] - We talked about these inexpensive software defined radios on episode 300, and the use for these just keeps growing. It isn’t jsut for interpreting unknown (or known) signals, it makes a great tool for intercepting YOUR signals as a troubleshooting aid.
- Snapchat, STAHP. - [Larry] - First the “hack”, then the poor response, then the commitment to make things more secure”. What did they do? They added a verification step for queries that require the need to find the Snapchat ghost in one of 9 images and click on it. Too bad it was cracked with 100 lines of code 30 minutes after Steven Hickson investigated it using image recognition libraries. 100% accuracy. Repeat after me in a robot voice; “I AM NOT A COMPUTER!”
- Gas Pump Card skimming - [Larry] - Sure this has been around for a while, but this technique of gathering the track and pin data is becoming more widely adopted by attackers. The device in the pump that captures the data stores it, and then can be transferred to the attacker over bluetooth. Easy peasy; pair the device before install and anytime you are near, it pairs and you can script a download of data. Before you used to have to physically retrieve the device, or be in close proximity to observe the radio signal (such as 900Mhz). Not any more. Now the specific challenge here is how do you monitor for rogue bluetooth devices, at scale? I know of NO commercial rogue bluetooth detection offerings. Not to mention the challenges of false positives…
- - Mobile Malware Memory Lane - [Joff] - 2014 marks the 10th anniversary of Cabir, the world’s first mobile phone malware. To mark this
occasion, Fortinet’s FortiGuard Labs strolls down memory lane to examine the evolution of mobile threats during the last 10 years]
- - HackingTeam expands Galileo to include Windows Phone - [Joff] -HackingTeam is reportedly able to bypass encryption and monitor emails, files, Skype, and other VoIP communications. The firm is able to also remotely control cameras and microphones. It does all this through Galileo.
- - PLCpwn prototype - [Joff] From the S4x14 CONFERENCE A researcher has rigged a programmable logic controller (PLC) with a low-cost hacking tool that can shut down a process control network with a text message.