From Security Weekly Wiki

Episode Media

[ Episode 365 MP3 pt1]

[Episode 365 MP3 pt2]


Paul's Security Weekly - Episode 365 for Thursday March 6th, 2014

  • The Offensive Countermeasures Hack Lab at the Mid-Atlantic CCDC conference in 2014, and sticking around to MC the event and do a live Podcast!
  • We are looking for sponsors for our weekly webcasts. Contact paul -at- hacknaked.tv for details, there are still a few slots available!
  • Paul will be speaking at this year's Northeast Linux Fest, held April 5 and 6, 2014 at Harvard University.
  • I'm also slated to speak at the Charlotte ISSA conference in 2014 and the NOLA conference in New Orleans in June.

Guest Interview: Eve Adams @HackerHuntress


Eve Adams (@HackerHuntress) is Senior Talent Acquisition Expert at Halock Security Labs, a full-service information security advisory in Schaumburg, IL. Eve leverages her security staffing experience to drive recruitment for both internal Halock roles and client placement. She also spearheads Halock’s social media presence and counts Twitter as one of her most powerful recruiting tools. Eve’s passionate about information security, thinks most recruiters are doing it wrong, and naively believes technology can change the world for the better. In past lives, she has been a writer, translator and reptile specialist, among other things. While she is officially OS-agnostic, Eve usually runs Ubuntu at home.

  1. How did you get involved with recruiting? How did you get involved with the security community?
  2. What advice do you have for those just starting their information security careers?
  3. How much value do certifications have in computer security?
  4. I believe certs help you when you get started, then start to diminish in value as you move through your career, do you agree or disagree and why or why not?
  5. What are the top 2 tips for resume building?
  6. The job market is pretty competitive in security, what tips do you have for employers?
  7. Let's take someone who has some skills and is not happy with their job. What are the top things they can do to start making a move?
  8. What is the highest paying position(s) in security and why?
  9. From both a job seeker and employer perspective, how do you put the right salary on a position?

Five Questions

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of Ass Grabby Grabby do you prefer to go first or second?
  5. If you could have dinner with one celebrity, who would it be?

Tech Segment: Regular Expressions!

By Allison Nixon

In this tech segment we're going to talk about regular expressions in Python. We're going to be using Perl-style regular expressions, usually referred to as "PCRE". PCRE is used in many places outside of Python, such as Snort and other IDS signatures; most places you see regular expressions, it will be PCRE. Regex is a language, but it's far more restricted than a normal programming language.

If you need to perform any complex string search and replace, you're probably going to use regular expressions. As the famous saying goes,

Some people, when confronted with a problem, think “I know, I'll use regular expressions.” Now they have two problems.

So I'm going to teach you how to create some problems for yourself.

I'm going to put the test strings in the show notes. If you want to play along, you don't need to install Python; we're going to use pythex, an online regular expression tester. I think this is the best way to demonstrate regular expressions without getting too bogged down in the context of code.


Regular expressions are controlled through the use of metacharacters, each of which conveys a particular meaning. I'm going to explain the meaning of these metacharacters to get you started with regular expressions.

In pythex, let's use this multi-line test string:

The quick brown fox jumps over the lazy dog.






The dot (.) matches any one character. If you write only a dot in the regular expression field, you will see every character gets matched separately. Pythex puts a space between each match, so you'll see an extra space between each letter.


The asterisk (*) matches any number of the preceding character, including zero. One of the most common regular expressions you'll use is .*, which is essentially a wildcard. Write that into pythex, and you'll see it matches everything in one go.


The plus sign (+) is similar to the asterisk, except that it matches one or more of the preceding character. The asterisk will also match on zero occurrences of the preceding character, which may cause you problems if you don't know this little detail. Punch in the regular expressions a+ and a* and note the differences. Using + will give you more meaningful results in this case.


The question mark (?) matches the preceding character zero or one time only. The question mark is also used for more complex operations that I'm not going to get into here.


Parentheses define regular expression groups. This makes it easier to pull a group out in your code if you are going to parse a particular piece of text out of the middle of a bunch of other text. Say you have a regular expression with five groups, but you only care about the third one. We're going to use parentheses from now on to make the matches easier to visualize.


Curly braces ({}) offer more precise control than the asterisk or plus sign. You can match on an exact number of occurrences, or any range of occurrences.

(a{1,2}) matches runs of one or two a's.
(a{2,4}) matches runs of between two and four a's. Notice that in the string of 6 a's, it matches on four a's first, and then it matches on two. It defaults to matching on more characters before it matches on fewer (this is called greedy matching).
(a{3,}) matches on 3 or more a's. If you put a comma in there and leave one side or the other blank, it defaults to zero or unbounded depending on which side was left blank. This example will match 3 or more a's with no upper limit.
(a{,3}) matches between zero and three a's.

Square brackets ([]) match any one of the characters listed inside them.

([Tt]he) If you are somehow unable to use the IGNORECASE mode when matching regular expressions, this is how you can match a word regardless of how it is capitalized.

The pipe (|) means "or". You can write two separate regular expressions, put one on each side of a pipe, and it will match either of them.


The backslash (\) is used for several purposes, mostly to change the meaning of the character that follows it. Say you want to match on a literal period, but the period has a special meaning in regular expressions.

(\.) This will match on an actual period, and not just any character

The backslash can also be used to give special meaning to otherwise non-special letters. These are called special sequences, and you can view all of them in the cheat sheet on pythex.

\d matches on any one digit. Say you want to match on that 12345, though; simply writing \d won't get you the whole number.
(\d{1,}) This will pull out the whole number for you. The curly braces ensure you get every digit, and the parentheses group it so it's more easily accessible in code.

The dollar sign ($) anchors you to the end of a string, so you can look for things at the end of a string only.


The caret (^) is a lot like the dollar sign, but it anchors you to the beginning of a string.


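As an added example (not from the original segment or from pythex), here is the same set of metacharacters run through Python's re module. The test text extends the page's single test line with an assumed line of six a's and the number 12345 that the text refers to; the anchor function also shows how re.MULTILINE changes what ^ and $ mean on multi-line input.

```python
import re

# Constructed multi-line test text, modelled on the pythex string from the
# segment; the lines with the a's and the number are assumed, not from the page.
TEXT = "The quick brown fox jumps over the lazy dog.\naaaaaa\n12345\nthe end"

def dot_vs_escaped_dot(text=TEXT):
    """'.' matches any single character except newline; '\\.' only a literal period."""
    return len(re.findall(r".", text)), re.findall(r"\.", text)

def plus_vs_star(text="banana"):
    """a+ reports only real runs of a's; a* also yields an empty match at every
    position that has no 'a', the detail the segment warns about."""
    plus = [m.group() for m in re.finditer(r"a+", text)]
    star = [m.group() for m in re.finditer(r"a*", text)]
    return plus, star

def greedy_range(text=TEXT):
    """Bounded repetition is greedy: a{2,4} on six a's takes four, then two."""
    return re.findall(r"(a{2,4})", text)

def whole_number(text=TEXT):
    """\\d matches one digit at a time; (\\d{1,}) groups the whole number."""
    return re.findall(r"\d", text), re.findall(r"(\d{1,})", text)

def the_any_case(text=TEXT):
    """[Tt]he does the job of re.IGNORECASE when that flag is not available."""
    return re.findall(r"[Tt]he", text), re.findall(r"the", text, re.IGNORECASE)

def group_and_pipe(text=TEXT):
    """Parentheses capture the piece you care about; pipe means 'or'."""
    m = re.search(r"quick (\w+) (fox|dog)", text)
    return m.group(1), m.group(2)

def anchors(text=TEXT):
    """^ and $ anchor to the whole string by default; with re.MULTILINE they
    anchor to each line. 'dog.' never matches \\w+$ because of the period."""
    return {
        "first_word": re.findall(r"^\w+", text),
        "last_word": re.findall(r"\w+$", text),
        "first_per_line": re.findall(r"^\w+", text, re.MULTILINE),
        "last_per_line": re.findall(r"\w+$", text, re.MULTILINE),
    }

if __name__ == "__main__":
    for fn in (dot_vs_escaped_dot, plus_vs_star, greedy_range, whole_number,
               the_any_case, group_and_pipe, anchors):
        print(f"{fn.__name__:20s} -> {fn()}")
```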
Regular expressions can be used in any number of combinations that can get extremely complex. I have only touched on the most basic and common use cases here, but there are an infinite number of combinations that are possible. And now I will leave you with a regular expression to match on e-mail addresses that is fully, 100% compliant with the RFC:

(?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)*\<(?:(?:\r\n)?[ \t])*(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*)*:(?:(?:\r\n)?[ \t])*)?(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ 
\t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*\>(?:(?:\r\n)?[ \t])*)|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)*:(?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)*\<(?:(?:\r\n)?[ \t])*(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*)*:(?:(?:\r\n)?[ \t])*)?(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ 
\t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*\>(?:(?:\r\n)?[ \t])*)(?:,\s*(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)*\<(?:(?:\r\n)?[ \t])*(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*)*:(?:(?:\r\n)?[ \t])*)?(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ 
\t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*\>(?:(?:\r\n)?[ \t])*))*)?;\s*)


Paul's Stories

  1. The Cyber Security Skills Gap - J4vv4D - Pretty cool graphic, but begs the question just how large is the gap and how do we close it? Why is there a skills gap in the first place? Do we ask too much of our security positions?
  2. New iOS flaw makes devices susceptible to covert keylogging - Curious how the keystroke logging works, I am guessing that the coordinates of the press match a character when the keyboard is present on the screen. In any case, you have to install a malicious app to be vulnerable, which is not unheard of on iOS, but not as common as Android.
  3. RFID Wallets/Sleeves. How much Security do they provide? | Pentura Labs's Blog - Looks like RF protection, aside from stainless steel, works about half the time. Just sayin'. And, over 96% of us carry an RF enabled card of some kind.
  4. ChrisTruncer/EyeWitness · GitHub - This is based on Peeping Tom, pretty neat stuff, I love the screenshot functionality and can't wait to check out this tool.
  5. Trey Ford: Testing - We can't be asleep at the wheel and let big brother take away our rights to use hacking tools, making this talk very important. If we get ahead of it now, we stand a chance; if we don't, we'll be behind the curve and could lose the battle.
  6. BsidesSF 2014 Fix What Matters - Love this talk premise, people put too much faith in CVSS.
  7. Hackers Can Infect Your Computer Even If It's Not Connected To The Internet
  8. Target overhauls security and compliance group - CIO has resigned, try to contain your shock and awe.
  9. Hackers Take Control Of 300 - Well no kidding, maybe this is the press that we need.
  10. CIA Found To Be Hacking The Senate Intelligence Committee - Right out of a Hollywood script!
  11. Hackers Churning Out 55 - 55,000 malware variants a day is some serious code re-use.
  12. Cisco Patches Authentication Flaw in Wireless Routers - Finally, but will people apply it? More than would apply home router updates.
  13. Researchers at the University of Liverpool claim to have created a computer virus that can spread via Wi-Fi as effic...
  14. C programming: you are teaching it wrong
  15. Car Hacking: You Cannot Have Safety without Security
  16. Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy
  17. DDoS & Security Reports » NTP ATTACKS: Welcome to The Hockey Stick Era
  18. Swiss Firm Digs Up 300

Jack's Stories of Joy and Wonder

  1. Charles Babbage Institute Oral History Collection - An amazing collection of oral histories from people who created the computer and security universe we know today. Some of these folks are even older than me.
  2. Teen's Facebook brag costs dad $80,000 lawsuit settlement - Kids these days...
  3. Security Professionals: Time to Step Up - Purdue's Eugene Spafford on Challenges Facing the Profession - Fifteen minute audio interview with Spaf.
  4. When is the best time to buy your airline tickets? - Not an InfoSec story, but since many of us travel a lot, potentially useful.
  5. New rules and procedures for DEF CON 22 contests
  6. Bogus survey has humorous, if bogus, results such as "1 in 10 Americans think HTML is an STD, study finds"
  7. Your tax dollars at work^^waste? DHS proposes $1.25 billion for cybersecurity spending - an overdue upgrade to DHS security, or a colossal cash grab?
  8. Version 5 of the 20 Critical Security Controls - The latest version of the 20 CSC was released last week. I haven't seen any big changes, but some minor updates and tuning.
  9. The world's largest photo service just made its pictures free to use - Getty opens its library. Another "not infosec" story, but potentially useful.
  10. Patrick Gray of Risky Business interviews Marcus Ranum on the RSA Conference - Note: Audio file, may autoplay.

Joff's Stories

  1. SOHO Routers Under Widespread Attack - http://www.informationweek.com/security/attacks-and-breaches/malware-lobbing-hackers-seize-300000-routers/d/d-id/1114109?
  2. http://www.darkreading.com/sophoslabs-insights/preying-on-a-predator/240166361 - Any O/S is a potential target. WinXP is not the only desktop platform going end of support.