From Security Weekly Wiki

Episode Media

MP3: Not yet published!


Paul's Security Weekly - Episode 401 for Thursday January 8th, 2015

And now, from the dark corners of the Internet, where exploits run wild, packets aren't the only things getting sniffed, and the beer flows steady, it's Paul's Security Weekly!

  • This interview is sponsored by Palo Alto Networks, creators of THE next-generation firewalls, helping you enforce network security policies based on applications, users, and content. Visit them on the web at www.paloaltonetworks.com.
  • And by The SANS Institute, the most trusted source for computer security training, certification and research. Visit www.sans.org to learn more.
  • And by Tenable Network Security, the creators of Nessus, the world's best vulnerability scanner. Check out the new Nessus Enterprise and Nessus Enterprise Cloud, and engage your IT department in the vulnerability management process today!
  • And by Black Squirrel. Pentest Networks from Your Browser! Exploit the limits of network security through just a browser. Have a Chrome exploit in your toolkit? Good, but for the rest of us there's Black Squirrel. Visit blacksquirrel.io for more information.

"Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet..."

"Here's your host, a man who can count to potato but only on his good flipper on Tuesdays, Paul Asadoorian"

  • Security Weekly Announcements:
    • Check out the SteelCon competition. Enter to win a SecurityTube Training course. You must write documentation for an open source project. Details can be found on the website. http://www.steelcon.info/competition/documentation-competition/
    • Larry teaching SANS 617 Wireless Ethical Hacking and Defense coming up in Orlando April 11-18, Austin, TX May 18-23, Baltimore, MD (SANSFIRE) June 13-20, and Berlin, Germany June 22-27

Interview: Reuben Paul


8-year-old CEO, Cyber Security Ambassador, Keynote Speaker, Hacker, The Kung Fu Kid, The 'Chairperson' of InfoSec conferences: these are a few of the titles used to describe Reuben Paul. Reuben is 8 years old today and a 3rd grader at Harmony School of Science in Austin, TX. When asked by his 1st grade teacher to illustrate his future career, he drew on a sheet that he wanted to become a Cyber Spy.


  1. How did you get your start in information security?
  2. How did you get started developing your apps?
  3. What is your favorite past-time?

MSN news on Child prodigies around the world > http://www.msn.com/en-in/news/photos/child-prodigies-around-the-world/ss-BBeMBFK

KEYE CBS News, Austin - Austin 3rd Grader Expert on Cyber Security > http://www.keyetv.com/news/features/top-stories/stories/austin-3rd-grader-expert-cyber-security-21666.shtml

Channel 2 News, Houston - 8 year old Reuben Paul gives keynote at Houston Security Conference. > http://www.click2houston.com/news/thirdgrader-gives-keynote-speech-at-houston-security-conference/29199744

Daily News and Analysis (India) newspaper article - 8 year old CEO Reuben Paul is a cyber security expert > http://www.dnaindia.com/india/report-eight-year-old-ceo-reuben-paul-is-a-cyber-security-expert-2035237

The Hindu (India) newspaper article - Eight year old woos Cyber experts > http://www.thehindu.com/news/cities/Delhi/eightyearold-woos-cyber-experts/article6601791.ece

InfoSec Professional Magazine article - Reuben Paul: The Eight-Year-Old CEO wants to “Create a Safe and Secure Cyber World For Kids (and their parents)” > http://prudentgames.com/wp-content/uploads/2014/12/Reuben-Paul-Interview-InfoSec-Professional-Magazine-Dec-2014.pdf

SC Magazine article - And a little child shall secure them: The next generation of CISOs > http://www.scmagazine.com/and-a-little-child-shall-secure-them-the-next-generation-of-cisos/article/385054/

TripWire “The State of Security” Interview - 8 year old CEO proves kids are the future of Cybersecurity > http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/8-year-old-ceo-reuben-paul-proves-that-kids-are-the-future-of-cybersecurity/

NDTV news story - Indian-Origin Whizkid Reuben Paul Lectures on Cyber Security > http://www.ndtv.com/article/diaspora/indian-origin-whizkid-reuben-paul-lectures-on-cyber-security-621139

Who is Reuben Paul (the 8 year old prodigy and CEO) - http://www.quora.com/Who-is-Reuben-Paul-the-8-year-old-prodigy-and-CEO

Prudent Games CEO - http://prudentgames.com/team/reuben-paul-3/

Fox TV News, Austin - 7 year old earns Black Belt > http://www.myfoxaustin.com/story/23257303/7-year-old-earns-black-belt

Digital Story Telling Competition (DISTCO) 2014 Winner for video biography “The Kung Fu Kid” > http://www.youtube.com/watch?v=B13icCFqUGg

Five Questions

  1. If you had super powers, what would they be?
  2. If you were a Star Trek® [or Star Wars® ] character, which one would it be?
  3. Three words to describe yourself.
  4. Pick two celebrities to be your parents.
  5. What song best describes your life?



  • Stories of the week is brought to you by Onapsis, the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/
  • And by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at http://pwnieexpress.com
  • And by Black Hills Information Security, the leaders in penetration testing and active defense. Email consulting@blackhillsinfosec.com to request a quote today!

Paul's Stories

  1. Attack Attribution in Cyberspace - https://www.schneier.com/blog/archives/2015/01/attack_attribut.html
  2. Internet of Things is a threat to privacy
  3. Thieves Jackpot ATMs With 'Black Box' Attack
  4. Thunderstrike shocks OS X with firmware bootkit
  5. 'Self-XSS' flaw found in Microsoft Dynamics CRM
  6. OpenSSL Fixes Eight Security Vulnerabilities
  7. Anybody can take North Korea offline
  8. IoT Security: How to Protect Applications on the Edge
  9. The Elephant in the Room is Compliance
  10. Best Defense Against a Cyber-Attack Is to Know Your Adversary
  11. Home Wi-Fi security's just as good as '90s PC security! Wait
  12. Poll: The Perimeter Has Shattered!
  13. How To Become a CISO: Top Tips
  14. 5 ways to prepare for Internet of things security threats

Larry's Stories

  1. Keurig DRM - [Larry] - Yeah, so much fail. OK, let's not argue about the quality of Keurig coffee, but about the quality of the DRM to prevent third-party K-cups. Discuss: patent, licensing, etc.
  2. XFINITY WIFI - [Larry] - All sorts of fail here. Comcast gets to allegedly take over your router…by enabling a free wifi AP for all customers. They get to use your bandwidth. That you pay for. And you can't shut it off. Also real great for messing with open wifi...
  3. DEAUTH AGAIN? - [Larry] - Yeah, remember the whole fiasco with a Marriott deauthing MiFis? Yeah, now they plan on doing this across the board. Uhhh, WAT? Yeah, they have petitioned the FCC to permit this. From the article: "Marriott is asking, therefore, for a unique right: the right to police spectrum privately based on property rights. As Cisco put it in its comment, 'Wi-Fi operators may not "deputize" themselves to police the Part 15 radio frequency environment.'" But "[Eric Pederson] live[s] in a high-rise apartment building in New York City. I typically see 20-plus of my neighbors' SSIDs. Yet somehow my Wi-Fi works just fine."
  4. USBDriveby - [Larry] - USBDriveby on a Teensy with Teensyterpreter. We've talked about the Teensy before (and no, not just Paul's manhood), as an embedded device that you can have act as a USB HID device. This one targets OS X, by changing the hosts file without the need for a password, then netcat outbound. On Windows, PowerShell FTW.
  5. MoonPig - [Larry] - Wow. The initial issue with hardcoded credentials used with the API on the MoonPig app was disclosed in mid-2013. Changing the customer ID in the API requests revealed info for each user, including name, address and CC info (at least only the last 4…). MoonPig said it was not an issue, due to legacy code, and would fix it soon. Almost 18 months later, it is still an issue, and now MoonPig has disabled the API and app. Geez, why does public shaming need to be used?
  6. I know, more SONY - [Larry] - So, SONY claims that the massive hack won't incur any financial hit. The sad part is, they are probably correct, hence why in some cases the argument for improved security isn't going to fly. Why do I need to secure this if there is no negative financial impact?

Joff's random verbal emissions

Jack's stories of wonder

  1. Oh Microsoft, what the...Advanced Notification Service (ANS) "evolving" (pretty much going away). That's great, because there are never any problems with MS patches.
  2. Microsoft update blunders are going out of control. Like this one and this one.
  3. Google takes legal action against Mississippi State Attorney General for going in the tank for the MPAA
  4. Cyberattack on German Iron Plant Causes 'Widespread Damage', and Kim Zetter has this update on the story.
  5. Google, Microsoft throw weight in fight against Marriott Wi-Fi blocking request
  6. U.S. uses trade agreement talks to seek breach investigation immunity for American companies - http://www.scmagazine.com/proposal-would-drive-european-govts-into-us-courts/article/390361/
  7. Senator Warns of DHS Struggle with Cyber Security, and maybe not coincidentally DHS releases the wrong FOIA-requested documents, exposing infrastructure vulnerabilities
  8. That's Security 101? Great, show me your 101 list.
  9. The EFF is worried as Stingrays Go Mainstream, and Senators question FBI's legal reasoning behind cell-tower spoofing
  10. Bypassing OpenSSL Certificate Pinning in iOS Apps. Good stuff from Matasano.