From Security Weekly Wiki
Revision as of 02:09, 24 April 2015 by Kcrawford (talk | contribs)

Paul's Security Weekly - Episode 415 - 6:00PM

Episode Media

MP3 <-- Not yet published!

Intro, Sponsors & Announcements


On Security Weekly tonight we have a special guest interview with Apollo Clark! He'll talk web application security, Kali Linux and be mixing drinks live in studio! Get our take on listener-submitted Bash command line tips and tricks, and we'll cover stories of the week including some more massive D-Link fail. All that and more on this edition of Security Weekly, making the world a better place one episode at a time...


Broadcasting live from G Unit Studios in Rhode Island, the show where exploits run wild, packets aren’t the only things getting sniffed, and the cocktails flow steady, it’s Paul’s Security Weekly!

Brought to you by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at http://pwnieexpress.com

And by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/

And by Black Hills Information Security, the leaders in penetration testing and active defense. Email consulting@blackhillsinfosec.com to request a quote today!

Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet...

Here's a man who looks good in pink, but only in an Arizona prison, Paul Asadoorian

Hello everyone and welcome to Paul's Security Weekly - Episode 415 for Thursday April 23rd, 2015

  • Ready to learn Combat Firmware Analysis? Register for my Blackhat course "Embedded Device Security Assessments", a 2-day hosted class at Blackhat Las Vegas. Registration includes breakfast, lunch, and access to the Blackhat Briefings Business Hall, Sponsor Workshops, Sponsor Sessions, and Arsenal! Visit http://securityweekly.com/iot to register today!
  • Larry teaching SANS 617 Wireless Ethical Hacking and Defense coming up in Orlando April 11-18, Austin, TX May 18-23, Baltimore, MD (SANSFIRE) June 13-20, and Berlin, Germany June 22-27

Guest Interview: Apollo Clark - 6:05 PM



Apollo Clark is a Boston-based web developer, originally from Maine, making websites since 2001. When he's not adding new features, he's breaking them. On the weekends he likes to mix cocktails while automating his deployment pipeline. He is a proud member of the Boston OWASP chapter and the Boston Security meetup, and the recent founder of the "Boston Kali Linux Users" meetup, where developers, sys-admins, and anyone interested in security can learn penetration testing for free.


  1. How did you get your start in technology?
  2. What got you interested in computer security?
  3. What do developers think of security people in general?
  4. What do security people think of developers in general?
  5. What can we do to bridge the gaps between developers and security people?
  6. How did you get started with Kali?
  7. What kinds of things do you teach people about using Kali?
  8. Tell us about the security testing you did with Kali and Gauntlt

Five Questions

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of ass grabby-grabby, do you prefer to go first or second?
  5. Choose two celebrities to be your parents.

Segment: Bash Command-line Tips - 7:05PM-7:30PM

Sponsors & Announcements

Bash Tips & Tricks: Listener Submitted


This week, we are featuring user-submitted bash tips and tricks. Some are timesavers, others timewasters.

  1. $ !!
    or bang-bang: Submitted by James. "The !! command has probably extended the life of my fingers by ten years. (and everyone appreciates an extended finger)."
  2. $ tmux
    Submitted by Mick. Not really a tip, more of a personal choice like emacs. Steep learning curve but powerful.
  3. $ play -c2 -n synth whitenoise band -n 100 24 band -n 300 100 gain +20
    Submitted by Chris. "Generate Star Trek's U.S.S. Enterprise warp idle noise from CLI (requires sox):" <-- Timewaster I was talking about.
  4. $ awk '($1 == "MemTotal:") {print $2 / 1048576}' /proc/meminfo
    Submitted by Keith. "Uses awk to look in /proc/meminfo and find MemTotal then calculates the corresponding size into GB's from the terminal."
    1. $ awk '($1 == "MemTotal:" || $1 == "MemFree:") {print $2 / 1048576 "GB"}' /proc/meminfo 
      Paul's tweak to above
  5. $ alias yolo='git commit -am "DEAL WITH IT" && git push -f origin master'
    Submitted by Apollo. "I run this on my personal projects."

Stories of the Week - 7:30PM-8:00PM


Sponsors & Announcements

  • This segment is sponsored by the SANS Institute, the most trusted source for computer security training, certification and research. Visit www.sans.org to learn more
  • And by Tenable Network Security, creators of Nessus, the world's best vulnerability scanner! Jumpstart your security program today and evaluate SecurityCenter CV, THE continuous monitoring solution. www.tenable.com
  • Don't forget to Register for BSides Boston coming up on May 9th!

Paul's Stories

  1. D-Link what the eff of the week
    1. Hacking the D-Link DIR-890L
    2. D-Link router patch creates NEW SOHOpeless vuln
  2. Hackers gaining upper hand, security conference told - To keep the barbarians away, we're simply building taller castle walls and digging deeper moats. Taller walls won't solve our problem - He proclaimed 2014 the year that shows we are losing the battle. We're building smarter walls, rather than changing the mindset.
  3. 6 Most Dangerous New Attack Techniques in 2015 - While these attacks are not new, SANS experts predict that we will see more data breaches, more IoT hacking, more ICS hacking, and more flaws in encryption. Pretty safe bets. Knowing this, what do we do about it?
  4. Wi-Fi client vulnerability could expose Android - Unfortunately, wpa_supplicant is also used on embedded devices, for which patches are not as frequently released or easy to install. And here we are again...
  5. CozyDuke Hackers Infiltrate The White House With 'Funny Monkey' Videos - Beware the Funny Monkey! All that effort we put into security, and it's defeated by the funny monkey video. Hail user awareness training? Still, someone will find the monkey funny enough to click on it. Hail endpoint protection that actually works?
  6. iOS Vulnerability Could Force Devices Into Endless Reboot Loop
  7. Man guns down computer after getting fed up with Blue Screen of Death - We've all been there, ready to take aim at our computer for not cooperating with us. Begs the question, what is the best firearm to use when unleashing fury on a computer? Thoughts?
  8. Unsolicited Response Podcast: Rios on WhiteScope and Medical Device Security
  9. An Incredibly Insecure Voting Machine
  10. IRC Botnets alive

Larry's Stories

  1. Airplane hacking
  2. MS15-034 - This will be fun for years to come. http.sys. also scanning for MS15-034
  3. OMG WORDPRESS VULNS! - I thought that this one was interesting in that the developer docs for plugin development did not include any mention of sanitizing input. It should be common practice, but ANYONE can write a plugin, even the uninitiated.
  4. An incredibly vulnerable voting machine - Holy crap…and they retired them this year….
  5. April fools - a round up of stories from Dr. Krawetz.
  6. analyzing MIPS backdoors

Joff's Wallaby Stories

  1. Crash your favorite iDevice!
  2. You guessed it, more WordPress vulns
  3. Most Americans dislike Snowden but he's pretty popular overseas...
  4. ToR for everything? Not really a smart idea

Michael's Stories

  1. House Passes Cybersecurity Bill After Companies Fall Victim to Data Breaches - Doing something/anything... for the children. But is it any good?
  2. VCs Pour Money Into Cybersecurity Startups - Sign of a current/impending bubble?
  3. Dutch Homes Get Free Heating If They Agree To Host A Computer Server - Physical security considerations? Would you do this?

Carlos' Stories

  1. RDP TLS Certificate Deployment Using GPO