Difference between revisions of "Episode464"

From Security Weekly Wiki
Revision as of 20:02, 12 May 2016


Paul's Security Weekly - Episode 464 - 6:00PM

Recorded May 12, 2016

Episode Audio

Douglas White, Ph.D., CEO / Product Architect

Announcements

  • We will have Douglas White, Ph.D. in studio on the show today!

First segment 6:00PM-7:00PM

Our guest on the show will be Douglas White, Ph.D.

Professor of Networking, Security and Forensics; Director, FANS Lab. Doug will be in the studio with us. Dr. Douglas White has worked in the technology industry for 30 years as a programmer, network admin, security specialist, and consultant. Dr. White teaches courses in Digital Forensics, Computer Networking, and any other class that comes along that involves computers and security. Doug is a core team member of the Rhode Island Cyber Disruption Team, which is coordinated by the Rhode Island State Police. Doug White was the first certified instructor for the ISFCE digital forensics boot camps and has worked for a variety of professional training organizations and corporations, teaching and working in technology.

  1. Three words to describe yourself.
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of ass grabby-grabby, do you prefer to go first or second?
  5. Choose two celebrities to be your parents.

Listener Feedback Segment

Couple of questions from a listener:

Question # 1

I am a mid-career IT pro and network security engineer who is interested in breaking into pen testing and offensive security. What are the pros and cons of jumping in and starting to do paid pen test work, learning on the job, versus apprenticing / learning from a more established firm or practitioner?


Question # 2

I have an opportunity to perform pen test work under a subcontract with a managed services provider firm. While I have stayed on good terms with the firm's principals, many others whom I have known a long time have left that firm due to culture and ethics issues. The firm also has an airtight subcontractor contract that is heavily unfavorable to me and my company (as subcontractor). Is it worth taking the risk of working with a firm like this to get my first paid pen testing gigs? What other risks should I be aware of going into a situation like this? For example, if the firm doesn't have a solid get-out-of-jail-free-card document or a legal team with security experience?

Stories of the Week - 7:00PM-8:00PM

In the Press:


Paul's Stories

Larry's Stories

  1. Shakeup in the endpoint security market - VirusTotal changes the game.
  2. HackRF Jeep unlock replay attack - A simple capture and replay with a HackRF can unlock older Jeeps; no rolling code needed.
  3. Walmart sues - Over the chip-and-PIN implementation, because it is chip-and-signature that is required, not chip-and-PIN.
  4. FB CTF - Now open source.

Joff's Stories

Jack's Stories

  1. Verizon DBIR and reactions

The 2016 Verizon DBIR is out. As always, there's some good stuff in there, but not much new; it is sadly a Report Card of Fail in many ways. How many times can we hear that folks need to use 2FA, patch their stuff, segment their networks, etc., etc.?
Jericho took exception to the vulnerability section of this year's DBIR, and he isn't alone.
Jericho followed up after Kenna's response.
Rob Graham was also unimpressed.
A response from Kenna Security, who wrote most of the vulnerability section, doesn't seem to answer all of the questions.
Dan Guido further disassembles the vulnerability section: http://blog.trailofbits.com/2016/05/05/the-dbirs-forest-of-exploit-signatures/

  2. Lots of handy tiny apps, thanks to the ever sexy Chris Nickerson for sharing this.
  3. VirusTotal changes the rules, and some folks are gonna get hurt, and might deserve it.
  4. The ThreatButt DZIR might appeal to you if the Verizon DBIR doesn't.

Kevin's Stories

Michael's (Santa) Stories

  1. Crooks Go Deep With ‘Deep Insert’ Skimmers