Paul's Security Weekly - Episode 464 - 6:00PM
Recorded May 12, 2016
Guest: Douglas White, Ph.D., CEO / Product Architect
- We will have Douglas White, Ph.D. in studio on the show today!
First segment 6:00PM-7:00PM
Our guest on the show will be Douglas White, Ph.D.
Professor of Networking, Security and Forensics; Director, FANS Lab. Doug will be in the studio with us. Dr. Douglas White has worked in the technology industry for 30 years as a programmer, networking admin, security specialist, and consultant. Dr. White teaches courses in Digital Forensics, Computer Networking, and any other class that comes along that involves computers and security. Doug is a core team member of the Rhode Island Cyber Disruption Team, which is coordinated by the Rhode Island State Police. Doug White was the first certified instructor for the ISFCE digital forensics boot camps and has worked for a variety of professional training organizations and corporations, teaching and working in technology.
- Three words to describe yourself.
- If you were a serial killer, what would be your weapon of choice?
- If you wrote a book about yourself, what would the title be?
- In the popular game of ass grabby-grabby, do you prefer to go first or second?
- Choose two celebrities to be your parents.
Listener Feedback Segment
A couple of questions from a listener:
Question # 1
I am a mid-career IT pro and network security engineer who is interested in breaking into pen testing and offensive security. What are the pros and cons of jumping in and starting to do paid pen test work, learning on the job, versus apprenticing / learning from a more established firm or practitioner?
Question # 2
I have an opportunity to perform pen test work under a subcontract with a managed services provider firm. While I have stayed on good terms with the firm's principals, many others that I have known a long time have left that firm due to culture and ethics issues. The firm also has an airtight subcontractor contract that is heavily unfavorable to me and my company (as subcontractor). Is it worth taking the risk of working with a firm like this to get my first paid pen testing gigs? What other risks should I be aware of going into a situation like this? For example, what if the firm doesn't have a solid get-out-of-jail-free-card document or a legal team with security experience?
Stories of the Week - 7:00PM-8:00PM
In the Press:
- Torvalds on the Internet of Things: Security plays second fiddle - Torvalds again downplaying security: "Job one is to get the job done. In a new industry things will get done without security. Security plays second fiddle. It will be slightly distressing if someone hacks into my home furnace and turns up my heat to 95, I'll be bothered." Torvalds added, "In theory open source can be patched. In practice vendors get in the way."
- Windows 10 won't let you share WiFi passwords any more
- Hacker Finds Vulnerability In Mr Robot Website
- GCHQ Wants You To Stop Resetting Your Password
- Kiddicare Compromised
- Panama Papers Now Searchable
- Researcher Arrested For Disclosing Election Vulnerabilities
- WordPress Redirect Hack via Test0.com/Default7.com - Sucuri Blog
- Caleb Madrigal
- Freaking out over the DBIR
- 5 Things Devs Wish CISOs Knew About DevOps
- Top 3 Reasons Why Neglecting Application Security Is Risky Business
- Economist Detained for Doing Math on an Airplane
- The day we discovered our parents were Russian spies | World news | The Guardian
- Push Your ICS Vendor / Integrator To Do It Right
- Wendy’s: Breach Affected 5% of Restaurants
- Wendy’s admits to payment card malware infection
- Pornhub bug bounty program will pay hackers up to $25
- Shakeup in the Endpoint security market - Virustotal changes the game.
- HackRF Jeep unlock replay attack - A simple capture and replay with a HackRF can unlock older Jeeps; the key fob uses no rolling code.
- Walmart sues - Over chip-and-PIN implementation, because it is chip-and-signature that is required, not chip-and-PIN.
- FB CTF - Now open source.
- Verizon DBIR and reactions
The 2016 Verizon DBIR is out. As always, there's some good stuff in there, but not much new; it is sadly a Report Card of Fail in many ways. How many times can we hear that folks need to use 2FA, patch their stuff, segment their networks, etc., etc.?
Jericho took exception to the vulnerability section of this year's DBIR and he isn't alone.
Jericho followed up after Kenna's response
Rob Graham was also unimpressed
A response from Kenna Security, who wrote most of the vulnerability section, doesn't seem to answer all of the questions.
Dan Guido further disassembles the vulnerability section: http://blog.trailofbits.com/2016/05/05/the-dbirs-forest-of-exploit-signatures/
- Lots of handy tiny apps thanks to the ever sexy Chris Nickerson for sharing this.
- VirusTotal changes the rules and some folks are gonna get hurt, and might deserve it.
- The ThreatButt DZIR might appeal to you if the Verizon DBIR doesn't.