Episode 464



Paul's Security Weekly - Episode 464 - 6:00PM

Recorded May 12, 2016

Episode Audio: Coming Soon

Douglas White, Ph.D., CEO / Product Architect

Announcements

  • We will have Douglas White, Ph.D. in studio on the show today!

First segment 6:00PM-7:00PM

Our guest on the show will be Douglas White, Ph.D.

Professor of Networking, Security and Forensics; Director, FANS Lab. Doug will be in the studio with us. Dr. Douglas White has worked in the technology industry for 30 years as a programmer, networking admin, security specialist, and consultant. Dr. White teaches courses in Digital Forensics, Computer Networking, and any other class that comes along that involves computers and security. Doug is a core team member of the Rhode Island Cyber Disruption Team, which is coordinated by the Rhode Island State Police. Doug White was the first certified instructor for the ISFCE digital forensics boot camps and has worked for a variety of professional training organizations and corporations, teaching and working in technology.

  1. Three words to describe yourself.
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of ass grabby-grabby, do you prefer to go first or second?
  5. Choose two celebrities to be your parents.

Listener Feedback Segment

A couple of questions from a listener:

Question # 1

I am a mid-career IT pro and network security engineer who is interested in breaking into pen testing and offensive security. What are the pros and cons of jumping in and starting to do paid pen test work, learning on the job, versus apprenticing / learning from a more established firm or practitioner?


Question # 2

I have an opportunity to perform pen test work under a subcontract with a managed services provider firm. While I have stayed on good terms with the firm's principals, many others that I have known a long time have left that firm due to culture and ethics issues. The firm also has an airtight subcontractor contract that is heavily unfavorable to me and my company (as subcontractor). Is it worth taking the risk of working with a firm like this to get my first paid pen testing gigs? What other risks should I be aware of going into a situation like this? For example, what if the firm doesn't have a solid get-out-of-jail-free-card document or a legal team with security experience?

Stories of the Week - 7:00PM-8:00PM

In the Press:


Paul's Stories

  1. Torvalds on the Internet of Things: Security plays second fiddle - Torvalds again downplaying security: "Job one is to get the job done. In a new industry things will get done without security. Security plays second fiddle. It will be slightly distressing if someone hacks into my home furnace and turns up my heat to 95; I'll be bothered." Torvalds added, "In theory open source can be patched. In practice vendors get in the way."
  2. Windows 10 won't let you share WiFi passwords any more
  3. Hacker Finds Vulnerability In Mr Robot Website
  4. GCHQ Wants You To Stop Resetting Your Password
  5. Kiddicare Compromised
  6. Panama Papers Now Searchable
  7. Researcher Arrested For Disclosing Election Vulnerabilities
  8. WordPress Redirect Hack via Test0.com/Default7.com - Sucuri Blog
  9. Caleb Madrigal
  10. Freaking out over the DBIR
  11. 5 Things Devs Wish CISOs Knew About DevOps
  12. Top 3 Reasons Why Neglecting Application Security Is Risky Business
  13. Economist Detained for Doing Math on an Airplane
  14. The day we discovered our parents were Russian spies | World news | The Guardian
  15. Push Your ICS Vendor / Integrator To Do It Right
  16. Wendy’s: Breach Affected 5% of Restaurants
  17. Wendy’s admits to payment card malware infection
  18. Pornhub bug bounty program will pay hackers up to $25

Larry's Stories

  1. Shakeup in the endpoint security market - VirusTotal changes the game.
  2. HackRF Jeep unlock replay attack - A simple capture and replay with a hacker can unlock older Jeeps; no rolling code needed.
  3. Walmart sues - Over the chip-and-PIN implementation, because it is chip and signature that is required, not chip and PIN.
  4. FB CTF - Now open source.

Joff's Stories

Jack's Stories

  1. The 2016 Verizon DBIR is out. As always, there's some good stuff in there, but not much new. It is sadly a Report Card of Fail in many ways: how many times can we hear that folks need to use 2FA, patch their stuff, segment their networks, etc. etc.?
     • Jericho took exception to the vulnerability section of this year's DBIR, and he isn't alone.
     • Jericho followed up after Kenna's response.
     • Rob Graham was also unimpressed.
     • A response from Kenna Security, who wrote most of the vulnerability section, doesn't seem to answer all of the questions.
     • Dan Guido further disassembles the vulnerability section.
  2. Lots of handy tiny apps, thanks to the ever sexy Chris Nickerson for sharing this.
  3. VirusTotal changes the rules, and some folks are gonna get hurt, and might deserve it.
  4. The ThreatButt DZIR might appeal to you if the Verizon DBIR doesn't.

Kevin's Stories

Michael's (Santa) Stories

  1. Crooks Go Deep With ‘Deep Insert’ Skimmers