Latest revision as of 15:44, 6 June 2017

Paul's Security Weekly - Episode 483

Episode Audio

Recorded: September 29, 2016


Announcements

  • Visit http://securityweekly.com/hotseat for the latest edition happening on Sept 13th 2PM EST, register today! We will sit down with Yolonda Smith, Director of Product Management with Pwnie Express. We will dig into the shift in the number, types, and ownership of devices showing up on enterprise networks, and how you can protect your company from new threats from these devices. We will also get into some cool tech for monitoring and securing your enterprise from wireless, Bluetooth, cellular and even good old wired device threats.
  • Make sure you visit http://securityweekly.com/subscribe and subscribe to our new shows including Enterprise Security Weekly and Startup Security Weekly. You can also subscribe to all shows individually, as well as a main feed which contains this show, Hack Naked TV and Enterprise Security Weekly.

Interview: Ferruh Mavituna, Netsparker - 6:00-7:00PM

https://ferruh.mavituna.com/

Hacking web apps since 2003, web app sec expert, CEO of Netsparker - http://netsparker.com

Founder of Netsparker Ltd, Product Manager of Netsparker, Web Application Security Scanner. Developed the first and only false-positive free web application security scanner with state-of-the-art accurate vulnerability detection and exploitation features, today used by thousands of companies around the world. Changed the automated web application security space.

Frequent speaker at several conferences about Web Application Security, released several research papers and tools.

Coming from a developer background (C++, ASP, ASP.NET and PHP), working in the web application security area since 2002.

Deep understanding of web application security on both sides, attacking and defending. Between 2002 and 2006 worked for the Turkish Army and Police as well as several big clients as a freelance contractor, in Turkey, USA, Canada and UK.

I mostly focus on these technical areas: Web Application Security Research, Automated Vulnerability Detection & Exploitation.

  • https://www.netsparker.com/blog/web-security/exploiting-csrf-vulnerability-mongodb-rest-api/
  • https://www.netsparker.com/blog/docs-and-faqs/export-netsparker-web-security-scan-web-application-firewall-rules/
  • https://www.netsparker.com/blog/docs-and-faqs/selenium-netsparker-manual-crawling-web-applications-scanner/

Listener Feedback: - 7:00PM-7:30PM

"In addition to your wonderful podcast, I also listen to ISMG. Ran into this pile of bullshit this morning and I was hoping you guys would respond.

http://www.bankinfosecurity.com/interviews/interview-john-dickson-i-3333 at the core of the issue Dickson covers here, I think, is the issue of "old vs new" and "shadow IT". He says some of the right things, in a rather daunting way, almost sky-larkings -- then goes down-hill fast when "dynamic languages" are brought up. Different from my view, and I think also yours, is the need to work together, rather than work _with_ shadow IT.

Maybe I'm wrong. Can you comment?"


Hey guys (Ian Smith),

I am a systems administrator, and in my off time, the co-founder and CTO of an incredibly small web services company. I have a degree in Linux/database administration and am pursuing a few others.

My question is how to pursue a career in information security without much but a drive to learn more about the field. I went to DEF CON this year, submitted a paper to O'Reilly's security conference in New York about starting security programs in SMBs on the cheap, and plan to develop more presentations about what I know and what I can give back to the community. I know that your general advice on the subject is to obtain certifications and spin up labs, but the certification route is pretty unobtainable at this point because of the costs associated.

Any advice would be greatly appreciated. Thank you for your time.

Security News - 7:30PM-8:30PM

Paul's Stories

  1. Congressional Leaders Demand Answers on Yahoo Breach (https://threatpost.com/congressional-leaders-demand-answers-on-yahoo-breach/120931/)
  2. ripgrep is faster than {grep (http://blog.burntsushi.net/ripgrep)
  3. New Raspberry Pi PIXEL Operating System Introduced - Geeky Gadgets (http://www.geeky-gadgets.com/new-raspberry-pi-pixel-operating-system-introduced-28-09-2016/)
  4. Defending Against Hackers Took a Back Seat at Yahoo (http://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html)
  5. Microsoft Launches Cloud-Based Fuzzing (http://www.darkreading.com/cloud/microsoft-launches-cloud-based-fuzzing-/d/d-id/1327052)
  6. The Yahoo hackers weren't state-sponsored (http://news.hitb.org/content/yahoo-hackers-werent-state-sponsored)
  7. The security tsunami of the Internet of Things is coming (http://news.hitb.org/content/security-tsunami-internet-things-coming-are-you-ready)
  8. Apple logs your iMessage contacts and could share them with police (http://news.hitb.org/content/apple-logs-your-imessage-contacts-and-could-share-them-police)
  9. Marissa Mayer declined to reset Yahoo users’ passwords 2 years ago (http://news.hitb.org/content/marissa-mayer-declined-reset-yahoo-users%E2%80%99-passwords-2-years-ago)
  10. HP: Disabling 3rd-party ink ensures “best printing experience” (http://news.hitb.org/content/hp-disabling-3rd-party-ink-ensures-%E2%80%9Cbest-printing-experience%E2%80%9D)
  11. OpenSSL Swats A Dozen Bugs (http://www.theregister.co.uk/2016/09/23/openssl_swats_a_dozen_bugs_one_notable_nasty/)
  12. Meet The Hackers Who Drive The Porsches You Pay For (http://motherboard.vice.com/read/meet-the-hackers-who-drive-the-porsches-you-paid-for)
  13. UK Police Warn That Modding Games May Turn Kids Into Hackers (http://motherboard.vice.com/read/uks-top-police-warn-that-modding-games-may-turn-kids-into-hackers)
  14. Meet Israel's Master Phone Crackers (http://www.bbc.com/news/technology-37441109)
  15. Thousands Of Cisco Devices Still At Risk Of Unpatched NSA Zero-Day Flaws (http://www.zdnet.com/article/thousands-of-cisco-devices-still-at-risk-of-unpatched-nsa-zero-day/)
  16. 152k Cameras In 990Gbps Record Breaking Dual DDoS (http://www.theregister.co.uk/2016/09/27/152463_hacked_cameras_deliver_990gbps_recordbreaking_dual_ddos/)

Larry's Stories

Joff's Stories

  1. Multiple Backdoors in D-Link Router! (http://thehackernews.com/2016/09/hacking-d-link-wireless-router.html)

Michael's (Santa) Stories

Carlos's Stories

Jack's Stories

  1. This week Jack goes barking mad about "Active Defense", "Hacking Back", and Related Stupidity:
     • This article says the Yahoo breach proves that we should "act preemptively" to combat breaches (http://www.recode.net/2016/9/23/13032420/yahoo-breach-hackers-preemptive-cybersecurity). Yeah, at a company that ignores its security team that will work very well.
     • Here's a PDF on the ethics of hacking back (http://ethics.calpoly.edu/hackingback.htm) which takes the position that all active defense is "hacking back" and misses the mark in several other ways. BUT, there are a few decent thoughts hiding in the derp.
     • An older PDF of a policy brief on "Active Cyber Defense" (http://www.cnas.org/sites/default/files/publications-pdf/CNAS_ActiveCyberDefense_Lachow_0.pdf) which is pretty decent, in spite of using the phrase "CEZ, Cyber Engagement Zone".
     • A short 2004 article (PDF) from Jennifer Granick on "strike back" (https://tuftsdev.github.io/DefenseAgainstTheDarkArts/notes/4858-1066-strike.pdf) which shows just how far we have *not* come in addressing this in any meaningful way.
  2. You will be stunned to learn this, but people were wrong on the Internet. All of that "Microsoft won't let Lenovo let customers install Linux on their computers" noise last week? Not so much, blame Intel, not Microsoft (http://www.pcworld.com/article/3123075/linux/linux-wont-install-on-your-laptop-blame-intel-not-microsoft.html). Don't worry, we still get to blame MS for all kinds of other things.
  3. The Harvard Business Review says good security can be good for marketing (https://hbr.org/2016/09/good-cybersecurity-can-be-good-marketing)
  4. A think tank writes a scare piece on cyberterrorism in space and it gets more traction than your company's crappy password policies.
  5. Can armies of interns close the cybersecurity skills gap?
  6. A Commodore 64 is still up and running, and running a business-critical app for an auto repair shop.
  7. Local Police Department hit by ransomware, and it's no big deal because they had good backups. Imagine that, preparedness.
  8. UK’s Top Police Warn That Modding Games May Turn Kids into Hackers, and the dimwits mean it in a bad way.