Difference between revisions of "Episode483"

From Security Weekly Wiki
Jump to navigationJump to search
Line 63: Line 63:
  
 
== Jack's Stories ==
 
== Jack's Stories ==
This week Jack goes barking mad about "Active Defense", "Hacking Back", and Related Stupidity.
+
#This week Jack goes barking mad about "Active Defense", "Hacking Back", and Related Stupidity.
 
#[http://www.recode.net/2016/9/23/13032420/yahoo-breach-hackers-preemptive-cybersecurity This article says the Yahoo breach proves that we should "act preemptively" to combat breaches.] Yeah, at a company that ignores its security team that will work very well.
 
#[http://www.recode.net/2016/9/23/13032420/yahoo-breach-hackers-preemptive-cybersecurity This article says the Yahoo breach proves that we should "act preemptively" to combat breaches.] Yeah, at a company that ignores its security team that will work very well.
 
#[http://ethics.calpoly.edu/hackingback.htm Here's a PDF on the ethics of hacking back] which takes the position that all active defense is "hacking back" and misses the mark in several other ways.  BUT, there are a few decent thoughts hidding in the derp.
 
#[http://ethics.calpoly.edu/hackingback.htm Here's a PDF on the ethics of hacking back] which takes the position that all active defense is "hacking back" and misses the mark in several other ways.  BUT, there are a few decent thoughts hidding in the derp.

Revision as of 15:40, 29 September 2016

Paul's Security Weekly - Episode 483

Recorded: September 29, 2016


Episode Audio

[] Coming Soon

Announcements

  • Visit http://securityweekly.com/hotseat for the latest edition happening on Sept 13th 2PM EST, register today! We wile sit down with Yolonda Smith, Director of Product Management with Pwnie Express. We will dig into the shift in the number, types, and ownership of devices showing up on enterprise networks, and how you can protect your company from new threats from these devices. We will also get into some cool tech for monitoring and securing your enterprise from wireless, bluetooth, cellular and even good old wired device threats.
  • Make sure you visit http://securityweekly.com/subscribe and subscribe to our new shows including Enterprise Security Weekly and Startup Security Weekly. You can also subscribe to all shows individually, as well as a main feed which contains this show, Hack Naked TV and Enterprise Security Weekly.

Interview: - Ferruh Mavituna, Netsparker 6:00-7:00PM

https://ferruh.mavituna.com/

Hacking web apps since 2003, web app sec expert, CEO of Netsparker - http://netsparker.com

Founder of Netsparker Ltd, Product Manager of Netsparker, Web Application Security Scanner. Developed the first and only false-positive free web application security scanner with state of the art accurate vulnerability detection and exploitation features, today used by thousands companies around the world. Changed the automated web application security space.

Frequent speaker at several conferences about Web Application Security, released several research papers and tools.

Coming from a developer background (C++, ASP, ASP.NET and PHP), working in the web application security area since 2002.

Deep understanding of web application security in both sides, attacking and defending. Between 2002-2006 worked for Turkish Army and Police as well as several big clients as freelance contractor, in Turkey, USA, Canada and UK.

I mostly focus in these technical areas: Web Application Security Research, Automated Vulnerability Detection & Exploitation.


Listener Feedback: - 7:00PM-7:30PM

"In addition to your wonderful podcast, I also listen to ISMG. Ran into this pile of bullshit this morning and I was hoping you guys would respond.

http://www.bankinfosecurity.com/interviews/interview-john-dickson-i-3333 at the core of the issue Dickson covers here, I think, is the issue of "old vs new" and "shadow IT". He says some of the right things, in a rather daunting way, almost sky-larkings -- then goes down-hill fast when "dynamic languages" are brought up. Different from my view, and I think also yours, is the need to work together, rather than work _with_ shadow IT.

maybe I'm wrong. can you comment?"


Hey guys (Ian Smith),

I am a systems administrator, and in my off time, the co-founder and CTO of an incredibly small web services company. I have a degree in Linux/database administration and am pursuing a few others.

My question is how to pursue a career in information security without much but a drive to learn more about the field. I went to defcon this year, submitted a paper to O'Reiley's security conference in New York about starting security programs in SMBs on the cheap, and plan to develop more presentations about what I know and what I can give back to the community. I know that your general advice on the subject is to obtain certifications and spin up labs, but the certification route is pretty unobtainable at this point because of the costs associated.

Any advice would be greatly appreciated. Thank you for your time.

Security News - 7:30PM-8:30PM

Paul's Stories

Larry's Stories

Jeff's Stories

Michael's (Santa) Stories

Carlos's Stories

Jack's Stories

  1. This week Jack goes barking mad about "Active Defense", "Hacking Back", and Related Stupidity.
  2. This article says the Yahoo breach proves that we should "act preemptively" to combat breaches. Yeah, at a company that ignores its security team that will work very well.
  3. Here's a PDF on the ethics of hacking back which takes the position that all active defense is "hacking back" and misses the mark in several other ways. BUT, there are a few decent thoughts hidding in the derp.
  4. An older PDF of a policy brief on "Active Cyber Defense" which is pretty decent, in spite of using the phrase "CEZ, Cyber Engagement Zone".
  5. A short 2004 article (PDF) from Jennifer Granick on "strike back" which shows just how far we have not come in addressing this in any meaningful way.
  6. You will be stunned to learn this, but people were wrong on the Internet. All of that "Microsoft won't let Lenovo let customers install Linux on their computers" noise last week? Not so much, blame Intel, not Microsoft. Don't worry we still get to blame MS for all kinds of other things.
  7. [https://hbr.org/2016/09/good-cybersecurity-can-be-good-marketing
  8. [http://www.popsci.com/report-warns-cyberterrorism-in-space
  9. [https://www.fastcompany.com/3063903/the-future-of-work/can-armies-of-interns-close-the-cybersecurity-skills-gap
  10. [http://sploid.gizmodo.com/this-old-ass-commodore-64-is-still-being-used-to-run-an-1787196319
  11. Local Police Department hit by ransomware- and it's no big deal because they had good backups. Imagine that, preparedness.
  12. UK’s Top Police Warn That Modding Games May Turn Kids into Hackers and the dimwits mean it in a bad way.