Difference between revisions of "Episode488"

From Security Weekly Wiki
Jump to navigationJump to search
Line 29: Line 29:
# Where do you see the VPN market going in 5 years?
# Where do you see the VPN market going in 5 years?
= Technical Segment: Considerations for Using Intel SGX - 7:00PM-7:30PM =
= Technical Segment: Considerations for Using Intel SGX - 7:00PM-7:30PM =

Revision as of 22:34, 3 November 2016

Paul's Security Weekly - Episode 488

Recorded: November 3, 2016


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Jeff Man
    Infosec analyst
    Pioneering ex-NSA pen tester
    PCI specialist
    Tribe of Hackers
    InfoSec Curmudgeon
    Currently a Sr. InfoSec Consultant for Online Business Systems.
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security.
  • Jack Daniel
    Co-Founder of Security BSides and certified security wizard.

Episode Audio

[] Coming Soon


Interview: David Koplovitz, ProXPN - 6:00-7:00PM

Over twenty years of experience in corporate leadership and management.

Developed agile products, created solutions, integrated systems and deployed technologies for both external and internal client initiatives.

Specialized in startups for the last 15 years with a focus on developing geographically diverse teams that deliver cost effective solutions with excellence.

  1. What are the use cases for ProXPN?
  2. How do you differentiate yourself in the market? (For our audience, why should they choose ProXPN over someone else?
  3. What are the best methods for evaluating VPN products?
  4. How can enterprises use your product?
  5. What are some of the technologies in use on the backend?
  6. Where do you see the VPN market going in 5 years?
  1. Three words to describe yourself.
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of ass grabby-grabby, do you prefer to go first or second?
  5. Choose two celebrities to be your parents.

Technical Segment: Considerations for Using Intel SGX - 7:00PM-7:30PM

Intel SGX is a newer method of implementing trusted computing.

  • You need to develop software that uses Intel SGX, Then this code, and associated data, would be protected during execution, even if an attacker were to gain administrative privs on the box
  • You can only currently write apps in C/C++
  • Everyone accessing the applications would need to run this software and on hardware that supports Intel SGX.
  • This would mean that all systems on the network would need to be about a year old as SGX is only available on Skylake and later processors: https://github.com/ayeks/SGX-hardware
  • You would only get true protection at both ends when every system on the network is running the software and has the SGX supported hardware
  • There are validation methods in SGX, a remote enclave can create a cryptographic report, essentially letting others know that SGX is in use, so we can validate that a financial institution is in fact using SGX
  • Bad news, while SGX enclaves are protected, it's similar to a firewall, they have to let things in an out in order to operate, and it's speculated that this is where attacks will occur
  • More bad news, it's a doubled edged sword, applications used in the business can be protected, however so can malware. Malware can run in an SGX enclave, and essentially lock out the kernel, operating system and any anti-malware products



Security News - 7:30PM-8:30PM

Paul's Stories

  1. This Evil Office Printer Hijacks Your Cellphone Connection
  2. Three hospitals in England cancel operations over computer virus
  3. Cisco says it'll make IoT safe because it owns the network
  4. Ubiquiti all the things: how I finally fixed my dodgy wifi
  5. Its time to regulate baby monitors
  6. How Hackers Can Steal Your Cell Phone Pictures From Your Crock-Pot
  7. Belkins WeMo Gear Can Hack Android Phones
  8. New, fast-spreading IoT botnet hybridizes two less-effective strains to achieve quick dominance
  9. Fixing the communications breakdown between IT security and the board and c-suite
  10. Alarmed by Admiral's data grab? Wait until insurers can see the contents of your fridge
  11. Admiral Insurance to use algorithms to set insurance prices based on customers' Facebook posts
  12. Flipboard on Flipboard
  13. Google security head says Pixel is as secure as the iPhone
  14. Unsecured Internet of Things gadgets get hacked within 40 minutes of being connected to the net
  15. Webcams Used To Attack Twitter And Reddit Recalled
  16. Windows 10 Vulnerability AtomBombing Can Bypass Security Software
  17. Disappearing Messages Added to Signal App
  18. IoT Devices as Proxies for Cybercrime
  19. Telnet, SSH prod of death smashes Cisco broadband boxes offline
  20. How Hackers Plant False Flags to Hide Their Real Identities | Motherboard
  21. Nuclear Power Plant Disrupted by Cyber Attack
  22. JTAG Explained (finally!): Why "IoT" Makers, Software Security Folks, and Device Manufacturers Should Care - Senrio
  23. We're Not Going To Beat Cybercrime In Our Lifetime
  24. MITRE Will Give You $50k To Fingerprint Rogue IoT Devices
  25. IoT Malware Has Apparently Reached Almost All Countries
  26. Sex robots with warm skin to hit dating scene and could benefit relationships
  27. 4 cybersecurity trends you need to be aware of
  28. 4 cybersecurity trends you need to be aware of
  29. Yahoos CISO resigned in 2015 over secret e-mail search tool ordered by feds
  30. Hack Crashes Linux Distros with 48 Characters of Code

Jack's Stories

  1. IoTpocalyspe, but we can't talk about it properly
  2. Mirai tries to knock a country offline
  3. Oh, look, 2016 and vuln disclosure battles.
  4. Another look at this new "vulnerability disclosure" thing
  5. Hack the planet. Or your car, or toaster- legally now.
  6. The death of thought leadership
  7. Microsoft announces the end of life for EMET

Joff's Stories

  1. Critical Flaws in MySQL Give Root Access
  2. Mirai Used to DDoS Liberia

Michael's (Santa) Stories