
Paul's Security Weekly #561

Recorded May 24, 2018 at G-Unit Studios in Rhode Island!



  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Jack Daniel
    Co-Founder of Security BSides and certified security wizard.
  • Announcements

    • Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Ticket Sales are open for Social Engineering RI Conference. Saturday, June 16th at Salve Regina University in Newport RI. Go to - http://se-ri.org/ to register! We are giving away 2 tickets to this conference. Please send your best meme of Paul and Larry to psw@securityweekly.com.

    Interview: Steven Bellovin, Columbia University - 6:00PM-6:45PM

    Steven Bellovin is a Professor of Computer Science at Columbia University.
    Steven M. Bellovin is the Percy K. and Vidal L. W. Hudson Professor of Computer Science at Columbia University, a member of the Cybersecurity and Privacy Center of the university's Data Science Institute, and an affiliate faculty member at Columbia Law School. He does research on security and privacy and on related public policy issues. In his copious spare professional time, he does some work on the history of cryptography. He joined the faculty in 2005 after many years at Bell Labs and AT&T Labs Research, where he was an AT&T Fellow. He received a BA degree from Columbia University, and an MS and PhD in Computer Science from the University of North Carolina at Chapel Hill. While a graduate student, he helped create Netnews; for this, he and the other perpetrators were given the 1995 Usenix Lifetime Achievement Award (The Flame). Bellovin has served as Chief Technologist of the Federal Trade Commission and as the Technology Scholar at the Privacy and Civil Liberties Oversight Board. He is a member of the National Academy of Engineering and is serving on the Computer Science and Telecommunications Board of the National Academies of Sciences, Engineering, and Medicine. In the past, he has been a member of the Department of Homeland Security's Science and Technology Advisory Committee, and the Technical Guidelines Development Committee of the Election Assistance Commission; he has also received the 2007 NIST/NSA National Computer Systems Security Award and has been elected to the Cybersecurity Hall of Fame. Bellovin is the author of Thinking Security and the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds a number of patents on cryptographic and network protocols.
    He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs; he was also a member of the information technology subcommittee of an NRC study group on science versus terrorism. He was a member of the Internet Architecture Board from 1996 to 2002 and co-director of the Security Area of the IETF from 2002 through 2004.

    More details may be found at http://www.cs.columbia.edu/~smb/informal-bio.html.

    1. How did you get your start in information security?
    2. What was the driving force behind writing "Firewalls and Internet Security"?
    3. How did you get together with the co-authors of the book?
    4. How has information security changed since you first wrote the book?
    5. What are the most impactful misconceptions of security today?
    6. What sparked the idea(s) for your latest book, Thinking Security?
    7. The book aims to help readers understand how to design security architectures that don't just prevent attacks wherever possible, but also deal with the consequences of failures. What are some things for us to think about to be able to deal with the consequences of failures?
    8. What can we as security professionals today do to encourage the next generation of hackers?
    9. What is the impact of encryption on our society? For good guys? For bad guys? How do we attempt to make sure bad people aren't using encryption to their benefit? Or can we?
    10. How fragile is the Internet today with respect to wide-reaching disruption?
    11. What advice do you give your students today about their careers and information security?
    12. From 2013 to 2015 you were a member of the National Research Council study committee on the FAA Next Generation Air Traffic Control System; what can you share with us about this experience?

    Tech Segment: Sven Morgenroth, Netsparker - 6:45PM-7:45PM

    Sven Morgenroth, Security Researcher at Netsparker
    Sven Morgenroth is a security researcher at Netsparker. He found filter bypasses for Chrome's XSS auditor and several web application firewalls. He likes to exploit vulnerabilities in creative ways and has hacked his smart TV without even leaving his bed. Sven writes about web application security and documents his research on the Netsparker blog.

    Security News - 7:45PM-8:30PM

    Paul's Stories

    1. What Will GDPR's Impact Be On U.S. Consumer Privacy?
    2. DOJ Sinkholes VPNFilter Control Servers Found in US
    3. Blue Team Training Toolkit (BT3) 2.7 Packet Storm
    4. 24 DevOps Pros Reveal the Most Important Characteristic of a Successful DevOps Engineer - Security Boulevard
    5. Font Steganography - Schneier on Security
    6. InfoSec Handlers Diary Blog - "Blocked" Does Not Mean "Forget It"
    7. This Day In Market History, May 24: AOL Is Founded
    8. Pornhub launches VPNhub a free and unlimited VPN service
    9. FBI seizes domain Russia allegedly used to infect 500,000 consumer routers
    10. Police: Florida man tasered after walking naked through neighborhood carrying cooking oil - I hate it when that happens...
    11. A Congressional Debate Was Hacked to Show Gay Porn - The best part of this article: According to KRCR, moderator Chris Verrill could be heard saying, “Looks like we got hacked again, we’ll try to fix this,” and then the feed was cut entirely. AGAIN! LOL
    12. Why The Older You Get, The More You Hate Everyone (And Why That's OK)

    Larry's Stories

    1. DHCP Vulnerability
    2. Unintended fallout of GDPR: Whois
    3. VPNfilter

    Joff's Stories

    1. Remote RowHammer == NetHammer

    Jason's Stories

    1. Security Managers and Modernization Don’t Mix…or Do They?
    2. FBI exaggerated inability to access encrypted devices in promotion of ‘Going Dark’ problem
    3. Surprise! Student receives $36,000 Google bug bounty for RCE flaw

    Kevin's Stories

    1. For the Love of God, Stop Renting Routers From Comcast "A bug in Comcast’s router and modem activation process potentially exposed the private data of millions of customers who rented hardware from the company."
    2. Amazon's Alexa recorded private conversation and sent it to random contact "The company, which has insisted its Echo devices aren't always recording, has confirmed the audio was sent"
    3. FBI repeatedly overstated encryption threat figures to Congress, public "FBI Director Christopher A. Wray cited the inflated figure as the most compelling evidence for the need to address what the FBI calls 'Going Dark' - the spread of encrypted software that can block investigators' access to digital data even with a court order."
