From Security Weekly Wiki
Jump to navigationJump to search

Recorded May 9, 2019 at G-Unit Studios in Rhode Island!

Episode Audio


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Lee Neely
    is a Sr. Cyber Analyst at LLNL,SANS Analyst, SANS NewsBites Editor

  • Announcements

    • We just released our 2019 Security Weekly 25 Index Survey. Please go to securityweekly.com and click the Survey link to help us understand who's evaluating, using, or formerly used any of the Security Weekly 25 companies. The results will be summarized and presented back to all responders in a private webcast.

    Interview: Lesley Carhart, Dragos Inc. - 6:00-6:30PM

    Lesley Carhartis the Principal Threat Analyst at [Dragos Inc.]

    Lesley has been performing digital forensics and incident response on unconventional systems and advanced adversary attacks for over a decade. Some people, certification companies, and awards presenters think she might be pretty okay at it. In her free time, she fights (willing?) people with knives, and answers people’s infosec questions on Twitter instead of sleeping. Her goal in 2019 is to earn enough exp to become a level 14 rogue.

    Interview: Chris Sanders, Applied Network Defense & Rural Technology Fund - 6:30 - 7:30PM

    Chris Sanders is the founder of Applied Network Defense, a company focused on delivering high quality, accessible information security training. He is also the Director of the Rural Technology Fund, a non-profit that donates scholarships and equipment to public schools to further technical education in rural and high poverty areas. He is the author of Applied Network Security Monitoring and Practical Packet Analysis. You can connect with Chris on his blog at http://www.chrissanders.org or on Twitter @chrissanders88.

    Chris blogs at http://www.chrissanders.org. You can learn more about Applied Network Defense at http://www.appliednetworkdefense.com and the RTF at http://www.ruraltechfund.org.

    Security News - 7:30PM-8:30PM

    Paul's Stories

    1. Locked Computers - Schneier on Security - Best part is from the comments: The problem? Mice were stolen regularly. We've made a contraption: got out one unused backplate from each case, drilled two holes through it and ran mouse cable through them (plus some rubber padding). Then we screwed the backplates back in and closed the cases. The cable run from the serial port plug through the drilled backplate (in and out) and then to the mouse itself. You couldn't steal the mouse now without cutting the cable or opening the locked case. Problem solved - for some time.Some time later someone - probably out of frustration that he can't steal mice - stole all the balls from them. That was over the top. We've closed the venue and posted a message "Closed until all balls are returned". Some patrons must have got really angry at the thief and had a few pleasant words with him - the balls were found in a bag near the door next morning...
    2. Choosing Imagery for Your Security Awareness Program - If the only tip you take from this article is this, you are winning: Instead, look for imagery that works to evoke emotion. You can do this with imagery that is positive, colorful, and inviting. Unexpected image compositions can also help give a modern look and feel to your campaign.
    3. Top 5 Configuration Mistakes That Create Field Days for Hackers - Sometimes I believe we complicate security too much. This article highlights 1. Default passwords 2. Password re-use 3. Exposed remote management services 4. Missing patches 5. Logging disabled or non-existent.
    4. Quantifying Measurable Security - Okay, but so why is Android not-so-secure? Both Android and Chrome OS have dedicated security teams who are tasked with continually enhancing the security of these operating systems through new features and anti-exploitation techniques. In addition, each team leverages a mature and comprehensive security development lifecycle process to ensure that security is always part of the process and not an afterthought.
    5. Facial recognition will not ensure public safety and heres why - This is why it will never work: Detecting faces means also detecting emotions: if you look worried, angry or nervous, the machine will spot it, and think maybe, you’re up to no good…
    6. WordPress 5.2 Brings New Security Features | SecurityWeek.Com - For the first release, WordPress will (by default) soft-fail if the signature is not valid. In future releases, the default will be configured to a hard failure. The reason for this unsafe default is to ensure updates aren't blocked if there’s a bug in the update code, Okay great, you are validating software updates. WTF, is this really how attackers are exploiting Wordpress? No. It's through the plugins. Good solution, wrong problem to solve.
    7. Hackers exploit Jenkins flaw CVE-2018-1000861 to Kerberods malware
    8. Securing satellites: The new space race - Help Net Security - Okay, sign me up: For hackers with deeper pockets, they could realistically launch their own CubeSat into orbit and then conduct hacking operations from there. The benefits are primarily related to proximity to other satellites and not having to wait for a satellite to pass over the ground station to perpetrate an attack. Whatever the method, compromising a satellite is now a realistic and attainable opportunity for hackers.
    9. MobileIron introduces zero sign-on technology to eliminate passwords - Help Net Security
    10. How to Communicate Privately in the Age of Digital Policing
    11. Alpine Linux Docker Images Shipped for 3 Years with Root Accounts Unlocked - This is not a big deal for two reasons: 1) Most Alpine containers do not contain a shell (and certainly you can configure them that way), minimizing the likelyhood that PAM can even be accessed to exploit this flaw 2) This only gets you "root" inside the container, not the host system or any other containers.
    12. Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers - VICE
    13. San Diego man arrested after rifle-shaped bong causes gun scare - I mean okay, for one marijuana is legal in CA. Two, I mean people in CA love their weed, so I can see people getting bored and being like "Dude, ya know man, we should get a bong that's a rifle, like a rifle bong". And if you do that in comfort of your own home, not having to drive or have much other responsibilities, I'm cool with it. However, they smoked out of this thing in a hotel room in full view of a WINDOW. Common sense was absent that day.
    14. 'Software delivered to Boeing' now blamed for 737 MAX warning fiasco
    15. Israel Neutralizes Cyber Attack by Blowing Up A Building With Hackers
    16. Extinguishing the IoT Insecurity Dumpster Fire
    17. Microsoft Windows 10 will get a full built-in Linux Kernel for WSL 2 - If you're going to run Linux, just run Linux... I do want to see a lower cost device, that actually works, that is a small computer that sits in a PCIe slot that you can run Linux on. Heck, I run Linux and I'd still buy one just to have an extra Linux box in my computer.
    18. Amazon workers purloin $100,000 worth of Apple Watches | Cult of Mac

    Lee's Stories

    1. Microsoft WSL 2 Announced WLS 2 will include a Linux kernel, with better integration. Still includes Debian package manager.
    2. Discontinued Insulin pump with security flaw in high demand Users are hacking old Insulin pumps, using OpenAPS, to provide looping of insulin for better quality of life.