Episode620

From Paul's Security Weekly
Revision as of 21:50, 19 September 2019

Recorded September 19, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Lee Neely
    Sr. Cyber Analyst at LLNL, SANS Analyst, SANS NewsBites Editor


  • Announcements

    • Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
    • OSHEAN and the Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18th from 9am-3pm at Salve Regina University in the beautiful Newport, RI! Visit securityweekly.com/OSHEAN2020 to register for free and come join in the fun!
    • We have officially migrated our mailing list to a new platform! Sign up for the list to receive invites to our virtual trainings, webcasts, and other content relevant to your interests by visiting securityweekly.com/subscribe and clicking the button to join the list! You can also submit your suggestions for guests by going to securityweekly.com/guests and submitting the form! We'll review them monthly and reach out if they are a good fit!
    • Our first-ever virtual training is happening on March 19th @11:00am ET, with Adam Kehler & Rob Harvey from Online Business Systems Risk, Security & Privacy Team. In this training you will learn how to generate a complex SHA-256 hashed password and then use password cracking tools to break it. Register for our upcoming trainings by visiting securityweekly.com, selecting the webcast/training drop down from the top menu bar and clicking registration.
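    The training above is described only in outline, so here is an added example of the exercise it names, written for these notes and not taken from the trainers or the show. It hashes a "complex" password with plain SHA-256, recovers it with a dictionary-plus-rules attack, and then shows what a password store should do instead (salted, iterated PBKDF2-HMAC-SHA256). The wordlist, the mangling rules and the 600,000-iteration default are constructed choices for the demonstration; a real run would use a full wordlist and a hashcat or John rule file.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed mini wordlist; a real attack feeds rockyou.txt or similar.
WORDLIST = ["password", "letmein", "summer", "welcome", "rhodeisland", "security"]

# Constructed mangling rules in the spirit of a hashcat/John rule file. A
# "complex" policy (upper + lower + digit + symbol) is usually satisfied by
# exactly these transformations, so they recover such passwords cheaply.
SUFFIXES = ("1", "123", "!", "2019", "!1")


def mangle(word: str):
    """Yield candidate passwords derived from one base word."""
    yield word
    yield word.capitalize()
    for suffix in SUFFIXES:
        yield word + suffix
        yield word.capitalize() + suffix


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 of the password: the scheme the exercise cracks."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_sha256(target_hex: str, wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """Dictionary-plus-rules attack on an unsalted SHA-256 digest.

    Returns (password, candidates_tried); password is None on failure.
    SHA-256 is fast and unsalted here, so each guess costs one hash and a
    precomputed table could answer without hashing at all.
    """
    tried = 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            if hmac.compare_digest(sha256_hex(cand), target_hex):
                return cand, tried
    return None, tried


def pbkdf2_store(password: str, iterations: int = 600_000,
                 salt: Optional[bytes] = None) -> dict:
    """What to store instead: per-user salt plus an iterated KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def pbkdf2_verify(password: str, record: dict) -> bool:
    """Constant-time check of a password against a stored PBKDF2 record."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def cost_ratio(password: str = "Security123", iterations: int = 100_000,
               samples: int = 200) -> float:
    """Rough ratio of one PBKDF2 guess to one SHA-256 guess on this machine."""
    t0 = time.perf_counter()
    for _ in range(samples):
        sha256_hex(password)
    fast = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, iterations)
    slow = time.perf_counter() - t0
    return slow / fast


if __name__ == "__main__":
    target = sha256_hex("Security123")  # satisfies an upper+lower+digits policy
    print("cracked:", crack_sha256(target))
    rec = pbkdf2_store("Security123")
    print("pbkdf2 verify:", pbkdf2_verify("Security123", rec),
          pbkdf2_verify("Security124", rec))
    print("one PBKDF2 guess costs about %.0fx a SHA-256 guess" % cost_ratio())
```

    The point of the second half is the cost per guess, not the secrecy of the algorithm: an attacker who knows the salt and iteration count still pays the full iteration count for every candidate, which turns a 66-hash crack into 66 × 600,000 hashes, and the salt removes shared precomputation across users.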


    Interview: Jason Lang, TrustedSec - 6:00-6:30PM

    Jason Lang is the Chief Human Hacker of TrustedSec

    • Works on TrustedSec's Adversary Emulation and Threat Research team.
    • Job is red teaming, purple teaming and pentesting.
    • In infosec for 10+ years, over 5 in offensive security / pentesting.
    • Enterprise background. Enjoys coding in C#, PowerShell and Python.
    • DerbyCon speaker/trainer.
    • "Amish Hacker": lives in the middle of nowhere. Hobbies: woodworking, fly fishing, beekeeping.

      Segment Topic:
      Anything Red/Purple teaming

      Segment Description:
      Modern day red teaming against some of the largest companies in the US. Current passion is Ansible for red teamers (i.e. fast infrastructure buildout).


    Tech Segment: Wes Widner, Hacker Halted Speaker - 6:30 - 7:30PM

    Wes Widner is the Cloud Engineering Manager at CrowdStrike
    Wes Widner engineers clouds with Crowdstrike. Large-scale distributed threat intelligence systems that span a range of threat vectors are his bread and butter. His work history includes data engineering with McAfee Labs’s Global Threat Intelligence department and malware pipelining with Norse Corporation. In his ample spare time, Wes also enjoys teaching children how to hack, ethically of course.

    Segment Topic:
    Audio Security

    Segment Description:
    Personal voice assistants are the wave of the future. So naturally we should wonder about the unique attack vectors they pose. I'd like to discuss my research into this field and share a few tips on how you can keep yourself safe around voice assistants.

    Segment Resources:
    https://github.com/kai5263499/audio-security-awesome


    Security News - 7:30PM-8:30PM

    Paul's Stories


    Larry's Stories

    1. Update on the Coalfire pentesters… (https://www.theregister.co.uk/2019/09/19/iowa_pentester_update/)
    2. WeWork WiFi (https://www.cnet.com/news/weworks-weak-wi-fi-security-leaves-sensitive-documents-exposed/) - Documents sent on WeWork's unsecured network included financial records, bank account credentials and a cat photo of Nicolas Cage. Play stupid games, win stupid prizes.
    3. GitHub Acquires Semmle (https://www.theregister.co.uk/2019/09/18/github_code_analysis_biz_semmle/) - does that mean we now get free code audits?
    4. Snowden sued for his memoir (https://www.cnet.com/news/justice-department-sues-edward-snowden-over-memoir/) - because he did not submit it to the publications office first…
    5. MITRE updates the CWE Top 25 (https://www.us-cert.gov/ncas/current-activity/2019/09/17/2019-cwe-top-25-most-dangerous-software-errors)

    Lee's Stories

    1. iOS 13 Flaw Could Provide Access to Contacts without Passcode - iOS 13 flaw discovered in the beta product. Likely fixed in iOS 13.1, scheduled for release September 20.
    2. Entercom Radio Network Deals with Ransomware-Like Incident - A malware infection stemming from the programming department has spread. An internal memo prohibits external discussion of the incident.
    3. SIM Flaw Lets Hackers Hijack Any Phone by Sending SMS - Exploits a vulnerability in the S@T Browser to obtain location and IMEI information. The fix requires updated (replacement) SIM cards.
    4. Equifax Demands More Information Before Making Payouts - While the Equifax settlement is in place, those who signed up for payments are being asked additional questions before a payment is approved.
    5. LastPass Fixes Password-Leaking Flaw - The LastPass browser extension could expose credentials when used with Opera or Chrome. Update to 4.33.0 to resolve the problem.
    6. Cyber Fraud Hits Superannuation - As much as AUD $10M was stolen by a fraud and identity-theft syndicate. The stolen funds were laundered through cryptocurrency and untraceable assets back to Australia.
    7. phpMyAdmin CSRF Zero-Day CVE-2019-12922 - A CSRF vulnerability in phpMyAdmin can be used to delete any server configured through the setup panel. User interaction is required to exploit. Not patched yet.
    8. Confidential Data of 24.3 Million Patients Discovered Online - 590 of 2,300 medical imaging systems analyzed worldwide were found to be insecure, revealing X-rays, CT scans, MRI scans, etc., plus full names, dates of birth, exam dates and associated data. 39 servers had neither access control nor HTTPS.
    9. CFPB Probes Fake Credit Card Accounts at Bank of America - BofA is accused of opening accounts without customer consent, reminiscent of Wells Fargo. BofA also did not collect signatures of intent for account openings.
    10. Google Calendars Possibly Leaking Private Information Online - Google Calendars shared publicly are indexed by Google's search engine, and the links to the indexed content are public. Depending on the sharing settings, following a link can allow reading, and in some cases updating, the corresponding calendar. Review your calendar sharing settings.
    11. CookieMiner Malware Targets Mac, Steals Passwords and SMS Messages, Mines for Cryptocurrency - Hunts for files containing passwords, web authentication tokens and private keys for cryptocurrency wallets. Mines Koto, a Zcash-based cryptocurrency associated with Japan.
    12. New Report: AI Can't Offer Protection from 'Deepfakes' - Beware of quick fixes; true detection is a complex problem, requiring social and technical fixes alongside detection capabilities.
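    Story 10 ends with "review calendar sharing settings"; as an added example written for these notes (not code from the story, Google or the show), here is what that review looks like when done against the Google Calendar API's ACL rules rather than by clicking through each calendar. The rules below are a constructed sample in the shape of an acl.list response; in a real audit the "items" would come from service.acl().list(calendarId=...).execute() for every calendar returned by service.calendarList().list(), using a credential with sufficient rights on those calendars. The severity labels and the own_domain convention are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Calendar API ACL vocabulary: scope.type is one of default (the public scope),
# user, group or domain; role is one of none, freeBusyReader, reader, writer, owner.
ROLE_RANK = {"none": 0, "freeBusyReader": 1, "reader": 2, "writer": 3, "owner": 4}
SEVERITY_ORDER = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class Finding:
    calendar_id: str
    principal: str
    role: str
    severity: str


def audit_acl(calendar_id: str, rules: Iterable[dict], own_domain: str) -> List[Finding]:
    """Flag ACL rules that expose a calendar beyond own_domain.

    Public (default-scope) write access is critical: anyone with the link can
    change events, which is the read/update exposure the story describes.
    Public read is high. Sharing with outside users, groups or domains is
    reported as medium (write) or low (read) so it can be reviewed.
    """
    findings = []
    own = own_domain.lower()
    for rule in rules:
        role = rule.get("role", "none")
        rank = ROLE_RANK.get(role, 0)
        if rank == 0:
            continue  # role "none" grants nothing
        scope = rule.get("scope", {})
        stype, value = scope.get("type"), scope.get("value", "").lower()
        writable = rank >= ROLE_RANK["writer"]
        if stype == "default":
            findings.append(Finding(calendar_id, "public", role,
                                    "critical" if writable else "high"))
        elif stype == "domain" and value != own:
            findings.append(Finding(calendar_id, f"domain:{value}", role,
                                    "medium" if writable else "low"))
        elif stype in ("user", "group") and not value.endswith("@" + own):
            findings.append(Finding(calendar_id, f"{stype}:{value}", role,
                                    "medium" if writable else "low"))
    return findings


# Constructed sample in the shape of acl.list "items"; replace with live API
# output in a real audit.
SAMPLE_CALENDARS = {
    "projects@example.com": [
        {"role": "owner", "scope": {"type": "user", "value": "alice@example.com"}},
        {"role": "reader", "scope": {"type": "domain", "value": "example.com"}},
        {"role": "writer", "scope": {"type": "default"}},  # public and writable
        {"role": "writer", "scope": {"type": "user", "value": "bob@partner.example"}},
    ],
    "oncall@example.com": [
        {"role": "owner", "scope": {"type": "user", "value": "alice@example.com"}},
        {"role": "reader", "scope": {"type": "default"}},  # public, read-only
        {"role": "none", "scope": {"type": "domain", "value": "other.example"}},
    ],
    "private@example.com": [
        {"role": "owner", "scope": {"type": "user", "value": "alice@example.com"}},
        {"role": "reader", "scope": {"type": "group", "value": "team@example.com"}},
    ],
}


def audit_all(calendars: dict, own_domain: str = "example.com") -> List[Finding]:
    """Audit every calendar and return findings ordered by severity."""
    out: List[Finding] = []
    for cal_id, rules in calendars.items():
        out.extend(audit_acl(cal_id, rules, own_domain))
    return sorted(out, key=lambda f: SEVERITY_ORDER.index(f.severity))


if __name__ == "__main__":
    for f in audit_all(SAMPLE_CALENDARS):
        print(f"{f.severity:8} {f.calendar_id:22} {f.principal:28} {f.role}")
```

    A calendar with no default-scope rule above "none" is not reachable by link regardless of whether a search engine has seen the URL, so the critical and high rows are the ones to fix first; the external-user rows are for a human to confirm rather than to remove automatically.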