Difference between revisions of "PSWEpisode626"

From Security Weekly Wiki
(6 intermediate revisions by the same user not shown)
Line 29: Line 29:
  
 
= Tech Segment: Kevin Finisterre & Josh Valentine, Arcade Hacking - 6:30PM-7:00PM =
 
= Tech Segment: Kevin Finisterre & Josh Valentine, Arcade Hacking - 6:30PM-7:00PM =
[[File:KevinFinisterre2.jpg|right|250px|thumb|<center>'''[https://twitter.com/d0tslash Kevin Finisterre]'''is a Co-founder of [https://github.com/ArcadeHustle Arcade Hustle]</center>]] Kevin is currently working quietly as an automotive security engineer helping to keep autonomous vehicles safe. Most recently he is perhaps best known for his efforts both crafting and working within a distributed online community to expose vulnerabilities in consumer drone hardware. Many think Kevin's disclosures are solely responsible for the recent wave of US Government bans on Chinese drone hardware from manufactures like DJI.
+
[[File:KevinFinisterre2.jpg|right|250px|thumb|<center>'''[https://twitter.com/d0tslash Kevin Finisterre]'''is a Co-founder of [https://github.com/ArcadeHustle Arcade Hustle]</center>]] Kevin is currently working quietly as an automotive security engineer helping to keep autonomous vehicles safe. Most recently he is perhaps best known for his efforts both crafting and working within a distributed online community to expose vulnerabilities in consumer drone hardware. Many think Kevin's disclosures are solely responsible for the recent wave of US Government bans on Chinese drone hardware from manufactures like DJI.<br><br><br><br>
[[File:JoshValentine.jpg|right|250px|thumb|<center>'''[https://twitter.com/fsckewe Josh Valentine]'''is a Co-founder of [https://github.com/ArcadeHustle Arcade Hustle]</center>]] Josh is a long time arcade game enthusiast and collector. Over the past couple of years, he and Kevin have been collecting arcade machines and game platforms. Josh has spent the last 0000458:0000020 years in information security. The majority of that time spent doing offensive work and research. Most recently, he has moved to the dark side, helping clients secure their networks.<br><br>'''Segment Topic:'''<br>The arcade scene and how it relates to the computer security scene<br><br>'''Segment Description:'''<br>Josh and I have spent the last year immersing ourselves in arcade platforms, games, and cabinets. There is quite a bit of cross over into the traditional security scene. There is even more to learn in the subtle differences of how each scene handles. We'd like to talk about our project Arcade Hustle, and the things we've learned during our into to the arcade scene.<br><br>'''Segment Resources:'''<br>
+
<br><br>[[File:JoshValentine.jpg|right|250px|thumb|<center>'''[https://twitter.com/fsckewe Josh Valentine]'''is a Co-founder of [https://github.com/ArcadeHustle Arcade Hustle]</center>]] Josh is a long time arcade game enthusiast and collector. Over the past couple of years, he and Kevin have been collecting arcade machines and game platforms. Josh has spent the last 0000458:0000020 years in information security. The majority of that time spent doing offensive work and research. Most recently, he has moved to the dark side, helping clients secure their networks.<br><br>'''Segment Topic:'''<br>The arcade scene and how it relates to the computer security scene<br><br>'''Segment Description:'''<br>Josh and I have spent the last year immersing ourselves in arcade platforms, games, and cabinets. There is quite a bit of cross over into the traditional security scene. There is even more to learn in the subtle differences of how each scene handles. We'd like to talk about our project Arcade Hustle, and the things we've learned during our into to the arcade scene.
 +
# Similarities and differences between arcade hardware, consoles gaming, and PC gaming. (similar to #4 that Kevin provided)
 +
# Dedicated hardware, COTS hardware. e.g. SH4, x86/64, JVS/JAMMA/FastIO
 +
# How does security fit into all of this?
 +
* PC based arcade games
 +
* software updates
 +
* VxWorks!!<br><br>'''Segment Resources:'''<br>
 
*https://github.com/ArcadeHustle
 
*https://github.com/ArcadeHustle
 
*http://akuma.arcadehustle.com/
 
*http://akuma.arcadehustle.com/
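Review bot: the first added list item still carries a drafting note, "(similar to #4 that Kevin provided)", which points at a list this page does not show; drop it or replace it with the point it refers to. The Josh Valentine bio, unchanged on both sides of this revision, still contains the unrendered value "0000458:0000020 years" and should be given the intended number while the paragraph is being edited. The added "*" items after "# How does security fit into all of this?" will render as a separate bulleted list; if they are meant as sub-points of item 3, mark them "#*".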
Line 43: Line 49:
 
== Larry's Stories ==
 
== Larry's Stories ==
  
== Lee's Stories ==
+
== Tyler's Stories ==
 
<br>
 
<br>
  
  
 
{{SocialMedia}}
 
{{SocialMedia}}

Revision as of 17:35, 7 November 2019

Recorded November 7, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Tyler Robinson
    Managing Director of Network Operations at Nisos, Inc.


  • Announcements

    • Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
    • OSHEAN and the Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18th from 9am-3pm at Salve Regina University in the beautiful Newport, RI! Visit securityweekly.com/OSHEAN2020 to register for free and come join in the fun!
    • We have officially migrated our mailing list to a new platform! Sign up for the list to receive invites to our virtual trainings, webcasts, and other content relative to your interests by visiting securityweekly.com/subscribe and clicking the button to join the list! You can also submit your suggestions for guests by going to securityweekly.com/guests and submitting the form! We'll review them monthly and reach out if they are a good fit!
    • Our first-ever virtual training is happening on March 19th @11:00am ET, with Adam Kehler & Rob Harvey from Online Business Systems Risk, Security & Privacy Team. In this training you will learn how to generate a complex SHA-256 hashed password and then use password cracking tools to break it. Register for our upcoming trainings by visiting securityweekly.com, selecting the webcast/training drop down from the top menu bar and clicking registration.


    Interview: Peter Smith, Edgewise - 6:00-6:30PM

    Peter Smith is the Founder & CEO of Edgewise

    Peter Smith, Edgewise Founder and CEO, is a serial entrepreneur who built and deployed Harvard University’s first NAC system before it became a security category. Peter brings a security practitioner’s perspective to Edgewise with more than ten years of expertise as an infrastructure and security architect of data centers and customer-hosting environments for Harvard University, Endeca Technologies (Oracle), American Express, Fidelity UK, Bank of America, and Nike. Most recently, Peter was on the founding team at Infinio Systems where he led product and technology strategy.


    Tech Segment: Kevin Finisterre & Josh Valentine, Arcade Hacking - 6:30PM-7:00PM

    Kevin is currently working quietly as an automotive security engineer helping to keep autonomous vehicles safe. Most recently he is perhaps best known for his efforts both crafting and working within a distributed online community to expose vulnerabilities in consumer drone hardware. Many think Kevin's disclosures are solely responsible for the recent wave of US Government bans on Chinese drone hardware from manufacturers like DJI.





    Josh Valentine is a Co-founder of Arcade Hustle

    Josh is a long time arcade game enthusiast and collector. Over the past couple of years, he and Kevin have been collecting arcade machines and game platforms. Josh has spent the last 0000458:0000020 years in information security. The majority of that time spent doing offensive work and research. Most recently, he has moved to the dark side, helping clients secure their networks.

    Segment Topic:
    The arcade scene and how it relates to the computer security scene

    Segment Description:
    Josh and I have spent the last year immersing ourselves in arcade platforms, games, and cabinets. There is quite a bit of crossover into the traditional security scene. There is even more to learn in the subtle differences of how each scene handles. We'd like to talk about our project Arcade Hustle, and the things we've learned during our intro to the arcade scene.

    1. Similarities and differences between arcade hardware, consoles gaming, and PC gaming. (similar to #4 that Kevin provided)
    2. Dedicated hardware, COTS hardware. e.g. SH4, x86/64, JVS/JAMMA/FastIO
    3. How does security fit into all of this?


    Security News - 7:30-8:30PM

    Paul's Stories

    1. Who is responsible for Active Directory security within your organization? - Help Net Security - But 24% said that they don’t know who is responsible for Active Directory security within their organization – showing that sometimes this important function can fall through the cracks between IT and security teams. If you are one of these companies, we need to chat :)
    2. Presentation Template: Build Your 2020 Security Plan - Just one slide, big letters: We're Screwed.
    3. A Warning About Viruses From Weird Al - Thanks for burning my best email phishing campaign, "Stinky Cheese" was so successful!
    4. Apple publishes new technical details on privacy features - Apple also outlined steps it has taken to cut off app developers that circumvent its rules. For example, even when users have turned off location-based services that use an iPhone’s GPS chips, app developers can scan for nearby Wi-Fi networks and Bluetooth devices to approximate the user’s location. Developers now must ask permission for Bluetooth access, for example, and explain why it is needed, Apple’s guides said. Google's response is classic: Google Chief Executive Sundar Pichai said in a New York Times op-ed that “privacy cannot be a luxury good offered only to people who can afford to buy premium products.” Says the company with a $1k phone with fewer features than the iPhone 11...
    5. Facebook reveals privacy flaw in Groups - Crap, now they know where I get my memes: With permission, app developers could access a group's name, the number of members and the content of posts. However, they could only access member names and photos if people explicitly opted in. But on Tuesday, the company revealed that about 100 "partners" retained access following the change.
    6. Bug Hunters Earn $195,000 for Hacking TVs, Routers, Phones at Pwn2Own | SecurityWeek.Com
    7. Camgirl sites expose millions of members and users
    8. How to ensure online safety with DNS over HTTPS
    9. Mobile security firms will help protect Google Play - Help Net Security
    10. Printers: The overlooked security threat in your enterprise | TECHtalk - Overlooked for sure, but attackers don't need to hack your printer. Largely we've observed attackers using other methods to obtain data, and printer attacks are not popular, yet. Email phishing and lateral movement within the domain using credentials wins almost every time. When we force attackers to step outside this technique, they may turn to printers; however, it's still an opportunistic attack.
    11. Capital One Shifts Its CISO to New Role - Dark Reading
    12. Amazon's Ring Video Doorbell could open the door of your home to hackers - The controversial title is beyond irresponsible, which I am shocked as this site is typically pretty good. First, you'd have to have a smart lock on your front door, and not use any other type of lock as a backup. Also, if you have smart locks, be certain you have cameras. And yes, an attacker could use the Doorbell vulnerability to get the Wifi password, open the door and then delete the recordings from the camera. But holy crap, how did we get here? In any case, in order for the vulnerability to be exploitable, the Ring doorbell must be re-configured. The article suggests that a constant de-auth attack could then, in turn, cause the user to re-configure the device, leaving it exposed to the vulnerability that will cough up the Wifi password. All of this will likely just go away once Ring pushes an update. Every IoT security flaw is not the end of the world or even deserves an article to be written about it.
    13. Bill Gates says people would be using Windows Mobile if not for the Microsoft antitrust case - “There’s no doubt the antitrust lawsuit was bad for Microsoft, and we would have been more focused on creating the phone operating system, and so instead of using Android today, you would be using Windows Mobile if it hadn’t been for the antitrust case,” Gates, a Microsoft co-founder and board member, said at the New York Times’ DealBook conference in New York. Really? Someone send Bill a copy of "Extreme Ownership".
    14. What you probably didn't know about sudo
    15. New 'unremovable' xHelper malware has infected 45,000 Android devices | ZDNet

    WTF:

    1. People are posting their genitals on Reddit to get STI diagnoses - “Social media was not built to deliver health care,” UC San Diego scientist and study co-author Alicia Nobles told CNBC.

    Larry's Stories

    Tyler's Stories


