Difference between revisions of "PSWEpisode626"

From Paul's Security Weekly
Jump to: navigation, search
(Tech Segment: Kevin Finisterre & Josh Valentine, Arcade Hacking - 6:30PM-7:00PM)
(One intermediate revision by the same user not shown)
Line 16: Line 16:

Revision as of 22:29, 7 November 2019

Recorded November 7, 2019 at G-Unit Studios in Rhode Island!

Episode Audio


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Tyler Robinson
    Managing Director of Network Operations at Nisos, Inc .
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security.

  • Announcements

    • Register for one of our upcoming webcasts with Bryce Shroeder and Barbara Kay of ServiceNow, Kevin O'Brien of GreatHorn, or Steve Laubenstein of Core Security (or all of them!) by going to securityweekly.com -> Click the webcast dropdown & Select Registration! If you have missed any of our previously recorded webcasts, you can find our on-demand library by selecting on-demand from the webcast drop down! If you attend any of our webcasts, you will receive 1 CPE credit per webcast!
    • We're currently running our annual Listener Feedback Survey! Please visit securityweekly.com -> click the survey tab & select "2019 Listener Survey" to submit your responses!
    • The new Security Weekly website is officially live! Visit securityweekly.com to check out all of our new sorting and filtering functionality! Please let us know if you find any issues or have any feedback by sending to website@securityweekly.net
    • Paul will be providing his insights & predictions in the information & cyber security space at a local (ISC)2 RI Chapter Meeting on Monday, November 18th @ Gregg's Restaurant in Providence. If you would like to join us, go to securityweekly.com/isc2ri

    Interview: Peter Smith, Edgewise - 6:00-6:30PM

    Peter Smithis the Founder & CEO of Edgewise
    Peter Smith, Edgewise Founder and CEO, is a serial entrepreneur who built and deployed Harvard University’s first NAC system before it became a security category. Peter brings a security practitioner’s perspective to Edgewise with more than ten years of expertise as an infrastructure and security architect of data centers and customer-hosting environments for Harvard University, Endeca Technologies (Oracle), American Express, Fidelity UK, Bank of America, and Nike. Most recently, Peter was on the founding team at Infinio Systems where he led product and technology strategy.

    Tech Segment: Kevin Finisterre & Josh Valentine, Arcade Hacking - 6:30PM-7:00PM

    Kevin is currently working quietly as an automotive security engineer helping to keep autonomous vehicles safe. Most recently he is perhaps best known for his efforts both crafting and working within a distributed online community to expose vulnerabilities in consumer drone hardware. Many think Kevin's disclosures are solely responsible for the recent wave of US Government bans on Chinese drone hardware from manufactures like DJI.

    Josh Valentineis a Co-founder of Arcade Hustle
    Josh is a long time arcade game enthusiast and collector. Over the past couple of years, he and Kevin have been collecting arcade machines and game platforms. Josh has spent the last 0000458:0000020 years in information security. The majority of that time spent doing offensive work and research. Most recently, he has moved to the dark side, helping clients secure their networks.

    Segment Topic:
    The arcade scene and how it relates to the computer security scene

    Segment Description:
    Josh and I have spent the last year immersing ourselves in arcade platforms, games, and cabinets. There is quite a bit of cross over into the traditional security scene. There is even more to learn in the subtle differences of how each scene handles. We'd like to talk about our project Arcade Hustle, and the things we've learned during our into to the arcade scene.
    1. Similarities and differences between arcade hardware, consoles gaming, and PC gaming. (similar to #4 that Kevin provided)
    2. Dedicated hardware, COTS hardware. e.g. SH4, x86/64, JVS/JAMMA/FastIO
    3. How does security fit into all of this?

    Security News - 7:30-8:30PM

    Paul's Stories

    1. Who is responsible for Active Directory security within your organization? - Help Net Security - But 24% said that they don’t know who is responsible for Active Directory security within their organization – showing that sometimes this important function can fall through the cracks between IT and security teams. If you are one of these companies, we need to chat :)
    2. Presentation Template: Build Your 2020 Security Plan - Just one slide, big letters: We're Screwed.
    3. A Warning About Viruses From Weird Al - Thanks for burning my best email phishing campaign, "Stinky Cheese" was so successful!
    4. Apple publishes new technical details on privacy features - Apple also outlined steps it has taken to cut off app developers that circumvent its rules. For example, even when users have turned off location-based services that use an iPhone’s GPS chips, app developers can scan for nearby Wi-Fi networks and Bluetooth devices to approximate the user’s location. Developers now must ask permission for Bluetooth access, for example, and explain why it is needed, Apple’s guides said. Googles respons is classic: Google Chief Executive Sundar Pichai said in a New York Times op-ed that “privacy cannot be a luxury good offered only to people who can afford to buy premium products.” Says the company with a $1k phone with less feature's than the iPhone 11...
    5. Facebook reveals privacy flaw in Groups - Crap, now they know where I get my memes: With permission, app developers could access a group's name, the number of members and the content of posts. However, they could only access member names and photos if people explicitly opted in. But on Tuesday, the company revealed that about 100 "partners" retained access following the change.
    6. Bug Hunters Earn $195,000 for Hacking TVs, Routers, Phones at Pwn2Own | SecurityWeek.Com
    7. Camgirl sites expose millions of members and users
    8. How to ensure online safety with DNS over HTTPS
    9. Mobile security firms will help protect Google Play - Help Net Security
    10. Printers: The overlooked security threat in your enterprise | TECHtalk - Overlooked for sure, but attackers don't need to hack your printer. Largely we've observed attackers using other methods to obtain data, and printer attacks are not popular, yet. Email phishing and lateral movement within the domain using credentials wins almost every time. When we force attackers to step outside this technique, they may turn to printers, however its still an opportunistic attack.
    11. Capital One Shifts Its CISO to New Role - Dark Reading
    12. Amazons Ring Video Doorbell could open the door of your home to hackers - The controversial title is beyond irresponsible, which I am shocked as this site is typically pretty good. First, you'd have to have a smart lock on your front door, and not use any other type of lock as a backup. Also, if you have smart locks, be certain you have cameras. And yes, an attacker could use the Doorbell vulnerability to get the Wifi password, open the door and then delete the recordings from the camera. But holy crap, how did we get here? In any case, in order for the vulnerability to be exploitable, the Ring doorbell must be re-configured. The article suggests that a constant de-auth attack could then, in turn, cause the user to re-configure the device, leaving it exposed to the vulnerability that will cough up the Wifi password. All of this will likely just go away once Ring pushes an update. Every IoT security flaw is not the end of the world or even deserves an article to be written about it.
    13. Bill Gates says people would be using Windows Mobile if not for the Microsoft antitrust case - “There’s no doubt the antitrust lawsuit was bad for Microsoft, and we would have been more focused on creating the phone operating system, and so instead of using Android today, you would be using Windows Mobile if it hadn’t been for the antitrust case,” Gates, a Microsoft co-founder and board member, said at the New York Times’ DealBook conference in New York. Really? Somone send Bill a copy of "Extreme Ownership".
    14. What you probably didnt know about sudo
    15. New 'unremovable' xHelper malware has infected 45,000 Android devices | ZDNet


    1. People are posting their genitals on Reddit to get STI diagnoses - “Social media was not built to deliver health care,” UC San Diego scientist and study co-author Alicia Nobles told CNBC.

    Larry's Stories

    Tyler's Stories

    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+