Difference between revisions of "PSWEpisode630"

From Paul's Security Weekly
m (Lee's Stories)
(Larry's Stories)
Line 39: Line 39:

 == Larry's Stories ==
+ #[https://security.googleblog.com/2019/12/detecting-unsafe-path-access-patterns.html Unsafe Path access auditing with PathAuditor]
+ #[https://www.helpnetsecurity.com/2019/12/11/test-employee-cyber-competence/ How to test employee cyber competence through pen-testing]
+ #[https://arstechnica.com/tech-policy/2019/12/senate-judiciary-committee-interrogates-apple-facebook-about-crypto/ Senate Judiciary committee interrogates Apple, Facebook about crypto] - OMG this is turning into a shit show...
+ #[https://github.com/dhondta/dronesploit DroneSploit] - A Metasploit like interface for a collection of Drone exploits.

 == Jeff's Stories ==

Revision as of 23:11, 12 December 2019

Recorded December 12, 2019 at G-Unit Studios in Rhode Island!


Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Jeff Man
    Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist, Tribe of Hackers, & InfoSec Curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.
  • Lee Neely
    Sr. Cyber Analyst at LLNL, SANS Analyst, SANS NewsBites Editor.
  • Tyler Robinson
    Managing Director of Network Operations at Nisos, Inc.


  • Announcements

    • Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
    • Attend RSA Conference 2020, February 24-28 in San Francisco, CA! Visit securityweekly.com/rsac2020 to sponsor an interview with us on-site at the conference or register using our code to save $150!
    • OSHEAN and the Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18th from 9am-3pm at Salve Regina University in the beautiful Newport, RI! Visit securityweekly.com/OSHEAN2020 to register for free and come join in the fun!


    Interview: Jorge Salamero, Sysdig - 6:00-6:45PM

    Jorge Salamero is the Director of Technical Marketing at Sysdig.
    Jorge enjoys playing with containers and Kubernetes, home automation and DIY projects. Currently, he is part of the Sysdig team, and in the past was a Debian developer. When he is away from computers, you will find him walking with his 2 dogs in the mountains or driving his car along a twisting road.

    Segment Topic:
    Runtime Protection for Containers


    Tech Segment: John Strand, BHIS - 6:45PM-7:30PM

    John Strand is a security analyst, Founder of Black Hills Information Security, and CTO of Offensive Countermeasures.
    John Strand is the Founder of Black Hills Information Security and Active Countermeasures. John has both consulted and taught hundreds of organizations in the areas of security, regulatory compliance, and penetration testing. John is a contributor to the industry shaping Penetration Testing Execution Standard and 20 Critical Controls frameworks.

    Segment Topic:
    Backdoors & Breaches

    Segment Description:
    Backdoors & Breaches is an Incident Response card game


    Security News - 7:30-8:30PM

    Paul's Stories

    1. Your Smart Christmas Lights Are Safer Than They Were Last Year - There is hope for IoT security! (and I own these lights, and hopefully the new version...or maybe hopefully the old version so I can more easily hack my Christmas tree): The good news is that researchers at Pen Test compared tests they did on the Twinkly lights (from the manufacturer LEDWORKS) last year to the new version of the lights released for the 2019 holiday season and found most of the issues to be solved. LEDWORKS replaced the ESP8266 module with the slightly more secure ESP32, which researchers mentioned in their public research about the security of the lights last year was a better option than the one already in the product.
    2. Exploring Legacy Unix Security Issues | Liquidmatrix Security Digest
    3. Intel's SGX coughs up crypto keys when scientists tweak CPU voltage - 'By subtly increasing or decreasing the current delivered to a CPU—operations known as "overvolting" and "undervolting"—a team of scientists has figured out how to induce SGX faults that leak cryptographic keys, break integrity assurances, and potentially induce memory errors that could be used in other types of attacks. The breakthrough leading to these attacks was the scientists' ability to use previous research into the undocumented model-specific register inside the x86 instruction set to abuse the dynamic voltage scaling interface that controls the amount of voltage used by a CPU.' Also noteworthy is surgically controlling the voltage in a way that introduces specific types of attacks.
    4. Russian police raid NGINX Moscow office | ZDNet
    5. Reusing Cookies
    6. Consumers not willing to compromise when it comes to IoT security - Help Net Security - It's one thing to say in a survey that you care about the security of your IoT devices, but another when you are actually shopping and realize that a device with the same functionality can be purchased for 75% cheaper than the "secure" one.
    7. AirDoS: Hackers Can Block iPhones, iPads Via AirDrop Attack | SecurityWeek.Com - Annoying: Bagaria discovered that an attacker can use the AirDoS attack to “infinitely spam” all nearby iPhones and iPads with an AirDrop popup. The dialog box will keep appearing on the screen regardless of how many times the user presses the Accept or Decline buttons. The attack will continue even after the user locks and unlocks the device.
    8. Shenzhen's Homegrown Cyborg
    9. How Hackers Are Breaking Into Ring Cameras - Enable two-factor, this is just a password spraying/guessing attack. The tools being traded and sold also sound really lame (and probably have backdoors put in by the authors).
    10. Bloomberg accidentally created an Alexa Fleshlight and oh my gawd - Okay, relax everyone, it's an ear. That's the, er, uh, wrong security hole?
    11. 4 Steps to Communicate Anything Clearly, According to a Scientist Who Teaches Quantum Physics to Kids - I love 1, 2 and 4. #3 would not fly for most audiences we present to, but again depends on the audience.
    12. InfoSec Handlers Diary Blog - Integrating Pi-hole Logs in ELK with Logstash - I mean, because, why not? This is really great.
    13. New PyXie Python RAT targets multiple industries
    14. Use Hash-Identifier to Determine Hash Types for Password Cracking
    15. 20 VPS providers to shut down on Monday, giving customers two days to save their data | ZDNet
    16. Scientists Crack Longest, Most Complex Encryption Key Ever

    Larry's Stories

    1. Unsafe Path access auditing with PathAuditor
    2. How to test employee cyber competence through pen-testing
    3. Senate Judiciary committee interrogates Apple, Facebook about crypto - OMG this is turning into a shit show...
    4. DroneSploit - A Metasploit-like interface for a collection of Drone exploits.

    Jeff's Stories

    1. Lessons from the NSA: Know Your Assets - Should be "Lessons from NSA: Know Your Assets" :-)
    2. Windows Security review: There are better options, but not for the 'price'
    3. Cyber Security: Revisiting the Questions the Board Should Ask
    4. Cyber Attack Halts Radiation Treatment By Oahu Cancer Center
    5. 2019 in review: data breaches, GDPR’s teeth, malicious apps, malvertising and more

    Lee's Stories

    1. Reveton ransomware schemer stripped of six years of freedom, £270,000, and Rolex - This was malvertising which loaded fake ransomware that tricked users into making payments via older techniques rather than actually encrypting files. The prosecution estimates he collected closer to £720,000; the court has given him 3 months to collect the fine, or face two years in jail with the fine still standing.
    2. Mobile devices blur work and personal privacy increasing Cyber Risks - BYOD encapsulates the problem, but this applies to COPE and even personal devices in the workspace. Consider OPSEC - data capture, employee location discovery, business conversations in insecure locations.
    3. These Kids' smartwatches have problems as simple as 123 - Duiwoim, Jsbaby, and Smarturtle smartwatches being sold on Amazon could be exploited by attackers to eavesdrop on and track children. Same default password (1213456); Amazon hasn't decided to pull them. The primary difference between the watch models is the box.
    4. Web-hosting firm 1&1 hit by almost €10 million GDPR fine over poor security at call centre - Largest GDPR fine so far. Fine being appealed, security approved, initially too easy to obtain other customer data.
    5. iPR Software Exposed Thousands via a Humongous Corporate Data Leak - Marketing firm iPR Software exposed thousands of customer records for a month through a protected S3 bucket. Organizations affected include General Electric, Dunkin Donuts, CenturyLink, Xerox, Nasdaq, California Courts and Mercury Public Affairs. Bucket open 10/15-11/26/19.
    6. FBI assesses Russian apps may be counterintelligence threat - Particular concerns over FaceApp and Russian laws which permit government access to device and user data.
    7. Apple Releases multiple updates - Updates for iOS, WatchOS, tvOS, MacOS, Safari and XCode released.

    Tyler's Stories

