We had two special guests on the show, Kevin Amorin from Harvard and co-developer of PacketFence, and Martin Mckeay of the Network Security Podcast.
This episode was also broadcast over SkypeCast, so look for us each week when we record. It will also be announced in our IRC chatroom #Security Weekly on Freenode (irc.freenode.net).
Live from the Paul's Security Weekly Studio....
In this first part of Episode 150 we crack the keg, introduce the show, and do a short interview with Lenny Zeltser:
"Much of security advice under the "best practices" umbrella seems to assume that the company is interested in having strong security or in being a high performer of IT/security practices. Yet, most companies (e.g. SMBs) don't care about high performance: they just want to survive and conduct business and to have security that's just good enough. So, what advice should we offer to companies who will never be proactive about security, who will never implement defense-in-depth, and who maybe don't need to worry about these issues? That's why I've been creating one-page cheat-sheets to assist companies who haven't prepared, yet are stuck in a tough spot."
Andrew Case discusses de-anonymizing Live CDs using memory analysis.
Then, better than last week, we have security news from the week, only half drunk... Larry is sick at home but at least he has Skype.
Episode 241 Direct Audio Download
All the Paul's Security Weekly episodes on our Bliptv archives.
In Part 1 we interview Timothy "Thor" Mullen. As Johnny Long says: "Most recognize Thor as the Norse god of thunder with massive powers of destruction. Few realize that he was also the god of restoration. Likewise, his namesake, Timothy "Thor" Mullen, has spent his entire adult life both destroying and restoring Microsoft-based security systems. Thor's Microsoft Security Bible conveys the wisdom and expertise of the industry legend that has defined the bleeding edge of Microsoft security for over twenty years. I highly recommend this book."
Episode 255 Part 1 Direct Audio Download
Episode Hosts:
Tune in to Paul's Security Weekly TV episodes on our Bliptv channel.
Live from the Security Weekly outdoor studios, Paul, Darren, Ian, and Carlos are joined by "Thor", Martin Mckeay, and Josh Corman! What a line-up! We talk passwords, PCI, things most people do wrong when it comes to security, and more!
Episode 255 Part 2 Direct Audio Download
Building Your Own pfSense Wireless Access Point:
Use off-the-shelf parts and open source software to build your very own robust access point!
Drunken Security News Weekly - #273:
The latest in the security world, from the drunken people you trust!
Episode 273 - Part 1 - Direct Audio Download
Episode 273 - Part 2 - Direct Audio Download
Dave Kennedy and SET - The Social Engineering Toolkit (And Derbycon stuff):
Dave gives the best man-hugs.
Drunken Security News Weekly - #274:
The latest in the security world, from the drunken people you trust!
Tune in to Paul's Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our Bliptv channel.
Jon "maddog" Hall - Linux, Open-Source, Beer
Drunken Security News Weekly - #276:
Tune in to Paul's Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.
Adam Shostack Interview:
Drunken Security News Weekly #277:
Episode 277 - Direct Audio Download (mp3)
Jeremiah Grossman Interview:
Video coming soon...
Drunken Security News Weekly #278:
Video coming soon...
Episode 278 - Direct Audio Download (mp3)
Martin Bos Interview:
Password Auditing with Nessus & Metasploit:
Drunken Security News #284:
Nick Farr Interview:
Drunken Security News #285:
Drunken Security News #286:
Paul's Stories
A Guide To Network Vulnerability Management - Dark Reading - If you want the "training wheels" approach to vulnerability management, then you should read this article. However, the problem goes so much deeper, and this article doesn't even know what tool to use in order to scratch the surface. Sure, you gotta know what services are running on your systems, but it goes so much deeper than that. Environments, threats, systems and people all change, so how do you keep up? How do you really find, and more importantly fix, the vulnerabilities in your environment?
Old Operating Systems Die Harder - Dark Reading - Okay, here is where you could make a lot of money. Create a company that can actually provide some real security to legacy operating systems. So many of our defenses fail if there is a vulnerability that doesn't have a patch. You can implement some security, but it doesn't really solve the true problem. Once an attacker is able to access the system, it's game over. Unless there is something that can really solve the problem, even thwart the exploit and/or shellcode. Technologies exist, but back-porting to legacy systems is not often done. And this is where we need the help.
Microsoft Disrupts "Nitol" Botnet in Piracy Sweep - Microsoft takes down another botnet. Why is this news? Not so sure, as this should be the rule rather than the exception.
Blackhole Exploit Kit updates to 2.0 - Check this out, attackers are implementing security! This exploit kit now sports: dynamic URL generation, so there is no longer a standard URL pattern that could be used to identify the kit; IP blocking at the executable URL, so that AV companies can't just download your binary (this is meant to slow down AV detection); use of a CAPTCHA in the admin panel login page, to prevent brute forcing unauthorized access. If only legit defenders did all that, well, except for the CAPTCHA, which is useless.
Domino's Pizza says website hacked - One of the most useful things the Internet has ever given birth to, aside from access to free porn, is the ability to order pizza online. So back off! Oh, then there is this: "This is a very unfortunate event which has happened despite the security ecosystem that we have created around our online assets." Some security "ecosystem" you got there.
More SSL trouble - SSL is broken, again, Drink!
Apple unveils redesigned iPhone 5 with 4-inch display - I did not see any mention of improved security, but what a sexy device. Wireless now supports dual band n, which is awesome.
Google helps close 163 security vulnerabilities in iTunes - iTunes is a beast, I use it all the time and, well, at the end of the day it's kind of a resource pig, but gets the job done. However, it's pretty crappy software, tons of vulnerabilities, and new ones found by Google! Webkit was to blame for many...
Antivirus programs often poorly configured - New study finds AV is not configured correctly. No huge surprises there... Do we need to make it easier to configure, or are people just lazy, or both?
Larry's Stories
Who's your GoDaddy - [Larry] - Yup, GoDaddy DNS was down for the count. This included their own authoritative DNS as well as that for the hosted stuff. Of course, now folks are talking about DoS against root name servers, and OMG the sky is falling. Of course, a single Anonymous member took credit, and GoDaddy said something along the lines of "Ooops, we tripped on a cable and corrupted our routing tables". Who do you believe... In other notes, a leaf fell from a tree and an individual member from Anonymous took credit.
What happens when your encryption is EOL-ed - [Larry] - Victorinox (the Swiss Army folks) are offering full refunds if you return the secure USB thumb drives. Why? As of September 15th the certificate will expire, and they have no intention of renewing and are stopping support for the software. If you don't get your data out of the encrypted volume before then, you'll allegedly lose it. So, what happens when we have something else like this that is significantly more mission critical, where we have significant investment and no upgrade path? Choose wisely.
Judge rules WiFi Sniffing Legal - [Larry] - Basically it boils down to this: if you have an open network and the data is in the clear, you should be able to sniff it. Don't want someone to sniff it? Encrypt it - and yes, WEP would be sufficient for the word of law here. So, why did the judge rule this way? Wireless is a shared medium. If you are not allowed to sniff traffic that is not destined to you, then how are you able to determine that the traffic on said network is destined for you? Ruling against it would make all WiFi networks illegal, just by nature of the technology.
ACTUAL Stego in the wild for "legitimate purpose" - [Larry] - I just put this story in for Darren to bust John's stones. But, it appears that Blizzard has been embedding information about the user via steganography into screenshots taken by the WoW clients.
Jack's Ruminations
Half of all Androids have Vulns? Also, water is wet. I'm surprised at this, I would have expected much higher. Android phones are at the mercy of their carriers for updates. And carriers are not noted for their mercy.
Chip and Pin, er, PWN - Chip and PIN research shows that this is a bandage for the fundamentally obsolete and insecure payment card systems. The EMV protocol has crypto issues, as in "programmers may not be using cryptographic random number generator algorithms to create UNs, and instead may be using counters, timestamps or homegrown algorithms that are not so random."
New FBI Facial Recognition program - what could possibly go wrong? From the article: "nabbing crooks after a crime is only part of the appeal. The technology also foreshadows upcoming security enhancements that will stop many offenses before they start". That "before they start" bit sounds pretty damned scary to me.
Guest Tech Segment: Charlie Eriksen on Wordpress plugin security
In this technical segment, we will look at Charlie Eriksen's research into Wordpress plugin security. By searching large volumes of plugin source code for patterns that are frequently written insecurely, it is possible to find a large number of vulnerabilities in plugins running on thousands of Wordpress sites across the internet.
Stories
How Your #Naked Pictures Ended Up on the Internet
The Security-Conscious Uncle - Yea, I'm talking about ATM card security. After reading this, and hearing my thoughts and views on debit cards, I want to keep my money in my own safe. Banks make it so hard to keep your money secure. I don't want a debit card, it's a ridiculous concept that only benefits the bank. I want more than a 4-digit PIN number too. My best advice is to only tie your ATM card to an account with a small amount of cash to limit damages, if your bank even allows you to do that.
No homecoming queen vote if you don't wear RFID tag? - I'm sorry, I don't want to wear an RFID tag. Tracking students has gotten way out of control. I proved how you can clone RFID tags in a MA CCDC competition. So, students, if you want a lesson on how to become any one of your classmates, please come find me.
Hacker wins $60 - Don't get me wrong, I think this is a good thing. The more we encourage legit folks to find vulnerabilities, the better.
Firefox 16 pulled offline following security flaw find - Firefox is becoming the new IE!
Mobile Brings a New Dimension to the Enterprise Risk Equation - I think I've solved the BYOD problem: just buy all employees brand new iPhone 5s, manage them with an MDM (like Apple Profile Manager) and everyone is happy. I think this comes down to giving the people what they want.
Reporting Mistakes - I agree that we need to be forthcoming about where security has failed. I don't get it. First, talking about the exact way to exploit an 0day makes it easier for more people to exploit it. Learning of a 0day exploit, and the details, gives us a fighting chance to defend ourselves. I think there has to be some quiet time if you want to involve the vendor, then you gotta tell people. It also depends on the nature of the 0day; maybe the vendor won't listen, or maybe it's a 0day in the DNS protocol.
James Bond's Dry Erase Marker: The Hotel PenTest Pen - SpiderLabs Anterior - This is just way too super cool, best usage of Arduino and dry erase marker EVER (maybe the only usage of the two together).
HP Communities - CISO Concerns - Security vs. Usability - CISOs love to bat around terms like security, usability, compliance, affordability, ROI, etc... These are fine, in the right context, but let's not forget, you have the word security in your title, and at some level you have to prevent people from getting pwned. Sometimes I think we lose sight of that.
Craig Heffner is a Vulnerability Researcher with Tactical Network Solutions in Columbia, MD. He has 6 years' experience analyzing wireless and embedded systems and operates the devttys0 blog, which is dedicated to embedded hacking topics. He has presented at events such as Black Hat and DEF CON and teaches embedded device exploitation courses.
Have you ever jumped on a random WiFi connection and you didn't know where it was coming from? Probably. Most people have. But if you're one of Josh Wright's neighbors, or even if he's sipping coffee at the local shop, you might want to be careful about which wireless connection you're jumping on. But if you start seeing images that are out of focus or getting a page that seems about five years out of date or even end up on kittenwars.com, Josh might be the one responsible. Or at least his VM. You can get it on his site http://neighbor.willhackforsushi.com/
Josh is also working on something great for BSides Rhode Island. Check out the video below and he'll explain it. But if you hate the long lines at places like Cheesecake Factory and those stupid little buzzers that notify you when your table is ready, Josh might have some help for that. But you'll need to be at BSides RI to hear about it.
As for the stories of the week, we had a little bit of a lean week. However, jokes about Jack's balls, I mean bells, were frequent and fun. After all, it was Mardi Gras and Jack brought beads for the whole crew with the one stipulation that we had to keep our clothes on.
Did you know that on Monday, February 18 at 2 pm, Paul and John will hold a free webinar with SANS? Titled "Active Defense Harbinger Distribution - Defense is Cool Again", the guys will be talking about the new offensive security distro that was built by Black Hills Infosec's Ethan Robish and John Strand. It's free, so sign up at the link above.
As for some of the stories, we knew it was going to be a rough week when Paul showed us the 10 ways to reduce security headaches in a BYOD world and #1 was to secure your data. Ohhhhkayyy. Moving on.
Paul also played the audio from a news broadcast from out west where the zombie apocalypse has begun. It's like a modern day War of the Worlds where people were actually calling the police to see if the story was true.
Jack explained how Mega's KimDotCom (isn't it quite egotistical to just take your first name and stick "dotcom" after it? I mean, seriously) continues to show his brilliance. Where else can you get a solid, top-to-bottom pentest for only about 10,000 euros? He challenged anyone to hack his site and after a few bugs, he began paying up. Pretty smart.
One story that actually didn't get mentioned on the show but is in the show notes is a quote from Bit9 after their hack this week: "There is no easy answer to a world where there are sophisticated actors continuously targeting every company and individual and whose primary goal is to steal information, whether for profit, power or glory. This is not fear-mongering or hype--everyone in the security business knows this fact. This is the state of cybersecurity today, and we are all frustrated and angered by it." Isn't this exactly why security firms get paid? Because there are bad people out there looking to steal information? If those people didn't exist, then would Bit9 need to exist? That's biting the hand that feeds you.
That's it for this week. We'll be back next week on the usual day, Thursday, February 21 at 6 pm EST! Until then, stay calm and hack naked!
Paul's Security Weekly #329 Interview with Brad Bowers
Paul's Security Weekly #329 - Sumit Siddharth - "The Art of Exploiting Injection Flaws" - Free Amazon SOCKS Proxy to Tunnel to Freedom - Drunken Security News
Security Weekly #335 (Part 2) - Interview: Bill Stearns - Tech Segment: Phil Hagen on logstash