Episode252

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security


Announcements

PaulDotCom Security Weekly - Episode 252 for Thursday July 21st, 2011.

  • Los episodios de PaulDotCom Espanol con Julio Canto, Lorenzo Martinez, Chema Alonso y Ruben Santamarta esta disponible aqui. Tenemos mas entrevistas en las semanas que vienen....
  • Sign up for Blackhat Training Courses:
    • PaulDotCom Blackhat Training Sign up for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!

Episode Media

MP3

Interview: Matt Yoder

Matt is a lover of fine pens and paper, and a pencrafter. He has also spent time, in multiple stints, performing direct security consulting, including assessment and auditing, security systems support, and firewall deployment. He currently spends his days, and earns something resembling an income, assisting with server administration for a major University in the midwest, which prefers to go unnamed.

7:30 PM

  1. How did you get your start in information security?
  2. Tell us about your Death Envelope research and Death Envelope website
  3. Do you think you have a different take on security due to your work at a University?
  4. Any good university incidents you can share?
  5. Tell us about your past work with B-Sides Las Vegas. What was the 1st B-Sides LV like?

Matt on twitter

Stories For Discussion

Media

Watch the live video version of this segment above. For more videos and to subscribe to PaulDotCom TV visit http://pauldotcom.blip.tv

Paul's Stories

  1. Is Your Voicemail Wide Open? - if you haven't changed your PIN number, you should think about it. We've talked about this problem in the past, as it turns out none of the major providers have fixed it. AT&T, Sprint and T-Mobile all do not require subscribers to force entry of a PIN number to access voice mail. Of course, if they did, people would just assign 1234 as the PIN... Or better yet, how about not allowing spoofed caller-id to access your voicemail systems? A little help here? The real problem is there is 0 financial incentive for providers to make voicemail insecure, until their own C-level excutives get pwned, wait, don't take that as a suggestion..il.
  2. The Rise Of Security Monkeys - As much as possible we need to automate security testing. I know this always starts a flame war, however with the complexity of networks growing, espcially with virtualization, its more important. Example, Netflix released their network management approaches, and its a sharp contrast to the way we've managed in the past. In the past, its been a "OMG don't touch it, you might break it". Well, if you can break it, there's something that needs to be fixed, and if you don't know what's broken, how can you fix it? Netflix even goes so far as to take down portions of the network and see how it reacts. Now, as Mortman says, careful with live ammo. But this is how I always wanted to manage a network. In a controlled environment test performance, reliability, and security. Then, fix the problems you find. If you have fail-over, force it to fail over. Scan the network constantly, if stuff crashes or has vulnerabilities, fix them. Its almost as if we need a QA department within every IT department to test it on a regular basis and track the fixes. Better you find the weaknesses than wait for an attacker or "network anomoly" to find it for you, then go into "firefighting mode" and try to fix it with management breathing down your neck.
  3. Rental Laptops - We can SEE you - So, if you rent a laptop, unbeknownst to you, the webcam is used to spy on you. Not cool, as a couple found out. Apparently they didn't want to be webcam superstars. But wait, why would you want to rent a laptop? You can get laptops for a few hundred dollars, and be in control of your own webcam shows. Also, always tape over the camera on your laptop if you are paranoid. This is going to get interesting, will privacy erode to reveal what we are all doing in the "privacy" of our own homes?
  4. Serial virus writer jailed for orange cartoon octopus malware - I just had to mention this: "28-year-old Masato Nakatsuji wrote malware known locally as "ika-tako" (squid-octopus) which spread via the Winny peer-to-peer file-sharing network in May to July last year, changing replacing affected files with an image of an orange cartoon octopus." Bonus: He wrote the virus while on probation. Nice.
  5. Stroke development versus not drowning - No, this is not a porn story. When teaching people how to swim they reach a point where they are just going to be better swimmers, because, well, they know how to float and swim "good enough". We do the same thing in IT security, we get the network to a point where its "good enough", incidents are down, or so we believe, and management is leaving us alone. We progress to high levels of angry birds and have office LAN parties, but we should be striving for better. What's the next big thing we will have to secure? This cycle needs to be broken. Never stop trying to grow the business and keep it secure, if you do, then an incident happens, then you have all these big projects. Slow and steady wins the race.
  6. Is there a hacking epidemic? - Groups hacking into organizations is not new, the press if just covering it! I totally agree, attackers are always doing their thing, but its just the in thing to to in the media to cover the big hacks. Information flows so freely now, its hard not to catch wind of a major breach. Attackers were after targets as early as "The Cuckoos Egg"....
  7. Hackers Shift Attacks to Small Firms - "Unbeknownst to owner Joe Angelastri, cyber thieves planted a software program on the cash registers at his two Chicago-area magazine shops that sent customer credit-card numbers to Russia. MasterCard Inc. demanded an investigation, at Mr. Angelastri's expense, and the whole ordeal left him out about $22,000." Similar to the trend of "smaller botnets" this makes sense with small businesses. Its so easy for small businesses to get online and become credit card merchants, and they are so easy to hack as they lack andy form of an IT department, let alone a security program, or monitoring.