Sep 18, 2012
Show Notes: http://securityweekly.com/wiki/index.php/Episode301
Answers to Allison's Puzzle Contest, Paul's Stories:
100,000 Vulnerabilities - Security vulnerabilities measured in numbers are sometimes a scary thing. At some level you can prove strength or weakness in numbers. If you count vulnerabilities, for better or worse, how are you qualifying them? Severity? Exploitability? Ubiquity? All those things, and more, can impact your view on the matter; in fact they can make it matter, or not. The point being, try not to play the numbers game. There is a "shit ton" of vulnerabilities out there, and what we do to prevent them from happening in the first place and how we deal with them in the real world is what matters.
Schneier on Security: CSOs/CISOs Wanted: Cloud Security Questions - This is one topic which we did not debate, that is the cloud. I think, like security vs. obscurity, it's a simple solution on the surface. For example, if you care about your data, don't store it in the cloud. Similarly, if you care about the security of anything, don't just obscure it, secure it. Wow, that sounds even cheesier than I thought.
Secret account in mission-critical router opens power plants to tampering | Ars Technica - This speaks to the continued lack of awareness in device manufacturers when it comes to security. I'm baffled that they have not solved the problem. The common problems they have, such as easily exploitable vulnerabilities, are easy to fix. It requires two things: awareness training for developers and QA (a la Rugged/DevOps) and regular security assessments. In the grand scheme of things, it doesn't cost all that much. In the end, you produce a better product. Hopefully the market has changed, and customers value security as one component of a great product. Or maybe I live in a dream world...
The Social-Engineer Toolkit (SET) v3.7 Street Cred has been released - Java 0-Day is in SET. Coupled with the other Java payloads, this ensures your phishing success. On the defense side, I disagree with everyone saying "Disable Java" or "Disable Flash". There are going to be users that require this technology. Those are the users we will target. Sure, it reduces your attack surface, and that does help. But I believe where people miss the boat is just how deep "security" needs to go. It's more than layers. It's more than awareness and technology. It's about doing all sorts of things to keep your organization resilient to attacks, and having a plan to deal with successful attacks and minimize damage.
Cracking Story - How I Cracked Over 122 Million SHA1 and MD5 Hashed Passwords (Thireus' Bl0g) - Nice crack...ing.
BYOD creates generation of workaholics - Saying that BYOD adds 20 hours to your work week is ridiculous. How much work can you really get done on your smartphone? If you're spending that much time in email or some such thing, you need to re-evaluate your strategy. Devices and technology should make you more productive, or you're doing it wrong. However, it does increase the threat landscape.
3 security mistakes your management is making now - I have to say, and this usually never happens, I agree with Roger, at least on the first point of testing vendor products. I think a lot of people get this wrong. It goes deeper than what Roger stated. Sure, you should test out products before you buy them, and even use them on real production networks. Also, you have to understand your problems, develop requirements, and research the right way to test, install and configure the said products. Many don't do this and end up with the wrong products for the wrong reasons. Along these lines, products that work for others may not work for you, so don't put too much stake in what works for others. I also agree that priorities couldn't be more wrong. Attackers are successfully phishing you, so let's buy an IPS and firewall. WTF? The whole thing about "drift" is a bit puzzling, but I think it just needs better clarification. Configuration management is important. The first thing most do wrong is never define a secure configuration. If you've made it that far, most don't do much to keep the systems in a secure state. The toughest organizations to break into are ones that have a secure config and work to keep systems that way.
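The "define a secure configuration, then keep systems in that state" point above is the whole of what a drift check does. The following is an added example, not code from the show notes or from the article being discussed: a small checker that parses an sshd_config-style file, compares it against a defined baseline, and reports every setting that has drifted. The BASELINE values and SAMPLE_CONFIG text are constructed for illustration, and the sshd keyword names are the real ones; everything else is an assumption of this example.

```python
"""Detect configuration drift against a defined secure baseline.

Added example, not from the Security Weekly show notes. The baseline and
the sampled config text are constructed; the file format is the plain
"Keyword value" style used by sshd_config.
"""

# Constructed secure baseline: the state the system is supposed to stay in.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Constructed sample of a live config that has drifted from the baseline:
# root login re-enabled, MaxAuthTries loosened, X11Forwarding line removed.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
"""


def parse_config(text):
    """Parse 'Keyword value' lines; ignore blanks and comments.

    Keywords are stored lowercased because sshd treats them
    case-insensitively. If a keyword repeats, the last occurrence wins here;
    note that sshd itself honours the first occurrence, so a real checker
    should flag duplicates rather than silently pick one.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword with no value: nothing to compare
        key, value = parts
        settings[key.lower()] = value.strip()
    return settings


def find_drift(baseline, current):
    """Return sorted (key, expected, actual) tuples for every deviation.

    A baseline key missing from the live config is reported with
    actual=None: an absent setting falls back to the daemon default, which
    is not the same as being in the defined secure state.
    """
    findings = []
    for key, expected in baseline.items():
        actual = current.get(key.lower())
        if actual != expected:
            findings.append((key, expected, actual))
    return sorted(findings)


def drift_report(baseline, config_text):
    """Convenience wrapper: parse the config text and diff it."""
    return find_drift(baseline, parse_config(config_text))


if __name__ == "__main__":
    findings = drift_report(BASELINE, SAMPLE_CONFIG)
    for key, expected, actual in findings:
        print(f"DRIFT {key}: expected {expected!r}, found {actual!r}")
    if not findings:
        print("no drift from baseline")
```

Run against a real file by reading its contents into `drift_report` instead of SAMPLE_CONFIG; the useful output is the findings list, which a cron job or a config-management run can turn into a ticket or a re-apply of the baseline.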
How to Use PyDbg as a Powerful Multitasking Debugger (papers) - Love the Python debugger, just sayin'.