Security Justice – Episode 14

July 1st, 2009 Tom

This is the 14th episode of the Security Justice podcast recorded June 17th 2009 live at Mavis Winkle’s Irish Pub. This episode was hosted by Tom, Matt, Dave and Chris with special guests dotzero and much0mas. Music provided by dualCORE!  Thanks to everyone listening to the live stream and for participating in the chat via IRC.

Special Announcement: Tom and Chris from Security Justice will be at the Podcasters Meetup once again live from DEFCON 17!  Even if you won’t be at DEFCON you can listen and watch the podcast live via ustream!  The Podcasters Meetup is sponsored by SquareSpace (use coupon code “defcon” for 10% off the lifetime of your account) and Astaro.  We will post more details as we get them but check out the Podcasters Meetup website for the latest details.

Website Plug of the Month:

The new and improved Carnal0wnage blog! Chris Gates and Valsmith (Attack Research) have combined forces. Check out this awesome security and penetration testing blog!

Here are the topics covered and show notes:

• The SJ Crew get’s $2.50 + a virtual beer in sponsorship! w00t!
• dualCORE is releasing a new album!  More details coming soon…
• Interview with James Arlen (@myrcurial) went awesome!  Will be released as a special edition once Dave fixes the audio.
• Tom is speaking at DEFCON 17 with Kevin Johnson- Social Zombies: Your Friends Want To Eat Your Brains
• Matt’s super secret zombie night, DEFCON party invites and “Sushi Deployed!”
• Northeast Ohio Information Security Forum update
• SIEM Implementation: Real World Pitfalls to Watch Out For by Michael Buckwell
• WiKID Commercial Open Source Two-Factor Authentication by Matt Yonchak, Hurricane Labs
• (your monthly web2.0 security update….ha) Short URL service Cli.gs hacked and 2.2 million URLs affected
• Yes, there are dangers to short URL services! *gasp*
• Before getting into our open discussion..we recommend you listen to the IBM Fight Song.  Yeah, srsly!

Security Justice Open Discussion: Hacking the dinosaurs!  Breaking AS400, PBX/VM systems and more!

• General IBM hacking tips (If you want to go after mainframes or iSeries/AS400 you will need a TN3270 client)
  IBM Redbooks – Required resource when looking at any IBM product
• Hacking iSeries/AS400 (Commonly referred to as midrange systems.  AS/400 are NOT mainframes!)
  Good book on this called “Hacking iSeries” by Shalom Carmel and his whitepapers.
  Stankdawgs Hope5 AS/400 Talk – AS/400: Lifting the veil of obscurity.
  Be sure to check for default accounts and passwords Commonly have SMTP XPND and VRFY enabled which makes account enumeration easier.  Most have a modem attached for remote diagnostics. Sometimes can be insecure. Same thing goes for accessories such as drive arrays.
• Hacking Mainframes (often a critical system so tread lightly)
  Keep in mind a “Test” mainframe might just be an LPAR (Logical Partition) off the production system. So disruptions to the “test” system could impact production.
• General penetration testing tips
  Users manually sync passwords – If you get a users password from another system try it on the target system.
  Clear text protocols abound. MITM attacks can be your friend. Just don’t take the companies mainframe offline, they probably need that.
• PBX/VM
  Check for default usernames/passwords on voicemail and phone systems and never under estimate wardialing!
  PBX’s often run UNIX-based OS’s
  PBX’s tend to be treated as “appliances” which is a fancy way of saying “we’re not going to patch it”
• TANDEM Security
• Crusty UNIX
  Older AIX versions use crypt() for password hashing, and only support 8 character unsalted passwords.  It will let users set longer passwords, it just only uses the first 8 chars!
  Telnet, rhosts, rlogin, rsh are all commonplace on older big iron UNIX
  Clustered UNIX boxes work by allowing password-less root login between each cluster member.  This can happen over SSH, but often happens over telnet, rsh, rlogin, etc.  Some vendors even still reccomend this!  Own one box, own them all.  Even better, spoof one of the hosts (easy for rtools) and you have root.
• HVAC Systems
  Some connected via modem, others on the network.  Default credentials almost guaranteed bacause they are usually set up by non-security aware HVAC mechanics.  Newer web based management consoles give you full control of the HVAC system.  Use caution when pentesting HVAC systems as messing with these can cause human safety issues!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

 

 Security Justice - Episode 14 [1:09:38m]: Play Now | Play in Popup | Download (244)

Posted in Podcast Episodes | No Comments »

Security Justice – Episode 13

June 5th, 2009 Tom

This is the 13th episode of the Security Justice podcast recorded May 20th 2009 live at Mavis Winkle’s Irish Pub! This episode was hosted by Tom, Dave and Chris with special guest The Security Shoggoth! Music provided by dualCORE!  Thanks to everyone listening to the live stream and for participating in the chat via IRC.

Website Plug of the Month: Liquidmatrix Security Digest is a fantastic security blog/news site.  Created by Dave Lewis (@gattaca) with guest posts by James Arlen (@myrcurial, creator of the term “cyberdouchery“) , Security Intern (@Securityintern), Matt Johansen (@mattj) and Zach Lanier (@quine).

Here are the topics covered during the podcast and show notes:

• Notacon 6 recap!
• Become our fan on Facebook…it’s a real Facebook page, not designed to pwn you.  We promise!
• Northeast Ohio Information Security Forum update
• New School Man-in-the-Middle
• Finding and detecting Malicious PDF’s. Tyler’s Snort signature. Didier Steven’s fantastic PDF analysis tools.
• Your deleted Tweets are not deleted
• Interview FAIL – You never know who is watching or listening!
• Chris’ adventure with his Dell Mini9
• Census GPS-tagging your home’s front door
• Security Justice Open Discussion(s): Security certifications/training, Microsoft pirated software..not helping the patching problem?  Interesting Apple Mac discussion…Apple security research, patches, iPhone presenter FAIL and more!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

 

 Security Justice - Episode 13 [54:09m]: Play Now | Play in Popup | Download (815)

Posted in Podcast Episodes | No Comments »

Security Justice Special Edition – Hacking your Car with OpenOtto

May 12th, 2009 Tom

In this special edition of Security Justice Dave, Tom and Chris interview Tiffany Rad who is one of the co-founders of the OpenOtto project.  The goal of the OpenOtto Project is to provide complete free and open access to the networked electronic devices in an automobile.  Yes, you can turn your car into a car like Knight Rider (without David Hasselhoff…sorry ladies), create your own “OnStar” and even improve your gas mileage!  Here is a short summary of OpenOtto from Tiffany’s blog:

“You don’t have to be David Hasselhoff in Knight Rider to have your car talk to you. OpenOtto is a platform for developing vehicle aware products for the consumer and industrial markets. While it will not ask you how you’re doing this evening, most people don’t realize how much information your car’s computer can tell you. OpenOtto consists of a hardware interface to your car’s OBD II connector as well as an extensible software platform for communicating with all networked electronic devices in the car. Designed for flexibility and scalability, it is easily expandable to future vehicle capabilities.”

Tiffany Rad is president of ELCnetworks, LLC., a technology and business development consulting firm and is also a part-time professor in the computer science department at the University of Southern Maine teaching computer law and ethics.

You can find out more about the OpenOtto project via Tiffany’s blog and the official OpenOtto web site.  Thanks again to Tiffany for being a guest on our show.  Please send show feedback to feedback[aT]securityjustice.com or comment below.

 

 Security Justice Special Edition - Hacking your Car with OpenOtto [46:17m]: Play Now | Play in Popup | Download (975)

Posted in Podcast Special Editions | 1 Comment »

Security Justice – Episode 12

May 3rd, 2009 Tom

This is the 12th episode of the Security Justice podcast recorded April 15th 2009 live at Mavis Winkle’s Irish Pub! This episode was hosted by Tom, Dave and Chris with special guests Dave Kennedy (ReL1K).  Music provided by dualCORE!  This was our one year anniversary episode!! Thanks to everyone listening to the live stream and for participating in the chat via IRC.

Website Plug of the Month: Check out a new security podcast called Exotic Liability.  Hosts are Chris Nickerson, Ryan Jones and DJ Jackalope.  You may remember Chris and Ryan from the Tiger Team TV show.  We actually did a special edition podcast with Chris last year.  Good stuff…be sure to check it out!

Here are the topics covered during the podcast and show notes:

• June 22-26 ISC2 will be in Cleveland, Ohio offering a CISSP Bootcamp at Corporate College East.  Registration info is here.
• Speaker Recap – NEO Infosec Forum
• Buffer Overflows – It’s not as hard as you think by David Kennedy, SecureState
• Want to take an awesome class on writing exploits?  Check out the Cracking the Perimeter course offered by Offensive Security.
• Karmetasploit and Jasager – by Matt Neely, SecureState
• Verizon 2009 Data Breach Report Released
• Twitter StalkDaily Worm Postmortem
• Targeted Blackhat SEO Attack against Ford Motor Co.
• Security Justice Open Discussion: Pentesting…Over Hyped? (New idea we are trying…15-20 minutes of open discussion on one hot topic in the security community.  Bitching, complaining, rants and more…anything goes!) Have a suggestion for the Security Justice Open Discussion?  Comment here or send it to us via email!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

 

 Security Justice - Episode 12: Play Now | Play in Popup | Download (823)

Posted in Podcast Episodes | No Comments »

Some great speakers and events not to miss @Notacon 6!

April 14th, 2009 Tom

It’s almost here!  Notacon 6 starts this Thursday at 7pm with a special free preview of the conference!  Some of the speakers will be there giving some information about their talks and be sure to stick around for Jason Scott from textfiles.com around 9pm.

Security Justice will be at Notacon this year in full effect!  Almost the entire podcast crew is speaking or volunteering (Matt, Tom, Dave and Chris) at Notacon this year.  Here is a schedule of where you can find us as well as some other talks we recommend you attend given by some of the friends of the show:

Friday, April 17th
Noon (West Ballroom)
Injection Rejection, or How I Learned To Stop Worrying and Love Bobby Tables – Mark W. Schumann (catfood)

2pm (East Ballroom)
Time To Replicate The Real Threat: Client Side Penetration Testing- Chis Gates (CG) & g0ne

3pm (East Ballroom)
Fast-Track: Advanced penetration techniques made easy – Dave Kennedy (ReL1K)

7:30pm (East Ballroom)
Notacon Mythbusters: Is Personal Data Stored on Hotel Keys? Using Magstripe Analysis Tools to Discover the Answer – Matt Neely (Zamboni)

Saturday, April 18th
Noon (East Ballroom)
The State of Apple Security – Chris Clymer

1pm (East Ballroom)
From a Black Hat to a Black Suit – The Econopocalypse Now Edition – James Arlen (Myrcurial)

5pm (East Ballroom)
The Rise of the Autobots: Into the Underground of Social Network Bots – Tom Eston (agen0×0)

6pm (West Ballroom)
Building, Securing, and Living With Game Servers – Bruce Potter

Security Justice Live on Notacon Radio
We should be recording special interviews and also will be live on Notacon Radio this year!  Follow us on twitter or check out our site for updates on when we will be live.

Lock Picking Village
Bring your picks and your lock picking skillz to Notacon this year at the Lock Picking Village presented by the Fraternal Order of Locksport (FOOLS).  Gringo Warrior will also be taking place!

DualCORE Live Saturday @9pm
Our friends and podcast sponsors DualCORE will also be performing live at Notacon starting at 9pm on Saturday night.  They always rock the house!  Don’t miss it!

These are just a few of the highlights of Notacon…but there is so much more!  For more details on the full line up of speakers and events check out the Notacon web site.  If you are not registered you can get a ticket at the door.  Listen live on Hak5Radio tomorrow night at 9pm EST (4/15) for special details about some of the talks and where you can find Security Justice at Notacon.  Hope to see you there!

Posted in Security Justice News | No Comments »

Live Recording Notice – Episode 12

April 14th, 2009 Tom

We will be recording Security Justice Episode 12 and will stream live at Mavis Winkle’s Irish Pub (Independence location) this Wednesday, April 15th beginning around 9pm EST right after the Northeast Ohio Information Security Forum meeting.  We will have Notacon updates as well as Dave Kennedy (ReLiK) joining us once again for your listening pleasure!

Listen to the podcast live on Hak5radio.com and chat with us on IRC at irc.freenode.net #securityjustice or follow us on Twitter during the podcast.  IRC n00b? Follow this guide to get started.  We should be live around 9PM EST.

Join us for security talk, beer and audience participation! Thanks for listening and supporting the Cleveland security community!

Posted in Podcast Announcements | No Comments »

Security Justice – Episode 11

March 27th, 2009 Tom

This is the eleventh episode of the Security Justice podcast recorded March 18th 2009 live at Mavis Winkle’s Irish Pub! This episode was hosted by Tom, Matt, Dave and Chris with special guests Dave Kennedy (ReLiK), Dotzero, Froggy, Tiger, Jeremy (Notacon) and Mark W. Schumann.  Music provided by dualCORE!  Thanks to everyone listening to the live stream and for participating in the chat via IRC.

Website Plug of the Month: DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, and with the move to Open Security Foundation’s DataLossDB.org, asks for contributions of new incidents and new data for existing incidents.

Local in the Cleveland area and looking for Web Application Security training? Check out the great course by Dave Kennedy of SecureState offered at Corporate College East!

Here are the topics covered during the podcast and show notes:

• Speaker Recap – NEO InfoSec Forum
  Coding For Security by Mark W. Schumann, Top 10 Security Breaches of 2008 by Tom
• HD Moore Releases WarVOX Telephonic Security Research Tool
• Rogue Wireless Gets Sneakier
• How to get free wireless in airports and hotels IP-over-DNS or IP-over-ICMP
• The Interceptor released by @digininja
  The Interceptor is a wireless wired network tap. Basically, a network tap is a way to listen in to network traffic as it flows past.
• Diebold malware
• Breaches of the month!
• djbdns pays out
• Security Metrics
• Infragard update
• Chris talks about the Mac Hackers Handbook
• Notacon interview with Froggy!  Don’t forget about Notacon 6!  Chris, Tom and Matt are all speaking!  Security Justice will also be doing a bunch of live stuff with Notacon radio this year.
• Torrent Search – Bit Che searches 60 popular torrent sites
• NSA offering ‘billions’ for Skype eavesdrop solution
• BlueScanner – Bluetooth Scanner for Blackberry Storm
• Mormons demand ICANN plugs net smut hole? what? srsly?
• iWobble for iPhone (possibly NSFW).  Yeah, lots of possibilities…
• iPhone vs. Blackberry Storm. iPhone wins.
• Destroying mobile phones with liquid..even a 1990 Motorola StarTac!
• Dave Kennedy can drink beer…fast.  Really fast!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

 

 Security Justice - Episode 11 [58:44m]: Play Now | Play in Popup | Download (1095)

Posted in Podcast Episodes | No Comments »

Security Justice – Episode 10

February 28th, 2009 Tom

This is the tenth episode of the Security Justice podcast recorded February 18th 2009 live at Mavis Winkle’s Irish Pub! This episode was hosted by Tom, Matt, Dave and Chris with special guests Chris Mills from Securabit, Dan, Steve(s) and many other locals.  Music provided by dualCORE!  Sorry for some of the Skype quality issues.  Thanks to everyone listening to the live stream and for participating in the chat via IRC.

Website Plug(s) of the Month: A local Cleveland startup called iGuiders is looking for beta testers that work in Information Security!  The Information Security Guider is live and ready to be tested.  Check out the the iGuiders website and watch a quick tutorial on what this Guider is all about.  Your feedback is requested!

Local in the Cleveland area and looking for Web Application Security training?  Check out the great course by Dave Kennedy of SecureState offered at Corporate College East!

Here are the topics covered during the podcast and show notes:

• Notacon 6!  Chris, Tom and Matt are all speaking!  Security Justice will also be doing a bunch of live stuff with Notacon radio this year.
• Shmoocon update! Matt and Tom talk about some of the great talks.  Chris knows how to “brute force” high security locks.  Tom talks about roaches.  Yum!  Don’t eat at Trattoria across the street from the Wardman Park Marriott.  Seriously.
• We posted pictures and videos from Shmoocon.  Hey…where is the hackerspace in Cleveland?  The one that HacDC has is really impressive.
• Reminder: Don’t use hotel kiosks or ATM’s in the hotel during a hacker conference.
• Some updates from the NEO InfoSec Forum February meeting.
• phpbb hacked via third party application.  Don’t forget about third-party apps installed on a web server!
• The Middler is released!
• JanusPA Hardware Privacy Adapter now available.  Check out the JanusVM…route your traffic through Tor/Privoxy in a VM…sweet!
• Chris gives the fastest news update…ever.
• Backtrack 4 released.  Check out this guide to install it on a USB drive with persistent changes.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

 

 Security Justice - Episode 10 [44:27m]: Play Now | Play in Popup | Download (1021)

Posted in Podcast Episodes | 2 Comments »

Live Recording Notice – Episode 10

February 17th, 2009 Tom

We will be recording Security Justice Episode 10 and “attempting” to stream live at Mavis Winkle’s Irish Pub (Independence location) this Wednesday, February 18th beginning around 9pm EST right after the Northeast Ohio Information Security Forum meeting.

Listen to the podcast live on Hak5radio.com (note the new link) and chat with us on IRC at irc.freenode.net #securityjustice or follow us on Twitter during the podcast.  IRC n00b? Follow this guide to get started.  We should be live around 9PM EST.

Join us for security talk, the Shmoocon recap, beer and audience participation! Thanks for listening and supporting the Cleveland security community!

Posted in Podcast Announcements | No Comments »

Security Justice Special Edition – Notacon 2009 with Froggy and Tyger

February 13th, 2009 Tom

This fun special edition episode was recorded last year at the Ohio Linux Fest.  The reason it took so long to release was mostly because of the “editing challenges” (Froggy likes to hijack our podcasts) and we wanted to release this at the beginning of 2009 to drum up some hype for Notacon 6 which will be held April 16th – 19th, 2009 in Cleveland Ohio.

Dave and Tom interview two of the Notacon founders, Froggy and Tyger.  Froggy and Tyger talk about what Notacon is, some of the cool talks this year and why you need to go!  Froggy also gives some details on the new venue and what you can expect this year.

Want more information about Notacon and how to register?  Check out the Notacon web site for all the details.  Security Justice will be there!

 

 Security Justice Special Edition - Notacon 2009 with Froggy and Tyger [16:29m]: Play Now | Play in Popup | Download (280)

Posted in Podcast Special Editions | No Comments »