Security Justice – Episode 14
July 1st, 2009 Tom Posted in Podcast Episodes | 2 Comments »
This is the 14th episode of the Security Justice podcast recorded June 17th 2009 live at Mavis Winkle’s Irish Pub. This episode was hosted by Tom, Matt, Dave and Chris with special guests dotzero and much0mas. Music provided by dualCORE! Thanks to everyone listening to the live stream and for participating in the chat via IRC.
Special Announcement: Tom and Chris from Security Justice will be at the Podcasters Meetup once again live from DEFCON 17! Even if you won’t be at DEFCON you can listen and watch the podcast live via ustream! The Podcasters Meetup is sponsored by SquareSpace (use coupon code “defcon” for 10% off the lifetime of your account) and Astaro. We will post more details as we get them but check out the Podcasters Meetup website for the latest details.
Website Plug of the Month:
The new and improved Carnal0wnage blog! Chris Gates and Valsmith (Attack Research) have combined forces. Check out this awesome security and penetration testing blog!
Here are the topics covered and show notes:
- The SJ Crew gets $2.50 + a virtual beer in sponsorship! w00t!
- dualCORE is releasing a new album! More details coming soon…
- Interview with James Arlen (@myrcurial) went awesome! Will be released as a special edition once Dave fixes the audio.
- Tom is speaking at DEFCON 17 with Kevin Johnson- Social Zombies: Your Friends Want To Eat Your Brains
- Matt’s super secret zombie night, DEFCON party invites and “Sushi Deployed!”
- Northeast Ohio Information Security Forum update
- SIEM Implementation: Real World Pitfalls to Watch Out For by Michael Buckwell
- WiKID Commercial Open Source Two-Factor Authentication by Matt Yonchak, Hurricane Labs
- (your monthly web2.0 security update….ha) Short URL service Cli.gs hacked and 2.2 million URLs affected
- Yes, there are dangers to short URL services! *gasp*
- Before getting into our open discussion..we recommend you listen to the IBM Fight Song. Yeah, srsly!
Security Justice Open Discussion: Hacking the dinosaurs! Breaking AS400, PBX/VM systems and more! (20:42)
- General IBM hacking tips (If you want to go after mainframes or iSeries/AS400 you will need a TN3270 client)
  - IBM Redbooks – required resource when looking at any IBM product
- Hacking iSeries/AS400 (Commonly referred to as midrange systems. AS/400s are NOT mainframes!)
  - Good book on this called “Hacking iSeries” by Shalom Carmel, and his whitepapers.
  - Stankdawg’s HOPE 5 AS/400 talk – AS/400: Lifting the veil of obscurity.
  - Be sure to check for default accounts and passwords.
  - They commonly have SMTP EXPN and VRFY enabled, which makes account enumeration easier.
  - Most have a modem attached for remote diagnostics. Sometimes it can be insecure. The same goes for accessories such as drive arrays.
- Hacking Mainframes (often a critical system, so tread lightly)
  - Keep in mind a “test” mainframe might just be an LPAR (Logical Partition) off the production system, so disruptions to the “test” system could impact production.
- General penetration testing tips
  - Users manually sync passwords – if you get a user’s password from another system, try it on the target system.
  - Clear-text protocols abound. MITM attacks can be your friend. Just don’t take the company’s mainframe offline; they probably need that.
- PBX/VM
  - Check for default usernames/passwords on voicemail and phone systems, and never underestimate wardialing!
  - PBXs often run UNIX-based OSes.
  - PBXs tend to be treated as “appliances”, which is a fancy way of saying “we’re not going to patch it”.
- TANDEM Security
- Crusty UNIX
  - Older AIX versions use crypt() for password hashing and only support 8-character unsalted passwords. It will let users set longer passwords; it just only uses the first 8 chars!
  - Telnet, rhosts, rlogin and rsh are all commonplace on older big-iron UNIX.
  - Clustered UNIX boxes work by allowing password-less root login between each cluster member. This can happen over SSH, but often happens over telnet, rsh, rlogin, etc. Some vendors even still recommend this! Own one box, own them all. Even better, spoof one of the hosts (easy for rtools) and you have root.
- HVAC Systems
  - Some are connected via modem, others on the network. Default credentials are almost guaranteed because they are usually set up by non-security-aware HVAC mechanics. Newer web-based management consoles give you full control of the HVAC system. Use caution when pentesting HVAC systems, as messing with these can cause human safety issues!
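The AS/400 note above about SMTP EXPN and VRFY is easy to check on your own mail hosts before someone else does. The following is an added example written for these show notes, not code from the podcast or any tool it mentions: it uses the standard-library smtplib to send both commands and classifies the reply codes, and it ships with a constructed in-process fake MTA (`FakeSMTPServer`, a stand-in for a legacy mailer) so it runs offline. The hostname `legacy.example`, the `auditor.example` HELO name and the `postmaster` probe user are all assumptions.

```python
"""Added example (not from the podcast): does an SMTP service answer VRFY/EXPN?

audit_smtp_enumeration() speaks plain RFC 5321 SMTP via smtplib. FakeSMTPServer
is a constructed stand-in for a legacy MTA so the module runs with no network.
"""
import smtplib
import socketserver
import threading

# 250 = verified / list expanded, 550/551 = "no such user": all three confirm
# or deny an account, so they leak. 252 is the RFC-recommended "cannot verify,
# will accept anyway" dodge; 500/502 mean the command is disabled.
LEAKY_CODES = {250, 550, 551}


def audit_smtp_enumeration(host, port, probe="postmaster"):
    """Return {"VRFY": code, "EXPN": code, "leaks": bool} for one mail host."""
    result = {}
    # local_hostname is fixed so smtplib does not stall on a reverse DNS lookup.
    with smtplib.SMTP(host, port, local_hostname="auditor.example", timeout=5) as conn:
        conn.ehlo_or_helo_if_needed()
        for cmd in ("VRFY", "EXPN"):
            code, _msg = conn.docmd(cmd, probe)
            result[cmd] = code
    result["leaks"] = any(result[c] in LEAKY_CODES for c in ("VRFY", "EXPN"))
    return result


class _FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed legacy-MTA behaviour; server.leaky decides the VRFY reply."""

    def _send(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        self._send("220 legacy.example ESMTP (constructed test server)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb = raw.decode("ascii", "replace").split(" ", 1)[0].strip().upper()
            if verb in ("EHLO", "HELO"):
                self._send("250 legacy.example")
            elif verb in ("VRFY", "EXPN"):
                if self.server.leaky:
                    self._send("250 root <root@legacy.example>")
                else:
                    self._send("252 Cannot VRFY user; try RCPT to attempt delivery")
            elif verb == "QUIT":
                self._send("221 Bye")
                return
            else:
                self._send("502 Command not implemented")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    """Listens on a random loopback port in a background thread."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, leaky):
        super().__init__(("127.0.0.1", 0), _FakeSMTPHandler)
        self.leaky = leaky
        threading.Thread(target=self.serve_forever, daemon=True).start()

    @property
    def address(self):
        return self.server_address[0], self.server_address[1]

    def close(self):
        self.shutdown()
        self.server_close()


if __name__ == "__main__":
    for leaky in (True, False):
        srv = FakeSMTPServer(leaky=leaky)
        print("leaky MTA" if leaky else "hardened MTA", audit_smtp_enumeration(*srv.address))
        srv.close()
```

A `leaks: True` result is the finding to fix on the mail side rather than by filtering: Postfix turns the command off with `disable_vrfy_command = yes` in main.cf, and sendmail with `PrivacyOptions=novrfy,noexpn`; after either change the audit should report 252 or 502.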
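The three “Crusty UNIX” points (8-character crypt() truncation, clear-text r-services, and password-less cluster trust) can be checked from a few files on the box. This is an added example written for these show notes, not code from the podcast: it shows what traditional crypt() actually keys DES with, then audits constructed samples of /etc/shadow, /etc/hosts.equiv and /etc/inetd.conf. Every sample line, user name and hash below is constructed for the demonstration; on a real host you would read the actual files (and ~/.rhosts for each account, which has the same format as hosts.equiv).

```python
"""Added example (not from the podcast): audit a legacy UNIX host for
DES-crypt hashes, rhosts trust and clear-text inetd services.
All sample files are constructed."""
import re

# Traditional crypt(3) output: 2 salt chars + 11 hash chars, alphabet [./0-9A-Za-z].
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
_MODULAR = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}
# inetd service names -> the clear-text daemon they start.
LEGACY_INETD_SERVICES = {"telnet": "telnet", "shell": "rsh", "login": "rlogin", "exec": "rexec"}

SHADOW_SAMPLE = """\
# constructed /etc/shadow
root:$6$cOnStRuCtEd$ThisIsNotARealHashJustAPlaceholderForTheExample0000000000000000:17000:0:99999:7:::
oper:ab7dOxYjdksfQ:17000:0:99999:7:::
dbadm:$1$cOnStRuC$NotARealHashEither000:17000:0:99999:7:::
svc:!:17000:0:99999:7:::
"""

HOSTS_EQUIV_SAMPLE = """\
# constructed /etc/hosts.equiv from a two-node cluster
node2.cluster.example
node3.cluster.example root
+ +
"""

INETD_SAMPLE = """\
# constructed /etc/inetd.conf
ftp     stream tcp nowait root /usr/sbin/ftpd    ftpd
telnet  stream tcp nowait root /usr/sbin/telnetd telnetd -a
shell   stream tcp nowait root /usr/sbin/rshd    rshd
#login  stream tcp nowait root /usr/sbin/rlogind rlogind
exec    stream tcp nowait root /usr/sbin/rexecd  rexecd
"""


def legacy_crypt_key(password: str) -> bytes:
    """The DES key traditional crypt() derives from a password: the first 8
    characters, low 7 bits of each. Anything past character 8 is ignored."""
    return bytes(ord(c) & 0x7F for c in password[:8])


def classify_hash(field: str) -> str:
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    for prefix, name in _MODULAR.items():
        if field.startswith(prefix):
            return name
    if _DES_CRYPT.match(field):
        return "des-crypt"
    return "other"


def audit_shadow(text: str):
    """Accounts whose stored hash is traditional DES crypt or empty."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if not line or line.startswith("#") or len(parts) < 2:
            continue
        kind = classify_hash(parts[1])
        if kind in ("des-crypt", "empty"):
            findings.append((parts[0], kind))
    return findings


def audit_trust_file(text: str):
    """hosts.equiv / .rhosts entries. Each entry is password-less trust;
    a '+' in either column is a wildcard (any host, or any user)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        host, user = parts[0], (parts[1] if len(parts) > 1 else None)
        severity = "wildcard" if "+" in (host, user) else "trust"
        findings.append((host, user, severity))
    return findings


def audit_inetd(text: str):
    """Clear-text remote-access services inetd would actually start."""
    enabled = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        service = line.split()[0]
        if service in LEGACY_INETD_SERVICES:
            enabled.add(LEGACY_INETD_SERVICES[service])
    return enabled


def run_audit(shadow=SHADOW_SAMPLE, hosts_equiv=HOSTS_EQUIV_SAMPLE, inetd=INETD_SAMPLE):
    return {
        "weak_hashes": audit_shadow(shadow),
        "trust": audit_trust_file(hosts_equiv),
        "cleartext_services": sorted(audit_inetd(inetd)),
    }


if __name__ == "__main__":
    print(legacy_crypt_key("Summer2009!extra") == legacy_crypt_key("Summer20"))
    print(run_audit())
```

The `legacy_crypt_key` comparison is the point of the AIX note: a 16-character password and its first 8 characters produce the same stored hash, so a longer-password policy buys nothing until the hashing scheme itself is changed. The trust-file output distinguishes the `+ +` wildcard (anyone, from anywhere, no password) from ordinary per-host entries, which are still the “own one box, own them all” trust the notes describe.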
Please send show feedback to feedback [aT] securityjustice.com or comment below. Thanks for listening!
July 3rd, 2009 at 5:14 pm
I’m 10 minutes into the podcast and still waiting for some real content to begin!
July 10th, 2009 at 8:57 am
The technical content begins at 20:42. Thanks for the feedback!