Security Justice Episode 22 – Physical Security, Interview with a Locksmith

February 24th, 2010 Tom

This is the 22nd episode of the Security Justice podcast recorded February 17, 2010 live at Damon’s Grill in Independence, OH.  This episode was hosted by Tom, Dave, Matt and Chris with special guest John Doe the Locksmith.  Music as always provided by dualCORE. Thanks to everyone listening to the live stream and for participating in the chat via IRC.  Here are the show notes:

• A few Shmoocon updates! There was snow! Dave’s pictures posted soon…
• Interview with “John Doe” the Locksmith.  John Doe talks about some of the biggest physical security fails he has seen as well as some great stories of alarm bypass.  He also talks about what are good consumer grade locks, what are his favorite lock picks, the rise of fake locksmiths and more.

Please send show feedback to feedback [aT] securityjustice.com or comment below.

 

 Security Justice Episode 22 [49:39m]: Play Now | Play in Popup | Download (1475)

Posted in Podcast Episodes | No Comments »

Security Justice Episode 21 – Woot.com, Hack Challenge, @dave_rel1k and SET

January 26th, 2010 Tom

This is the 21st episode of the Security Justice podcast recorded January 20, 2010 live at Damon’s Grill in Independence, OH.  This episode was hosted by Tom, Dave, Matt and Chris with special guests Dave Kennedy creator of the Social Engineer Toolkit (SET) and Shawn Miller from Woot.com.  Music as always provided by dualCORE. Thanks to everyone listening to the live stream and for participating in the chat via IRC.  Here are the show notes:

• Chris announces this months open source project worth supporting! Chris recommends donating to pfSense, which is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router.  Each month Chris is going to highlight an awesome open source project worth giving some cash to.
• Hurricane Labs in Cleveland, Ohio is having another awesome Hack Challenge taking place on February 3, 2010.  Special guest Jordan Wiens (DEFCON CTF champion) will be in attendance (he will not be participating in the challenge so don’t worry about getting pwnd).  Hurricane Labs talks about what’s different from last year and how a CTF (Capture The Flag) works.
• Shawn Miller from Woot.com talks about bags of crap and how Woot.com is sponsoring the Shmooball Cannon Contest this year at Shmoocon!  He also talks about the history of Woot.com and how they do Woot off’s and more.
• Dave Kennedy gives us an overview of his Social Engineer Toolkit (SET) as well as a sneak peak of some new things being released for SET during his firetalk at Shmoocon. Also, listen to Dave *butcher* @myrcurial.  Remember Dave…my-cur-i-al.
• Tom is bringing the social zombie apocalypse to Shmoocon with Kevin Johnson and Robin Wood Saturday, February 6th at 11am.
• Be sure to check out the Podcaster Meetup and the Firetalks at Shmoocon.  Security Justice will be there.  More details will be posted soon!
• Remember kids: If your going to Shmoocon…do not eat at Trattoria across the street from the Wardman Park!! See this video for more information.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks to Dave and Shawn for being guests on the show!

 

 Security Justice Episode 21 [70:53m]: Play Now | Play in Popup | Download (2087)

Posted in Podcast Episodes | No Comments »

Security Justice Episode 20 – Shmoocon 2010 Interview with Bruce Potter (@gdead)

December 22nd, 2009 Tom

This is the 20th episode of the Security Justice podcast recorded December 16, 2009 live at Damon’s Grill in Independence, OH.  This episode was hosted by Tom, Dave and Chris with very special guest Bruce Potter founder of the Shmoo Group.  * Photo of Bruce and Heidi from album.textfiles.com.

Bruce talks to us about Shmoocon 2010, the ticketing process, talks, events and everything else related to Shmoocon 2010.  Just a reminder that the last round of Shmoocon tickets go on sale January 1st at noon EST!  This is your last chance to get a ticket to Shmoocon.  If you don’t get one, Bruce says you can blame our very own Chris Clymer.  Thanks again to Bruce for being our guest on the show and for everyone participating in the live chat via IRC and on the live stream (very special thanks to aricon from PaulDotCom for letting use their Icecast server for the stream).

 

 Security Justice Episode 20 - Shmoocon 2010 Interview with Bruce Potter [71:26m]: Play Now | Play in Popup | Download (2367)

Posted in Podcast Episodes | 1 Comment »

Security Justice Episode 19 – Epic Interview with Jason Scott (@textfiles)

November 27th, 2009 Tom

This is the 19th episode of the Security Justice podcast recorded November 18, 2009 live at the Chris Clymer Bar & Grill (his basement actually).  This episode was hosted by Tom, Matt, Dave and Chris with very special guest Jason Scott from textfiles.com (picture of Jason in this post courtesy of roy-sac).

Jason is probably the most interesting person you will ever meet.  His long list of accomplishments include speaking at pretty much every hacker conference known to man, hosting the fantastic Blockparty for the last three years at Notacon, archiver of the Internet, proprietor of textfiles.com, computer historian, producer of BBS: The Documentary, creator of sockington (the most famous cat on Twitter with well over 1 million followers) and also known as the guy who goatse’d all of MySpace.  We talk to Jason about pretty much everything listed above.  This is truly a EPIC episode going into the two hour mark but well worth the listen!

Thanks again to Jason for being our guest on the show and for everyone participating in the live chat via IRC and on the live stream (it was our largest audience yet)!  Please send show feedback to feedback [aT] securityjustice.com or comment below.

 

 Security Justice Episode 19 - Jason Scott [134:27m]: Play Now | Play in Popup | Download (2635)

Posted in Podcast Episodes | 2 Comments »

Security Justice Episode 18 – Louisville InfoSec, Rapid7, Interview with Wesley McGrew

October 27th, 2009 Tom

This is the 18th episode of the Security Justice podcast recorded October 21st 2009 live at Mavis Winkle’s Irish Pub. This was the last episode recorded at Mavis Winkle’s.  Apparently, they can’t handle any more of the “justice”.  This episode was hosted by Tom, Matt, Dave and Chris with special guests Wesley McGrew from McGrewSecurity.com and Dave Kennedy (ReL1K).  Music as always provided by dualCORE. Thanks to everyone listening to the live stream and for participating in the chat via IRC.

Special Announcements:
We will be podcasting live at the Ohio Information Security Summit October 29-30.  We should be streaming some of the talks and select interviews with some of the speakers.  Be sure to follow our Twitter feed for updates on when we will be live!  Tom, Matt, Dave Kennedy, Alex Hutton, Richard Bejtlich and Wikid Systems (Nick Owen) will all be speaking.

Tom Eston and Kevin Johnson will be speaking at OWASP AppSec DC November 10-13th.  Tom and Kevin will be presenting “Social Zombies: Your Friends Want to Eat Your Brains”

Website Plug(s) of the Month:

Shmoocon CFP is open! Canadian Web Techno Conference CFP is open, ConFoo!

The Social-Engineer.org Podcast.  Be sure to check out the first episode on interrogation and interview tactics.  Really good stuff.  We are hoping that these guys put out more episodes soon!

• The Louisville Metro InfoSec Capture the Flag recap by Dave Kennedy
• Ohio LinuxFest Recap.  Link to the geek wedding here.
• T-Shirt contest design winners!  Rodolfo and ghostnomad…your designs will be incorporated into the t-shirt design!  Congratz!
• Rapid7 Acquires Metasploit.  Dave Kennedy has the strangest analogy about this we have ever heard!
• Poken update
• Wi-Fi signals used to see through walls
• Internet as a Basic Right
• Interview with Wesley McGrew. We talk to Wesley about some of his notable achievements including Yousif Yalda, Script Kiddies in the Mist, Vulnerabilities in SCADA Human-Machine Interface Software, Jesse “GhostExodus” McGraw/ETA and the f0rb1dd3n book review.  Wesley has a great blog over at mcgrewsecurity.com that we highly recommend you add to your daily reading list!  You can also follow Wesley on Twitter.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks to Wesley for being a guest on the show!

 

 Security Justice Episode 18 [77:08m]: Play Now | Play in Popup | Download (1883)

Posted in Podcast Episodes | 1 Comment »

Security Justice Episode 17 – Pokens, CUDA, Physical Security Exercises, Makerbots, Hawt Chicks

September 24th, 2009 Tom

This is the 17th episode of the Security Justice podcast recorded September 16th 2009 live at Mavis Winkle’s Irish Pub. This episode was hosted by Tom, Matt, Dave and Chris with special guests Tony Macisco and much0mas. Music provided by dualCORE and Pokens provided by PokenZoo.com.  Did you know we have a Facebook Fan Page?  We promise it’s non malicious! Thanks to everyone listening to the live stream and for participating in the chat via IRC.

Special Announcements:
We will be podcasting at the Ohio Linux Fest with dualCORE! September 25-27th.  Dave and Chris will be streaming live on Saturday 9/26 and dualCORE will be performing live Saturday night.  Stay tuned to our website and Twitter feed for more information this weekend.

Cleveland Locksport is forming!  If your local to the Cleveland area, hit up Chris for information on the next meeting.

If you near the Cleveland, Ohio area check out the Information Security Summit October 29-30

MiniSoOnCon! MiniSoOnCon is a Southern Ontario Hackerspaces / Makers Mini-Conference October 2nd and 3rd, 2009 in Hamilton, Ontario.

Website Plug(s) of the Month:

Social Engineering Framework
Learn all about social engineering!  Put together by an awesome crew including Dave Kennedy who is the creator of the Social Engineer Toolkit (SET).  Check it out!  Really good stuff! http://social-engineer.org/

Malwarebytes is a site dedicated to fighting malware. Malwarebytes has developed a variety of tools that can identify and remove malicious software from your computer.

Here are the topics covered and show notes:

• Interview with Tony Macisco who is a physical security expert.  He has a impressive resume working for the Department of Homeland Security. US Customs and a large financial institution.  If your looking for someone that knows physical security, Tony is your man.  Connect with him on LinkedIn!
• Matt talks about cracking passwords with CUDA video cards and why cracking passwords with video cards is incredibly faster then traditional methods.  CUDA FTW!
• Want to crack passwords with a CUDA supported card?  Check out Pyrit which allows you to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time-tradeoff.  Pyrit also hooks into CoWPAtty.  If you want to brute force MD4/MD5 or NTLM check out CUDA Multiforcer (noted as the worlds fastest password cracker).  If you want a setup for CUDA that works out of the box, check out Backtrack 4…CUDA support is built in!
• Sharing files on a social network might be the end of the world
• POKENS. What are they? Are they secure? Will they catch on?  We have some Pokens for prizes thanks to PokenZoo.com!  See Dave or Chris at Ohio Linux Fest this weekend to find out how to win one!  Congrats to Paul from PaulDotCom Security Weekly for winning a Poken during our live show!
• Want to know how Pokens work and related security?  Check out this really awesome, detailed article created by Didier Stevens.
• Did you know we have a t-shirt design contest?  Neither did we!  Send your ideas to feedback[aT]securityjustice.com and you could win a Poken and MORE! (we just don’t know what “more” is yet)
• What is a Makerbot?  We have a good discussion about basic hardware hacking and hackerspaces…we also wonder why we still don’t have one in Cleveland..<sigh>
  
• Go to MiniSoOnCon! It’s only a 3.5 hour drive from Cleveland.
• Ignore the “hawt chick” on the Security Justice Twitter account (and the base64 encoded messages).  We are not part of a Twitter botnet! Srsly.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

 

 Security Justice Episode 17 [1:00:24m]: Play Now | Play in Popup | Download (2971)

Posted in Podcast Episodes | No Comments »

Security Justice – Episode 16 DEFCON Recovery with @dave_rel1k

September 1st, 2009 Tom

This is the 16th episode of the Security Justice podcast recorded August 19th 2009 live at Mavis Winkle’s Irish Pub. This episode was hosted by Tom, Matt, Dave and Chris with special guests Dave Kennedy (ReL1K) and dotzero.  Music provided by dualCORE!  Thanks to everyone listening to the live stream and for participating in the chat via IRC.

Special Announcements:
We will be podcasting at the Ohio Linux Fest with dualCORE! September 25-27th
If you near the Cleveland, Ohio area check out the Information Security Summit October 29-30

Website Plug(s) of the Month:

Irongeek.com
The source for security videos on tools and more! (just don’t look at the robots.txt file, k?)
SocialMediaSecurity.com
New website dedicated to the security and insecurity of social media.  Join the volunteer mailing list to help out!

Here are the topics covered and show notes:

• DEFCON 17 Updates! Pics are posted! Also more stuff on our Facebook fan page.
• BSides in Vegas was awesome
• Cliq locks owned
• New SSL Vulns
• Hacker Pyramid, check out the pics!
• Sky talks
• Podcaster Meetup at DEFCON, we were there..with lots of debauchery
• ATMs haxed
• Great guide with real pictures of multiple ATM skimmers..some really hard to detect
• Zombies ate your brains! Tom and Kevin’s video is up.  If you missed us at DEFCON, we are doing it again at OWASP AppSec DC in November.
• Goatse Lasers
• Oracle Pwned
• Good stuff about “anti-sec”
• Twitter botnet? We told you so…
• On the big breach(s) (Heartland/Hannaford/etc.)
• TSA “Training”
• Social Engineering Framework soon to be released by Dave Kennedy..stay tuned!
• Sockington…the most popular cat on Twitter! Now you can follow Jason Scott’s cat!
• We want t-shirts!! Send your ideas to feedback [at] securityjustice.com.

Open Discussion Topic: The term “hacker”.  What does it mean and why does the media focus on the negative aspects?

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

 

 Security Justice - Episode 16 [1:07:38m]: Play Now | Play in Popup | Download (2074)

Posted in Podcast Episodes | 4 Comments »

Security Justice – Episode 15 dualCORE Interview with int0×80!

July 25th, 2009 Tom

This is the 15th episode of the Security Justice podcast recorded July 15th 2009 live from HurricaneLabs in Cleveland Ohio. This episode was hosted by Tom, Matt, Dave and Chris with special guests int0×80 from dualCORE and his hacker girlfriend.

Opening intro by RBCP from Phone Losers of America…please don’t hate us PaulDotCom crew!  We really do love you guys! Music provided by dualCORE!  Thanks to everyone listening to the live stream and for participating in the chat via IRC.

Podcaster Meetup details @DEFCON 17: Tom, Chris and Matt from Security Justice will be at the Podcasters Meetup once again live from DEFCON!  It’s going to take place Saturday night @8pm in Skyboxes 207 and 208.  Even if you won’t be at DEFCON you can listen and watch the podcast live via ustream!  The Podcasters Meetup is sponsored by SquareSpace (use coupon code “defcon” for 10% off the lifetime of your account) and Astaro.  We will post more details as we get them but check out the Podcasters Meetup website for the latest details.

Website Plug of the Month:

dualCORE Music – Get the latest album from dualCORE “Next Level” for only $10! Check out the awesome video preview here.

Here are the topics covered and show notes:

• Lots of epic FAIL with getting the stream up this time…
• HurricaneLabs Hack Challenge Recap.  Special thanks to the guys at HurricaneLabs for hooking us up with space to record…and the special configs to allow us to Skype!
• Tom speaking at DEFCON 17 with Kevin Johnson “Social Zombies: Your Friends Want to Eat Your Brains” 4pm Sunday
• You must go to Hacker Pyramid!  Win 10,000 cents!
• Other talks to see at DEFCON: RogueClown, “Hackerspaces: The Legal Bases”…James Arlen and Tiffany Radd, “Your Mind: Legal Status, Rights and Securing Yourself”
• Intuit support FAIL Twitter story…Twitter can rock for customer support.
• dualCORE interview with int0×80 and his hacker girlfriend…oh, and we like turtles!
• Check out the new Cincinnati hackerspace, Hive13.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

 

 Security Justice - Episode 15 [52:12m]: Play Now | Play in Popup | Download (2312)

Posted in Podcast Episodes | 3 Comments »

Security Justice – Episode 14

July 1st, 2009 Tom

This is the 14th episode of the Security Justice podcast recorded June 17th 2009 live at Mavis Winkle’s Irish Pub. This episode was hosted by Tom, Matt, Dave and Chris with special guests dotzero and much0mas. Music provided by dualCORE!  Thanks to everyone listening to the live stream and for participating in the chat via IRC.

Special Announcement: Tom and Chris from Security Justice will be at the Podcasters Meetup once again live from DEFCON 17!  Even if you won’t be at DEFCON you can listen and watch the podcast live via ustream!  The Podcasters Meetup is sponsored by SquareSpace (use coupon code “defcon” for 10% off the lifetime of your account) and Astaro.  We will post more details as we get them but check out the Podcasters Meetup website for the latest details.

Website Plug of the Month:

The new and improved Carnal0wnage blog! Chris Gates and Valsmith (Attack Research) have combined forces. Check out this awesome security and penetration testing blog!

Here are the topics covered and show notes:

• The SJ Crew get’s $2.50 + a virtual beer in sponsorship! w00t!
• dualCORE is releasing a new album!  More details coming soon…
• Interview with James Arlen (@myrcurial) went awesome!  Will be released as a special edition once Dave fixes the audio.
• Tom is speaking at DEFCON 17 with Kevin Johnson- Social Zombies: Your Friends Want To Eat Your Brains
• Matt’s super secret zombie night, DEFCON party invites and “Sushi Deployed!”
• Northeast Ohio Information Security Forum update
• SIEM Implementation: Real World Pitfalls to Watch Out For by Michael Buckwell
• WiKID Commercial Open Source Two-Factor Authentication by Matt Yonchak, Hurricane Labs
• (your monthly web2.0 security update….ha) Short URL service Cli.gs hacked and 2.2 million URLs affected
• Yes, there are dangers to short URL services! *gasp*
• Before getting into our open discussion..we recommend you listen to the IBM Fight Song.  Yeah, srsly!

Security Justice Open Discussion: Hacking the dinosaurs!  Breaking AS400, PBX/VM systems and more! (20:42)

• General IBM hacking tips (If you want to go after mainframes or iSeries/AS400 you will need a TN3270 client)
  IBM Redbooks – Required resource when looking at any IBM product
• Hacking iSeries/AS400 (Commonly referred to as midrange systems.  AS/400 are NOT mainframes!)
  Good book on this called “Hacking iSeries” by Shalom Carmel and his whitepapers.
  Stankdawgs Hope5 AS/400 Talk – AS/400: Lifting the veil of obscurity.
  Be sure to check for default accounts and passwords Commonly have SMTP XPND and VRFY enabled which makes account enumeration easier.  Most have a modem attached for remote diagnostics. Sometimes can be insecure. Same thing goes for accessories such as drive arrays.
• Hacking Mainframes (often a critical system so tread lightly)
  Keep in mind a “Test” mainframe might just be an LPAR (Logical Partition) off the production system. So disruptions to the “test” system could impact production.
• General penetration testing tips
  Users manually sync passwords – If you get a users password from another system try it on the target system.
  Clear text protocols abound. MITM attacks can be your friend. Just don’t take the companies mainframe offline, they probably need that.
• PBX/VM
  Check for default usernames/passwords on voicemail and phone systems and never under estimate wardialing!
  PBX’s often run UNIX-based OS’s
  PBX’s tend to be treated as “appliances” which is a fancy way of saying “we’re not going to patch it”
• TANDEM Security
• Crusty UNIX
  Older AIX versions use crypt() for password hashing, and only support 8 character unsalted passwords.  It will let users set longer passwords, it just only uses the first 8 chars!
  Telnet, rhosts, rlogin, rsh are all commonplace on older big iron UNIX
  Clustered UNIX boxes work by allowing password-less root login between each cluster member.  This can happen over SSH, but often happens over telnet, rsh, rlogin, etc.  Some vendors even still reccomend this!  Own one box, own them all.  Even better, spoof one of the hosts (easy for rtools) and you have root.
• HVAC Systems
  Some connected via modem, others on the network.  Default credentials almost guaranteed bacause they are usually set up by non-security aware HVAC mechanics.  Newer web based management consoles give you full control of the HVAC system.  Use caution when pentesting HVAC systems as messing with these can cause human safety issues!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

 

 Security Justice - Episode 14 [1:09:38m]: Play Now | Play in Popup | Download (2370)

Posted in Podcast Episodes | 2 Comments »

Security Justice – Episode 13

June 5th, 2009 Tom

This is the 13th episode of the Security Justice podcast recorded May 20th 2009 live at Mavis Winkle’s Irish Pub! This episode was hosted by Tom, Dave and Chris with special guest The Security Shoggoth! Music provided by dualCORE!  Thanks to everyone listening to the live stream and for participating in the chat via IRC.

Website Plug of the Month: Liquidmatrix Security Digest is a fantastic security blog/news site.  Created by Dave Lewis (@gattaca) with guest posts by James Arlen (@myrcurial, creator of the term “cyberdouchery“) , Security Intern (@Securityintern), Matt Johansen (@mattj) and Zach Lanier (@quine).

Here are the topics covered during the podcast and show notes:

• Notacon 6 recap!
• Become our fan on Facebook…it’s a real Facebook page, not designed to pwn you.  We promise!
• Northeast Ohio Information Security Forum update
• New School Man-in-the-Middle
• Finding and detecting Malicious PDF’s. Tyler’s Snort signature. Didier Steven’s fantastic PDF analysis tools.
• Your deleted Tweets are not deleted
• Interview FAIL – You never know who is watching or listening!
• Chris’ adventure with his Dell Mini9
• Census GPS-tagging your home’s front door
• Security Justice Open Discussion(s): Security certifications/training, Microsoft pirated software..not helping the patching problem?  Interesting Apple Mac discussion…Apple security research, patches, iPhone presenter FAIL and more!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

 

 Security Justice - Episode 13 [54:09m]: Play Now | Play in Popup | Download (2216)

Posted in Podcast Episodes | No Comments »