• We interview the InfoSec curmudgeon: Jack Daniel.  Jack talks about a certain security certification organization, BSides, Vegas updates, PCI, getting free drinks because you look like ZZ Top and much more! Also, there are some interesting updates from Defcon provided by dotzero.  Be sure to check out Jack’s blog!
• Don’t forget about Ohio Linux Fest September 10-12th and the Hurricane Labs Hack Challenge September 22nd.

Please send show feedback to feedback [aT] securityjustice.com or comment below.

• We interview Brian Brushwood the host of “Scam School” on Revision3.  From the Revision3 website: Brian is the author of The Professional’s Guide to Fire Eating; Pack the House; and Cheats,Cons, Swindles, and Tricks. He has appeared on dozens of television and radio broadcasts, including “The Tonight Show,” and programs on ABC, NBC, FOX, the BBC, E! and more.  He eats FIRE, knows a thing or two about magic and gives us some great advice on social engineering and techniques on how to pick up girls in a bar.

Please send show feedback to feedback [aT] securityjustice.com or comment below.

• Interview with Joshua “Jabra” Abraham.  Jabra contributes to the BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ.  You probably have seen his talks at BlackHat, DefCon, ShmooCon, Infosec World, CSI, OWASP Conferences, LinuxWorld, Comdex and BLUG.  He also codes in Perl! Yeah baby!
• Check out Jabra’s blog.  Great resource for scripts and pentest tools.
• Jabra gave a really good talk at the SANS Pentest Summit “Goal Oriented Pentesting”.  Information on the upcoming release of Fierce 2.
• “Unmasking You” talk with Rsnake and Jabra from Defcon 17
• Be sure to check out everything Dave Kennedy is up to at BlackHat and Defcon this year.  Dave gives an update on the Social Engineering contest at Defcon as well.  Let’s pray for no heart attacks this year Dave!

Please send show feedback to feedback [aT] securityjustice.com or comment below.

• We have our very first out of town guest!  Rafal Los from HP joins us for some *very* lively conversation.  You should really read his blogs.
• Rafal gives an update on THOTCON.  Yes, we want to podcast LIVE from THOTCON next year! It’s in Chicago.  We like Chicago.
• Rafal also did 30 disasters in 30 days (this is the first one). Awesome read!
• Check out Rafal’s talk from Source Boston: Into the Rabbit Hole: Execution Flow-Based Web Application Testing. We have some great discussion about this on why we are failing at web app testing.  Can QA do security?  Should developers be licensed like other industries?
• We end with a discussion on security certifications, degrees, red team vs. blue team and the word “Cyber”….oh my.
• Stay tuned after the podcast for some exclusive LIVE dualCORE and an interesting collection of bumpers.  Enjoy!

Please send show feedback to feedback [aT] securityjustice.com or comment below.

• We interview Steve Ocepek from SpiderLabs about his recent talk at BlackHat EU and NEOISF “Oracle, Interrupted: Stealing Sessions and Credentials“.  Steve talks about his job as head of security research for SpiderLabs, penetration testing Oracle, Layer 2 attacks and much more!
• Chris and Tom provide our Notacon 7 updates.  Notacon was awesome as usual!  We hope to release the audio from our session from Notacon Radio…it was EPIC! If anything you should listen to it just for our interview of 0ph3lia. RAGE!
• Check out our pictures from “Surviving the Zombie Apocalypse”.  We posted some video (you must see the Zombie Q&A from the video), and outtakes from the presentation.  Full video can be downloaded via Torrent (with the other Notacon 7 videos).

Please send show feedback to feedback [aT] securityjustice.com or comment below.

• Froggy and Tyger talk about Notacon 7.  Security Justice will be there…hopefully on Notacon radio.  Come see our talk “Surviving the Zombie Apocalypse” with our friends The Confused Greenies.  See our exclusive preview here! Also, come see Ghostnomad’s talk and all three talks with Myrcurial.
• You should really come to Notacon…April 15-18th in Cleveland Ohio! Other talks worth checking out (besides all of them) include…Int Eighty, dave_rel1k, Tiffany Rad, Rogueclown, Kaospunk, Irongeek and Mick Douglas from Pauldotcom Security Weekly.
• Interview with Ghostnomad who is a real, live, breathing IT Auditor (don’t worry…he’s actually pretty cool ).  We go one-on-one to find out what IT auditors do and how they are really not out to destroy us…or eat our children.  Myrcurial also joins the conversation…with NO Skype fail! Srsly..way to go Dave!

Please send show feedback to feedback [aT] securityjustice.com or comment below.

• A few Shmoocon updates! There was snow! Dave’s pictures posted soon…
• Interview with “John Doe” the Locksmith.  John Doe talks about some of the biggest physical security fails he has seen as well as some great stories of alarm bypass.  He also talks about what are good consumer grade locks, what are his favorite lock picks, the rise of fake locksmiths and more.

Please send show feedback to feedback [aT] securityjustice.com or comment below.

• Chris announces this months open source project worth supporting! Chris recommends donating to pfSense, which is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router.  Each month Chris is going to highlight an awesome open source project worth giving some cash to.
• Hurricane Labs in Cleveland, Ohio is having another awesome Hack Challenge taking place on February 3, 2010.  Special guest Jordan Wiens (DEFCON CTF champion) will be in attendance (he will not be participating in the challenge so don’t worry about getting pwnd).  Hurricane Labs talks about what’s different from last year and how a CTF (Capture The Flag) works.
• Shawn Miller from Woot.com talks about bags of crap and how Woot.com is sponsoring the Shmooball Cannon Contest this year at Shmoocon!  He also talks about the history of Woot.com and how they do Woot off’s and more.
• Dave Kennedy gives us an overview of his Social Engineer Toolkit (SET) as well as a sneak peak of some new things being released for SET during his firetalk at Shmoocon. Also, listen to Dave *butcher* @myrcurial.  Remember Dave…my-cur-i-al.
• Tom is bringing the social zombie apocalypse to Shmoocon with Kevin Johnson and Robin Wood Saturday, February 6th at 11am.
• Be sure to check out the Podcaster Meetup and the Firetalks at Shmoocon.  Security Justice will be there.  More details will be posted soon!
• Remember kids: If your going to Shmoocon…do not eat at Trattoria across the street from the Wardman Park!! See this video for more information.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks to Dave and Shawn for being guests on the show!

Bruce talks to us about Shmoocon 2010, the ticketing process, talks, events and everything else related to Shmoocon 2010.  Just a reminder that the last round of Shmoocon tickets go on sale January 1st at noon EST!  This is your last chance to get a ticket to Shmoocon.  If you don’t get one, Bruce says you can blame our very own Chris Clymer.  Thanks again to Bruce for being our guest on the show and for everyone participating in the live chat via IRC and on the live stream (very special thanks to aricon from PaulDotCom for letting use their Icecast server for the stream).

Jason is probably the most interesting person you will ever meet.  His long list of accomplishments include speaking at pretty much every hacker conference known to man, hosting the fantastic Blockparty for the last three years at Notacon, archiver of the Internet, proprietor of textfiles.com, computer historian, producer of BBS: The Documentary, creator of sockington (the most famous cat on Twitter with well over 1 million followers) and also known as the guy who goatse’d all of MySpace.  We talk to Jason about pretty much everything listed above.  This is truly a EPIC episode going into the two hour mark but well worth the listen!

Thanks again to Jason for being our guest on the show and for everyone participating in the live chat via IRC and on the live stream (it was our largest audience yet)!  Please send show feedback to feedback [aT] securityjustice.com or comment below.

Special Announcements:
We will be podcasting live at the Ohio Information Security Summit October 29-30.  We should be streaming some of the talks and select interviews with some of the speakers.  Be sure to follow our Twitter feed for updates on when we will be live!  Tom, Matt, Dave Kennedy, Alex Hutton, Richard Bejtlich and Wikid Systems (Nick Owen) will all be speaking.

Tom Eston and Kevin Johnson will be speaking at OWASP AppSec DC November 10-13th.  Tom and Kevin will be presenting “Social Zombies: Your Friends Want to Eat Your Brains”

Website Plug(s) of the Month:

Shmoocon CFP is open! Canadian Web Techno Conference CFP is open, ConFoo!

The Social-Engineer.org Podcast.  Be sure to check out the first episode on interrogation and interview tactics.  Really good stuff.  We are hoping that these guys put out more episodes soon!

• The Louisville Metro InfoSec Capture the Flag recap by Dave Kennedy
• Ohio LinuxFest Recap.  Link to the geek wedding here.
• T-Shirt contest design winners!  Rodolfo and ghostnomad…your designs will be incorporated into the t-shirt design!  Congratz!
• Rapid7 Acquires Metasploit.  Dave Kennedy has the strangest analogy about this we have ever heard!
• Poken update
• Wi-Fi signals used to see through walls
• Internet as a Basic Right
• Interview with Wesley McGrew. We talk to Wesley about some of his notable achievements including Yousif Yalda, Script Kiddies in the Mist, Vulnerabilities in SCADA Human-Machine Interface Software, Jesse “GhostExodus” McGraw/ETA and the f0rb1dd3n book review.  Wesley has a great blog over at mcgrewsecurity.com that we highly recommend you add to your daily reading list!  You can also follow Wesley on Twitter.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks to Wesley for being a guest on the show!

Special Announcements:
We will be podcasting at the Ohio Linux Fest with dualCORE! September 25-27th.  Dave and Chris will be streaming live on Saturday 9/26 and dualCORE will be performing live Saturday night.  Stay tuned to our website and Twitter feed for more information this weekend.

Cleveland Locksport is forming!  If your local to the Cleveland area, hit up Chris for information on the next meeting.

If you near the Cleveland, Ohio area check out the Information Security Summit October 29-30

MiniSoOnCon! MiniSoOnCon is a Southern Ontario Hackerspaces / Makers Mini-Conference October 2nd and 3rd, 2009 in Hamilton, Ontario.

Website Plug(s) of the Month:

Social Engineering Framework
Learn all about social engineering!  Put together by an awesome crew including Dave Kennedy who is the creator of the Social Engineer Toolkit (SET).  Check it out!  Really good stuff! http://social-engineer.org/

Malwarebytes is a site dedicated to fighting malware. Malwarebytes has developed a variety of tools that can identify and remove malicious software from your computer.

Here are the topics covered and show notes:

• Interview with Tony Macisco who is a physical security expert.  He has a impressive resume working for the Department of Homeland Security. US Customs and a large financial institution.  If your looking for someone that knows physical security, Tony is your man.  Connect with him on LinkedIn!
• Matt talks about cracking passwords with CUDA video cards and why cracking passwords with video cards is incredibly faster then traditional methods.  CUDA FTW!
• Want to crack passwords with a CUDA supported card?  Check out Pyrit which allows you to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time-tradeoff.  Pyrit also hooks into CoWPAtty.  If you want to brute force MD4/MD5 or NTLM check out CUDA Multiforcer (noted as the worlds fastest password cracker).  If you want a setup for CUDA that works out of the box, check out Backtrack 4…CUDA support is built in!
• Sharing files on a social network might be the end of the world
• POKENS. What are they? Are they secure? Will they catch on?  We have some Pokens for prizes thanks to PokenZoo.com!  See Dave or Chris at Ohio Linux Fest this weekend to find out how to win one!  Congrats to Paul from PaulDotCom Security Weekly for winning a Poken during our live show!
• Want to know how Pokens work and related security?  Check out this really awesome, detailed article created by Didier Stevens.
• Did you know we have a t-shirt design contest?  Neither did we!  Send your ideas to feedback[aT]securityjustice.com and you could win a Poken and MORE! (we just don’t know what “more” is yet)
• What is a Makerbot?  We have a good discussion about basic hardware hacking and hackerspaces…we also wonder why we still don’t have one in Cleveland..<sigh>
  
• Go to MiniSoOnCon! It’s only a 3.5 hour drive from Cleveland.
• Ignore the “hawt chick” on the Security Justice Twitter account (and the base64 encoded messages).  We are not part of a Twitter botnet! Srsly.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Special Announcements:
We will be podcasting at the Ohio Linux Fest with dualCORE! September 25-27th
If you near the Cleveland, Ohio area check out the Information Security Summit October 29-30

Website Plug(s) of the Month:

Irongeek.com
The source for security videos on tools and more! (just don’t look at the robots.txt file, k?)
SocialMediaSecurity.com
New website dedicated to the security and insecurity of social media.  Join the volunteer mailing list to help out!

Here are the topics covered and show notes:

• DEFCON 17 Updates! Pics are posted! Also more stuff on our Facebook fan page.
• BSides in Vegas was awesome
• Cliq locks owned
• New SSL Vulns
• Hacker Pyramid, check out the pics!
• Sky talks
• Podcaster Meetup at DEFCON, we were there..with lots of debauchery
• ATMs haxed
• Great guide with real pictures of multiple ATM skimmers..some really hard to detect
• Zombies ate your brains! Tom and Kevin’s video is up.  If you missed us at DEFCON, we are doing it again at OWASP AppSec DC in November.
• Goatse Lasers
• Oracle Pwned
• Good stuff about “anti-sec”
• Twitter botnet? We told you so…
• On the big breach(s) (Heartland/Hannaford/etc.)
• TSA “Training”
• Social Engineering Framework soon to be released by Dave Kennedy..stay tuned!
• Sockington…the most popular cat on Twitter! Now you can follow Jason Scott’s cat!
• We want t-shirts!! Send your ideas to feedback [at] securityjustice.com.

Open Discussion Topic: The term “hacker”.  What does it mean and why does the media focus on the negative aspects?

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Opening intro by RBCP from Phone Losers of America…please don’t hate us PaulDotCom crew!  We really do love you guys! Music provided by dualCORE!  Thanks to everyone listening to the live stream and for participating in the chat via IRC.

Podcaster Meetup details @DEFCON 17: Tom, Chris and Matt from Security Justice will be at the Podcasters Meetup once again live from DEFCON!  It’s going to take place Saturday night @8pm in Skyboxes 207 and 208.  Even if you won’t be at DEFCON you can listen and watch the podcast live via ustream!  The Podcasters Meetup is sponsored by SquareSpace (use coupon code “defcon” for 10% off the lifetime of your account) and Astaro.  We will post more details as we get them but check out the Podcasters Meetup website for the latest details.

Website Plug of the Month:

dualCORE Music – Get the latest album from dualCORE “Next Level” for only $10! Check out the awesome video preview here.

Here are the topics covered and show notes:

• Lots of epic FAIL with getting the stream up this time…
• HurricaneLabs Hack Challenge Recap.  Special thanks to the guys at HurricaneLabs for hooking us up with space to record…and the special configs to allow us to Skype!
• Tom speaking at DEFCON 17 with Kevin Johnson “Social Zombies: Your Friends Want to Eat Your Brains” 4pm Sunday
• You must go to Hacker Pyramid!  Win 10,000 cents!
• Other talks to see at DEFCON: RogueClown, “Hackerspaces: The Legal Bases”…James Arlen and Tiffany Radd, “Your Mind: Legal Status, Rights and Securing Yourself”
• Intuit support FAIL Twitter story…Twitter can rock for customer support.
• dualCORE interview with int0x80 and his hacker girlfriend…oh, and we like turtles!
• Check out the new Cincinnati hackerspace, Hive13.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Special Announcement: Tom and Chris from Security Justice will be at the Podcasters Meetup once again live from DEFCON 17!  Even if you won’t be at DEFCON you can listen and watch the podcast live via ustream!  The Podcasters Meetup is sponsored by SquareSpace (use coupon code “defcon” for 10% off the lifetime of your account) and Astaro.  We will post more details as we get them but check out the Podcasters Meetup website for the latest details.

Website Plug of the Month:

The new and improved Carnal0wnage blog! Chris Gates and Valsmith (Attack Research) have combined forces. Check out this awesome security and penetration testing blog!

Here are the topics covered and show notes:

• The SJ Crew get’s $2.50 + a virtual beer in sponsorship! w00t!
• dualCORE is releasing a new album!  More details coming soon…
• Interview with James Arlen (@myrcurial) went awesome!  Will be released as a special edition once Dave fixes the audio.
• Tom is speaking at DEFCON 17 with Kevin Johnson- Social Zombies: Your Friends Want To Eat Your Brains
• Matt’s super secret zombie night, DEFCON party invites and “Sushi Deployed!”
• Northeast Ohio Information Security Forum update
• SIEM Implementation: Real World Pitfalls to Watch Out For by Michael Buckwell
• WiKID Commercial Open Source Two-Factor Authentication by Matt Yonchak, Hurricane Labs
• (your monthly web2.0 security update….ha) Short URL service Cli.gs hacked and 2.2 million URLs affected
• Yes, there are dangers to short URL services! *gasp*
• Before getting into our open discussion..we recommend you listen to the IBM Fight Song.  Yeah, srsly!

Security Justice Open Discussion: Hacking the dinosaurs!  Breaking AS400, PBX/VM systems and more! (20:42)

• General IBM hacking tips (If you want to go after mainframes or iSeries/AS400 you will need a TN3270 client)
  IBM Redbooks – Required resource when looking at any IBM product
• Hacking iSeries/AS400 (Commonly referred to as midrange systems.  AS/400 are NOT mainframes!)
  Good book on this called “Hacking iSeries” by Shalom Carmel and his whitepapers.
  Stankdawgs Hope5 AS/400 Talk – AS/400: Lifting the veil of obscurity.
  Be sure to check for default accounts and passwords Commonly have SMTP XPND and VRFY enabled which makes account enumeration easier.  Most have a modem attached for remote diagnostics. Sometimes can be insecure. Same thing goes for accessories such as drive arrays.
• Hacking Mainframes (often a critical system so tread lightly)
  Keep in mind a “Test” mainframe might just be an LPAR (Logical Partition) off the production system. So disruptions to the “test” system could impact production.
• General penetration testing tips
  Users manually sync passwords – If you get a users password from another system try it on the target system.
  Clear text protocols abound. MITM attacks can be your friend. Just don’t take the companies mainframe offline, they probably need that.
• PBX/VM
  Check for default usernames/passwords on voicemail and phone systems and never under estimate wardialing!
  PBX’s often run UNIX-based OS’s
  PBX’s tend to be treated as “appliances” which is a fancy way of saying “we’re not going to patch it”
• TANDEM Security
• Crusty UNIX
  Older AIX versions use crypt() for password hashing, and only support 8 character unsalted passwords.  It will let users set longer passwords, it just only uses the first 8 chars!
  Telnet, rhosts, rlogin, rsh are all commonplace on older big iron UNIX
  Clustered UNIX boxes work by allowing password-less root login between each cluster member.  This can happen over SSH, but often happens over telnet, rsh, rlogin, etc.  Some vendors even still reccomend this!  Own one box, own them all.  Even better, spoof one of the hosts (easy for rtools) and you have root.
• HVAC Systems
  Some connected via modem, others on the network.  Default credentials almost guaranteed bacause they are usually set up by non-security aware HVAC mechanics.  Newer web based management consoles give you full control of the HVAC system.  Use caution when pentesting HVAC systems as messing with these can cause human safety issues!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Website Plug of the Month: Liquidmatrix Security Digest is a fantastic security blog/news site.  Created by Dave Lewis (@gattaca) with guest posts by James Arlen (@myrcurial, creator of the term “cyberdouchery“) , Security Intern (@Securityintern), Matt Johansen (@mattj) and Zach Lanier (@quine).

Here are the topics covered during the podcast and show notes:

• Notacon 6 recap!
• Become our fan on Facebook…it’s a real Facebook page, not designed to pwn you.  We promise!
• Northeast Ohio Information Security Forum update
• New School Man-in-the-Middle
• Finding and detecting Malicious PDF’s. Tyler’s Snort signature. Didier Steven’s fantastic PDF analysis tools.
• Your deleted Tweets are not deleted
• Interview FAIL – You never know who is watching or listening!
• Chris’ adventure with his Dell Mini9
• Census GPS-tagging your home’s front door
• Security Justice Open Discussion(s): Security certifications/training, Microsoft pirated software..not helping the patching problem?  Interesting Apple Mac discussion…Apple security research, patches, iPhone presenter FAIL and more!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Website Plug of the Month: Check out a new security podcast called Exotic Liability.  Hosts are Chris Nickerson, Ryan Jones and DJ Jackalope.  You may remember Chris and Ryan from the Tiger Team TV show.  We actually did a special edition podcast with Chris last year.  Good stuff…be sure to check it out!

Here are the topics covered during the podcast and show notes:

• June 22-26 ISC2 will be in Cleveland, Ohio offering a CISSP Bootcamp at Corporate College East.  Registration info is here.
• Speaker Recap – NEO Infosec Forum
• Buffer Overflows – It’s not as hard as you think by David Kennedy, SecureState
• Want to take an awesome class on writing exploits?  Check out the Cracking the Perimeter course offered by Offensive Security.
• Karmetasploit and Jasager – by Matt Neely, SecureState
• Verizon 2009 Data Breach Report Released
• Twitter StalkDaily Worm Postmortem
• Targeted Blackhat SEO Attack against Ford Motor Co.
• Security Justice Open Discussion: Pentesting…Over Hyped? (New idea we are trying…15-20 minutes of open discussion on one hot topic in the security community.  Bitching, complaining, rants and more…anything goes!) Have a suggestion for the Security Justice Open Discussion?  Comment here or send it to us via email!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Website Plug of the Month: DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, and with the move to Open Security Foundation’s DataLossDB.org, asks for contributions of new incidents and new data for existing incidents.

Local in the Cleveland area and looking for Web Application Security training? Check out the great course by Dave Kennedy of SecureState offered at Corporate College East!

Here are the topics covered during the podcast and show notes:

• Speaker Recap – NEO InfoSec Forum
  Coding For Security by Mark W. Schumann, Top 10 Security Breaches of 2008 by Tom
• HD Moore Releases WarVOX Telephonic Security Research Tool
• Rogue Wireless Gets Sneakier
• How to get free wireless in airports and hotels IP-over-DNS or IP-over-ICMP
• The Interceptor released by @digininja
  The Interceptor is a wireless wired network tap. Basically, a network tap is a way to listen in to network traffic as it flows past.
• Diebold malware
• Breaches of the month!
• djbdns pays out
• Security Metrics
• Infragard update
• Chris talks about the Mac Hackers Handbook
• Notacon interview with Froggy!  Don’t forget about Notacon 6!  Chris, Tom and Matt are all speaking!  Security Justice will also be doing a bunch of live stuff with Notacon radio this year.
• Torrent Search – Bit Che searches 60 popular torrent sites
• NSA offering ‘billions’ for Skype eavesdrop solution
• BlueScanner – Bluetooth Scanner for Blackberry Storm
• Mormons demand ICANN plugs net smut hole? what? srsly?
• iWobble for iPhone (possibly NSFW).  Yeah, lots of possibilities…
• iPhone vs. Blackberry Storm. iPhone wins.
• Destroying mobile phones with liquid..even a 1990 Motorola StarTac!
• Dave Kennedy can drink beer…fast.  Really fast!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Website Plug(s) of the Month: A local Cleveland startup called iGuiders is looking for beta testers that work in Information Security!  The Information Security Guider is live and ready to be tested.  Check out the the iGuiders website and watch a quick tutorial on what this Guider is all about.  Your feedback is requested!

Local in the Cleveland area and looking for Web Application Security training?  Check out the great course by Dave Kennedy of SecureState offered at Corporate College East!

Here are the topics covered during the podcast and show notes:

• Notacon 6!  Chris, Tom and Matt are all speaking!  Security Justice will also be doing a bunch of live stuff with Notacon radio this year.
• Shmoocon update! Matt and Tom talk about some of the great talks.  Chris knows how to “brute force” high security locks.  Tom talks about roaches.  Yum!  Don’t eat at Trattoria across the street from the Wardman Park Marriott.  Seriously.
• We posted pictures and videos from Shmoocon.  Hey…where is the hackerspace in Cleveland?  The one that HacDC has is really impressive.
• Reminder: Don’t use hotel kiosks or ATM’s in the hotel during a hacker conference.
• Some updates from the NEO InfoSec Forum February meeting.
• phpbb hacked via third party application.  Don’t forget about third-party apps installed on a web server!
• The Middler is released!
• JanusPA Hardware Privacy Adapter now available.  Check out the JanusVM…route your traffic through Tor/Privoxy in a VM…sweet!
• Chris gives the fastest news update…ever.
• Backtrack 4 released.  Check out this guide to install it on a USB drive with persistent changes.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

• Website Plug of the Month: Sick of teaching your friends and family about PC security issues?  Send them to The Academy Home!  They have great videos showing installations and configurations of security products and a lot of other great content.  We recommend the cool video on how to install and use KeePass, a fantastic open source password manager.
• Tom, Dave and Matt will be at ShmooCon!  Dave is speaking…so let the Shmoo Ball Cannon carnage begin!  Full details on Security Justice at ShmooCon are here.  Join us at the Podcaster Meetup!  We might be renting out Dave’s Shmoo Ball Cannon to support the EFF at ShmooCon.  Stay tuned for the announcement!
• Payment Processor Breach May Be Largest Ever
• Security at Obama inauguration is tight and high-tech
  
• Throw your hard drive away, Google’s Gdrive arriving in 2009.  All your data is going to the “cloud”…
• Twitter haz been hacked…Tom and Dave talk about it on SecuraByte 5
• Looking for good security podcasts focused on security awareness and business? Checkout The Streetwise Security Zone and The Security Catalyst
• Matt tells us what DECT is and the about the DECT presentation at CCC
• Matt’s magstripe analysis blog series.  Part 1 and Part 2.
• Chris tells us about penetration testing without your toolbox
• New massive Oracle patch release.  Oracle hacking via Carnal0wnage.
• MD5 and rouge CA’s.  200 Playstation 3′s were used not 200 Wii’s!
• Mystery girl hijacks the podcast and says we are a “think tank”.  Dotzero interviews her and Tom argues the merits of the Playstation 3.  She asks some good security questions!  Sorry SecuraBit crew…shes ours.
• Angela our waitress is a geek.  More from her next episode!
• Check out the new videos on our YouTube channel.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Trivia Contest Details
For this episode we did a special holiday “dual” live podcast with SecuraBit to win a copy of the new Nmap Network Scanning book and a $25 gift card to Chili’s/Macaroni Grill/Maggiano’s Restaurants.  There were two trivia questions you needed to answer.  One was given on SecuraBit Episode 17 and the other on Security Justice Episode 8 (and during the live podcasts on December 17th).  Listen for the first trivia question on SecuraBit Episode 17 and the second trivia question on Security Justice Episode 8.  Send your answers to feedback[aT]securabit.com.  The first listener to correctly answer both questions will win both the book and the gift card.

Here are the topics covered and show notes:

• Penetration Testing Dead in 2009? Many don’t think so (including us).  There are lots of different opinions.
• Dave’s Shmooball Cannon test fire!  See what happened to Bruce Potter at Notacon this year!
• Core Impact Essential and new XSS/Blind SQL Injection modules
• Secure State SQL Injection Tool released at Defcon
• The story of the fired accountant…resetting the domain admin account in a Windows Server 2003 domain.  Use the ophcrack livecd to get the local admin account on the domain controller first.
• Did you check out the new VMware vCenter Converter? It’s really cool! Correction..Tom actually converted several Windows boxes to VM’s..converting Linux is not supported *yet*.
• Chris provides details of his experience with the TSA and “security theater”.  He observed with pictures.
• Chris and his SANS DC class.  Anyone want to be a SANS instructor?  Chris tells you how and what SANS requires.
• Dave talks about his new Asus EEE PC.  Here is a great guide done by @kriggins to install Backtrack 3 to USB/SD with persistant changes.  How to install XP to an SD card.
• Dave got his Fon router…shout out to Hak5 for the idea!  Dave is looking for something other then a pineapple…perhaps a lamp?
• New IE 0day.  Out of band patch released!  Awesome article on how the vulnerability works and is exploited.  Thanks to @geekgrrl for the link!
• Greg on the impact of malware
• Check out this blog post if you want to know what all the hype is about Christmas Ale here in Cleveland!

Stay tuned after the podcast for some special holiday tunes and outtakes.  Leave feedback by commenting below or via Twitter.  Happy Holiday’s from Security Justice!

• Speaker recap from the Northeast Ohio InfoSec Forum
• PCI Fact or Fiction or Why Compliance is Not American by Bill Mathews, Lead Geek, Hurricane Labs
• Malware Analysis Competition by Tyler Hudak & Greg Feezel…Results released!
• New WPA cracking technique and WEP is even easier to crack!
• Exploit-MS08-067 Bundled in Commercial Malware Kit
• Metasploit 3.2 Released
• Cool stuff to install on your iPhone
• Software program duplicates physical keys…without the key
• Social Network Anti-Patterns
• Lotus Notes sux…If you use or have used Notes, check this out!
• New Facebook phish
• Facebook Launches Registration for Application Verification Program
• LinkedIn adds applications…becomes more like Facebook/MySpace. Let’s not forget OpenSocial was hacked in 45 minutes!
• Default r00t access on your Android G1 phone, thanks Google!
• Extortion used in Express Scripts database breach
• Shut down of EST Domains and McColo
• White House Networks accessed by Chinese Hackers?
• A radioactive cheese grater at landfill points out toxic dangers from Chinese products
• Shut down blogs.pi.edu
• Kevin Mitnick detained, released after Colombia trip
• Some discussion about the old “Hackers” movie.  Matt is really “Zero Cool“, (you didn’t know?) and Angelina Jolie (Acid Burn) was really not that hot in the movie (Tom’s opinion…).  What’s the true story behind Emmanuel Goldstein a.k.a. Cereal Killer?
• If you really want to know what “Lemon Party” means (NOT recommended)…then search for it on your own if you feel like you must.  Lemon Party is NSFW! We will not be responsible for your eyes burning!  You have been warned!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

• Ohio Linux Fest Recap. Pictures posted here.
• Greg Feezel from the Ohio Information Security Summit
• Malware Challenge update
• Speaker Recap – NEO InfoSec Forum
• Information Gathering with Maltego – Tom Eston
• Protecting website users from each other – Brian Shura
• Facebook dataset released.  How anonymous is it?
• Elcomsoft Claims WPA/WPA2 Cracking “Breakthrough”…not really
• What’s on your Simcard? Check out Larry Pesce’s Simcard Forensics Presentation
• Scammers introduce ATM skimmers with built-in SMS notification
• OWASP NY update.  Videos now online!
• Chris Nickerson special edition recorded…ready to launch.  Check out Chris in the latest issue of Information Security Magazine (page 56).
• Oops, teacher mistakenly messages cop for pot buy
• Conspiracy Goes Mainstream: CNBC’s Big Brother, Big Business
• RoboDump 1.0
• Encrypt your Ubuntu 8.04 installation…It’s easy when creating a fresh install and with a separate “snapshot” volume
• McCain burps like Quagmire? hmmm….
• Yes, Matt is getting married! Congrats to Matt!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

• We have stickers! W00t!  They will be distributed at OWASP NY and Ohio LinuxFest.
• Tom and Dave will be podcasting live at the Ohio LinuxFest on October 11th.
• NEO InfoSec Forum Speaker Recap…
• Showing Up Uninvited: 4 years of being the bearer of bad news by Ryan Macfarlane
• SANS Virtualization Summit Briefing by Tom Evans
• What’s Tom up to?
• Dan Kaminsky chimes in…you can now get all the Dan you want, anytime!
• Sarah Palin’s Yahoo Email Account Hacked.  Full details here.
• Google enters the Browser Wars with Chrome.  Vulnerabilities already found.
• United Airlines Stock Crash (Sherri Davidoff/philosecurity)
• Malware Challenge officially released!  The contest begins October 1st!  Winners announced at the Ohio Information Security Summit.
• Tyler talks about stupid botmasters
• Dumb but funny picture – Opens you up for an attack
• Big Brother wants every single e-mail, text
• Real punishment: Russian Viagra spammer murdered
• Killer app: Game consoles contain hazardous chemicals
• Tom’s Tech Segment- Dradis: Information sharing for security testers
• Dradis installation notes on Ubuntu.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  The next live podcast will hopefully be broadcast over Hak5 radio!  We will post/tweet about the next live audio stream.  We can also sometimes be found in our IRC chatroom at irc.freenode.net #securityjustice.  Thanks for listening!

• NEO InfoSec Forum Speaker recap…
• Mitigating Phishing through Email Authentication: SPF, SIDF, DK, DKIM, SSP and ADSP
• Matt solidifies our “explicit” rating and Tom talks about his childhood fantasies of Carrie Fisher in her Slave Leia outfit.
• Hacking Without Tools Part 1: Linux/UNIX
• Tom’s Black Hat/Defcon recap (talk recap, sexyhacking.com girls exposed, Hofbrahaus beat down, Gringo Warrior, parties with Chris and Jay from Securabit and others, our one fan becomes Tom’s bodyguard and more…)
• Defcon storytime with dotzero: Swag whores, Bunnies for priest and priests’ balls…it’s not explicit…honest!
• High level security pro’s being targeted
• Lock vulnerabilities released at Defcon, Hope and Blackhat
• Matt talks about creating a medecoder
• New information gathering attack against Axis cameras
• Tyler talks about recent CNN/MSNBC malspam
• Dave talks about “diversion safes” and the TSA searching through your dirty clothes (yuck)
• You want to see the lettuce safe! (scroll down to the middle of the page)

Stay tuned after the podcast for some classic SJ bloopers.  Please send show feedback to feedback [aT] securityjustice.com or comment below.  The next live podcast will be broadcast over Hak5 radio!  Stay tuned for an announcement of our IRC channel as well.  Thanks for listening!

• Speaker Recap – NEO InfoSec Forum
• NEO InfoSec Myth Busters: Is Personal Data Stored on Hotel Keys? Using Magstripe Analysis Tools to Discover the Answer by Matt Neely, SecureState
• Unetbootin, FreeSBIE, miniBSD
• CF cards and photo booth hacking
• Massive DNS vulnerability
• eWaste and China
• New low budget independent hacker film: Insecurity
• “Hackers are people too” premier at DefCon 16!
• WarGames 25th Anniversary
• “Sexy Hacking” (Thanks to PaulDotCom for finding this site! WARNING: NSFW!)
• Sexyhacking.com censorship FAIL! (Blog post by McGrew Security)
• Moan My IP…also NSFW!
• Bill Gate’s enjoys the same issues as the rest of us
• Audience magstripe results
• WSUS issue mentioned by Dave

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Stay tuned for announcements on special edition podcasts that will be recorded before our next monthly podcast.  Thanks for listening!

• Welcome and what is Security Justice drinking?
• Web site launch
• Mavis Winkle’s Network Night
  
• Dual Core latest album (correction from the podcast…album is called “Super Powers“)
• Speaker recap from the Northeast Ohio Information Security Forum meeting
• Announcement about special edition podcast with Dave Kennedy of SecureState (Fast-Track developer for Backtrack 3) coming soon!
• Online Social Networks: 5 threats and 5 ways to use them safely
• Evolved Badware, Joe Kovacic from ITSoftware
• Security Hot Topics
• Verizon Data-Breach Study
• Updated ransomware (correction…that’s a 1,024-bit key!), malware that takes control of your router via default passwords
• Beer break!
• Stumbling upon security issues and vulnerability disclosure
• Dave comments on the 2003 blackout
• Stupid human tricks seen by Dave and Tom
• Audience participation!

Please send show feeback to feedback@securityjustice.com (might not work yet) or comment below.  Stay tuned for announcements on special edition podcasts that will be recorded before our next monthly podcast.  Thanks for listening!

• Introducing the Security Justice team
• Dave talks about social engineering
• Tom talks about recent website hijacks (Comcast, Metasploit.com)
• Phone Losers of America – Voice Authentication
• Matt talks about his voice authentication research
• Interesting local ATM theft and other ATM goodies
• What’s up with these Chinese hackers? Hackers on an island?!?
• Chinese hackers pwn Dave’s watch…
• Picture frames used for hacking
• Projects and research Security Justice is working on
• Shout outs to PaulDotCom, Hak5, Securabit, and thanks!

Music for Security Justice is provided by Dual Core! Check out Dual Core for some of the coolest nerdcore music around!

You can listen to the podcast right from this web site by clicking the “play” button below…or download our podcast into any podcatcher (iTunes, Podnova, Odeo, etc…) via our FeedBurner feed.

Next podcast will be recorded live at Mavis Winkle’s Irish Pub in Independence, Ohio right after the Northeast Ohio Information Security Forum on June 18th. Come on out for some great brew and join our live audience!