Welcome to Security Weekly, Episode 138 for January 29th, 2009. A show for security professionals and by security professionals who have way too much access to beer. and computers. and maltego.
* [http://twitter.com/geekgrrl Melissa on Twitter AKA @Geekgrrl] - Self described "Introvert. Geek. Christian. Wife. Admin. ..." and now contributor to the PaulDotCom Sweeper madness!
* [http://securityweekly.com/upcoming-events.html PaulDotCom Upcoming Events] - Security webcast galore and the PaulDotCom weekly planner on all PSW events.
* '''Shmoocon!''' - new and improved formula with a PaulDotCom booth, live webcast and shmooball target practice! Also, hear Larry and Dave Lauer speak on building Shmooball launchers [http://www.shmoocon.org/presentations-all.html#shmooball in Washington DC Feb 6]
* [http://www.hacknaked.tv HACK NAKED TV] - Hack Naked TV! Episode 1 and 2 are out. Look for more goodies here!
* PaulDotCom SANS Click-Through - Go there, register for some of the best training available! Go now or we take the shmooball cannon off of 'stun' mode.
* Register for SANS [http://www.sans.org/info/33899 Security 560: Network Penetration Testing and Ethical Hacking]
* [http://www.sans.org/saskatchewan09_cs/description.php?tid=2397&utm_medium=podcast&utm_content=affiliate_link1&utm_campaign=PaulDotCom&ref=2071 SANS Saskatchewan] - Larry is teaching the 6 day wireless track (SEC 617) in Regina on March 23 - 28, 2009. Come help keep him warm!
* One Shmoocon ticket donor asked us to mention the SANS class [http://www.sans.org/training/description.php?tid=3032 SEC606 - Data and Drive Forensics]
* Best Of Webcast Series - Part I - Best Of Network Penetration Testing Tools - [http://forum.pauldotcom.com/viewtopic.php?id=179 Get the slides and listen to the archived presentation here]
** ''Best presentation I've seen all year!'' - hevnsnt, [http://www.i-hacked.com www.i-hacked.com]
[http://www.news.com.au/story/0,27574,24964224-401,00.html Social Engineering To Become A Police Officer]
[http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/526989288/compliant-0wned.html 0wned By Compliance] - [PaulDotCom] - Anton goes through some seemingly realistic scenarios as to why/how a merchant can be 0wned, even if PCI compliant. Yes, PCI still has merit as a "Standard", but this does not mean they are secure. I think this is where people go wrong, PCI, in my opinion, just proves that you are doing some stuff in the name of security. This is important when companies want to work together, they can ask, "Are you PCI compliant" and have some sense that they are implementing security. Or are they? Anton points out it depends on who is doing the audit, anyone can walk in and ask "Do you have a firewall?", answer: "yes". Reminds me of a story about a firewall with two holes in it, through which an Ethernet cable was being passed, therefore all traffic was "going through the firewall".
[http://www.padjack.com/main/page_home.html PADJACK, really?] - [PaulDotCom] - I hate to rip on companies. I believe in hard work and a free market, and I like to think that in every company there are honest people working their butts off. However, I'm going to go out on a limb here and say, wow this is stupid. My bet, Larry can bypass this in about 5 seconds and gain access to the port. This is just the wrong way to approach the problem. A piece of plastic is not going to stop an attacker, it may slow them down for a few seconds, but does not provide enough security to make it worthwhile.
[http://usefulfor.com/security/2009/01/30/dradis-v2/ Dradis v2] - [Larry] - Dradis is a tool (linux) used for sharing information across multiple folks on a pen test. Looks pretty cool, and I'm going to check it out. We've talked about using a wiki for this in the past, but it can easily get overwhelmed with disorganized information. Dradis features a nice hierarchical structure that may work for some people.
[http://isc.sans.org/diary.html?storyid=5761&rss USB Drive Threat & Solutions] - [PaulDotCom] - It's no question, there are threats that USB drives pose to your organization. I like to use the Coke example. Coca Cola has the secret recipe to its famous Coke soda. It's locked away somewhere in the Coke factory. For the purposes of this example, let's say that it's on the network somewhere, and not just written down on paper. You can train the users all you like, someone is going to plug something into the computer that could steal the coke recipe, or be used to make a copy of it. The solution? There is software on the market that will limit which devices you can plug into your systems in the domain. I won't mention vendors, you should evaluate all the options and make a decision for yourself. The one I tested worked well, provided you were not admin on the machine. The software does limit the USB pen testing scenario we talk about, however to steal something make sure there is no CD-Writer in the machine :)
[http://www.dallasnews.com/sharedcontent/dws/news/localnews/transportation/stories/013009dnmetzombies.1595f453.html Zombies ahead!] - [Larry] - Nice job to the i-hacked guys. Beware, Zombies! They illustrated how to change the output on those traffic signs on the side of the road, which was incredibly easy to change (go figure, they need to be usable by a diversely educated crowd). I find it amusing that now Texas (and allegedly the country) is "scrambling" to secure these devices. Looks like in the past the default passwords were left, slightly changed, or written inside the boxes. Texas DOT claims the boxes were locked, but how many of us think that it is true? How easily are padlocks bypassed? I think what this really boils down to is the total commitment to apathy on security in other fields...if they didn't want this stuff messed with, you should take steps to make it "un-messable".
* Man in the Middling Everything with The Middler, Jay Beale
* Building Wireless Sensor Hardware and Software, Travis Goodspeed and Joshua Gourneau
* Storming the Ivy Tower: How to Hack Your Way into Academia, Sandy Clark (Interesting, I gave a similar [http://www.pauldotcom.com/owning_academia.pdf presentation] a loooong time ago. Go easy, it was a looong time ago and it well, okay it kinda stinks, but some cool stuff in there still, I think).
Best talk title: 802.11 ObgYn or "Spread Your Spectrum", Rick Farina
[http://www.indepthdefense.com/2009/01/i-know-where-you-live-or-at-least.html Youtube and Geotagging] - [Larry] - I had the pleasure of chatting with Mark about this one. Mark's been doing some research with google and youtube and the geotagging of the videos. It seems pretty random where the geotagged data comes from, but we're both betting that some folks know how it got there. Mark's method is great for taking the youtube ID and tracking it to a location. Mark thinks he might know where a few internet celebrities live. Hello Obama girl!
[http://feeds.feedburner.com/~r/AndyItguy/~3/526304717/ 25 Random Reasons I Won’t Tell You 25 Random Things About Me] - [PaulDotCom] - So I read this article earlier in the week, and thought "Wow, that's a wicked stupid idea, why would people put 25 things about themselves online?". Then I got home and my wife was telling me about other people that had done this. She knows better, then said she did one and put all sorts of personal information about us on it. Then I got mad, then she laughed because she was only kidding :) Seriously folks, this is stupid, and furthermore nobody cares. I've been told some people have mentioned their bad password habits in the list! Something like, "I always use the same four numbers based on my birthday for my pin number". WHAAAT!
[http://www.damnvulnerablelinux.org/index.php/eng/Damn%20Vulnerable%20Linux%20Distro/Damn%20Vulnerable%20Linux/Download%20Mirrors%20and%20Torrent%20for%20Damn%20Vulnerable%20Linux%201.5%20(Infectious%20Disease) Damn Vulnerable Linux 1.5 is out!] - [Larry] - DVL is a great way to put a system in your lab that you can test against. It has plenty of holes so you're almost guaranteed a successful compromise.