Episode121

From Security Weekly Wiki
Jump to navigationJump to search


Sponsors

Core Security

This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.

Tenable

This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!

Astaro

Astaro offers the most complete and easy to use Internet security appliances available. The products combine best of breed applications, the proven quality of Linux and enterprise level performance, providing the latest protection with the best total cost of ownership. All products are available as software, hardware or virtual appliances, which allows users the flexibility to meet a wide variety of deployment scenarios.

One of the best things about Astaro is that it offers its products completely free for home use. All enterprise features and all subscriptions, including virus scanning, web content filtering, email filtering and VPN clients, are available in the home license for no cost. All you have to do is visit www.astaro.com, register, download the software and obtain the key, which protects up to 10 IPs. There are no sales people to talk to, no payment information to enter—it’s just free. Again, visit www.astaro.com for more information or to download the product and free home user license.

Announcements & Shameless Plugs

Live from the PaulDotCom Studios Welcome to PaulDotCom Security Weekly, Episode 120 for August 28st, 2008

Welcome to PaulDotCom Security Weekly, a show for security professionals, by security professionals.

"I met you yesterday at SANS and was wondering if you could help me promote my mentor session of SEC508 starting on September 23rd. If you could forward this invitation onto your network of contacts, that would be awesome." - Evan

Listener Feedback: Listener Scott Is Evil

"Sorry if you spoke about this, but I'm still catching up on your shows. I'm not an expert on how the browser and SSL works, but I worry about this being true. Also, if this works, I'm a little hesitant to mention this because it could be used. I was wondering about using the DNS vulnerability to hijack domains. I hear a lot of people saying people can't hijack SSL secured domain because the certificate wouldn't validate. Well I can see that you can't spoof the root certificate authorities because the certificates are preloaded in the browser. However, can someone get a certificate able to issue other certificates from a trusted root certificate authority and then sign the phony paypal.com web page with it. This way when my browser goes to the phony paypal.com website, it will tell my browser it was signed by "evilCA.com", then my browser should check to see if "evilCA.com" is valid, and it would pass because it was signed by a root CA. So by browser should be happy and not even alert me anything is wrong and give me an SSL pad lock, maybe even an extended certificate, if you can issue those from a normal cert (because I doubt bad people would front a business for an EV cert). Is this how the browser chain of trust works? What did I miss to prevent people from doing this? Thanks and I promise to catch up on all the past shows. Scott"