July 2006 Archives

Live from the Core Security Technologies offices in Boston, MA, we are proud to bring you an exclusive interview with CTO and co-founder Ivan Arce.

Paul and Larry discuss many topics with Ivan:

  • How Ivan got started in computers and computer security
  • Vulnerability disclosure
  • The future of penetration testing
  • Exploiting the client, and new research in this area
  • New features in Core Impact, a penetration testing framework
  • And much more!

Hosts: Larry Pesce, Paul Asadoorian
Email: psw@pauldotcom.com

Direct Download

(Bandwidth provided by OSHEAN)


PaulDotCom Security Weekly - Listener Feedback - Episode 1


Live from the PaulDotCom Security Weekly Studio....

In this first episode Paul, Larry, and Twitchy take on listener questions and feedback. Be certain to send us your questions!

Skype: pauldotcom
Phone: 401.369.9820

Hosts: Larry Pesce, Paul Asadoorian, "Twitchy"
Email: psw@pauldotcom.com

Direct Download

(Bandwidth provided by OSHEAN)


PaulDotCom Security Weekly - Episode 37 - July 27, 2006


Live from the PaulDotCom Security Weekly Studio....

This episode was also broadcast over our Icecast server. Details will be announced in our IRC chatroom #pauldotcom on Freenode (irc.freenode.net) and on the PaulDotcom blog.

Hosts: Larry Pesce, Paul Asadoorian, "Twitchy"
Email: psw@pauldotcom.com

Direct Audio Download
No Video This Week, we are working on the next episode, hoping for an August release.

(Bandwidth provided by OSHEAN)


PaulDotCom Security Weekly - Live From Las Vegas!


We are so excited to be able to put this event together for our listeners! We will be doing a live recording of PaulDotCom Security weekly, here are the details:

Where: SANS Network Security 2006, Las Vegas, Nevada
When: October 3, 2006 5:30PM-7:00PM
Who: Paul, Larry, and.....TWITCHY!

We are still working out the details, but you can check the official SANS conference web page for updates. We plan to have beer, an open mic, and a good time! So, if you are in the area or going to SANS make sure that you come check us out.

We will have boatloads of free stuff, including the new Official PaulDotCom Security Weekly T-Shirts. Here is a sneak preview:

Official PaulDotCom Security Weekly T-Shirt - Front
Official PaulDotCom Security Weekly T-Shirt - Back

Hope to see you there!

Paul.com

Security Round Table Episode 3 Released


Many other security professionals and I get together every couple of weeks and do a podcast called Security Round Table.

In episode 3 I discussed vulnerability disclosure with the following crew:

Direct Download

You can also subscribe via iTunes.

Let me know what you think!

Paul.com

Podcast This Week - Cancelled


With everyone on vacation or at conferences we finally decided to take a week off. Many people in general also seem to be on vacation and enjoying the summer, so we thought we would too!

We will be back next week in full force, anticipating some cool stuff coming out at HOPE, Blackhat, and Defcon.

In the mean time, please send us your feedback/questions/comments to psw@pauldotcom.com. We have decided to start devoting entire shows to answering listener questions and topics for discussion, so send them along!

Also, feel free to leave us some voice mail at our Skype account "pauldotcom" or calling 401.369.9820.

See you all next week!

PaulDotCom Security Weekly Crew

PaulDotCom Security Weekly - Episode 36 - July 14, 2006


Live from the PaulDotCom Security Weekly Studio....

This episode was also broadcast over our Icecast server. Details will be announced in our IRC chatroom #pauldotcom on Freenode (irc.freenode.net) and on the PaulDotcom blog.

Hosts: Larry Pesce, Paul Asadoorian
Email: psw@pauldotcom.com

Direct Audio Download
No Video This Week, we are working on the next episode, hoping for a July release.

(Bandwidth provided by OSHEAN)


Anatomy of a Pentest


I stumbled across this great "living" document that I'm calling an "Anatomy of a Pentest".  It is a great visual representation of all the steps one should think about when performing a pentest, with all of the most handy command line switches.  The author is taking feedback from the community on the document, and is updating it accordingly.

I just need to find someone with a plotter to print a couple of copies. 

- Larry

Anatomy of a Pentest

Ron over at SecurityCatalyst had a great posting on our responsibilities as security professionals.  He raises a great analogy that we should be like "brakes on an automobile".  To quote:

"Security allows the user (driver) to reach their goal (destination) in a safe, yet quick manner. If you (security professionals) and your customers (users) are doing it right, security should allow the business to go faster, have control, and reach their goals safely without crashing."

That is a fantastic analogy. Now of course, we as security professionals cannot act as that brake without significant buy-in from the company. Without that buy-in, this automobile has no brakes.

Thanks Ron!  Sometimes these creative analogies are what it takes to bring this stuff home.

- Larry

Being a good brake - Security as a stress reducer

Our well-respected peer Bruce Schneier has an interesting post about an article on the failure of two-factor authentication.

According to the article, phishers are using some new techniques to bypass the two-factor authentication that some banks are using for account access. The phishers are spoofing the bank sites elsewhere (as usual), and are including the fields for the token entry for login. When the unsuspecting user enters the token into the phisher's site, the site then contacts the real bank and presents the credentials as provided by the user - so if the token is wrong, they can present the spoofed error page until they get a correct one.

Pretty slick.

The article refers to this as a "man in the middle attack", and while I don't agree with that description (in the traditional sense), I think that it sums it up for the end user. 

Now, I certainly don't think that two-factor authentication is dead, but at least take a good look at how the whole system works. And now it appears that we need to account for these types of issues when designing two-factor authentication systems.

- Larry

Failure of Two-Factor Authentication

Here's a report of phishers defeating two-factor authentication using a man-in-the-middle attack.

The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

I predicted this last year.
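What the relay described above looks like in code, and one way a token design can account for it. This is an added example, not code from the article, from Schneier's post, or from any bank; the bank, the phishing site, the hostnames (bank.example, phish.example), the user and the secret are all constructed. The hardened variant assumes the user's client (a browser or software token, not a display-only keyfob) can mix the hostname it is actually connected to into the one-time code; that idea is not in the article and is shown here only to make the design point concrete.

```python
"""Relay phishing against one-time tokens, simulated offline.

Added example. Bank, phishing site, hostnames, user and secret are constructed.
"""
import hashlib
import hmac
import secrets


def token_response(secret: bytes, challenge: bytes, origin: bytes = b"") -> str:
    """Six-digit code from HMAC-SHA256(secret, challenge || origin).
    With origin == b"" this is an ordinary challenge-response token:
    the code is valid wherever it is typed."""
    digest = hmac.new(secret, challenge + origin, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    ORIGIN = b"bank.example"  # constructed hostname

    def __init__(self, bind_to_origin: bool):
        self.bind = bind_to_origin
        self.users = {}    # user -> (password, token secret)
        self.pending = {}  # user -> outstanding challenge

    def enroll(self, user: str, password: str, secret: bytes) -> None:
        self.users[user] = (password, secret)

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, password: str, code: str) -> str:
        rec = self.users.get(user)
        nonce = self.pending.pop(user, None)
        if rec is None or nonce is None or rec[0] != password:
            return "error: bad credentials"
        expected = token_response(rec[1], nonce, self.ORIGIN if self.bind else b"")
        if not hmac.compare_digest(expected, code):
            return "error: bad token"
        return "ok: logged in"


class PhishingSite:
    """Looks like the bank, forwards whatever the victim types to the real
    bank, and mirrors the bank's answer, as the article describes."""
    ORIGIN = b"phish.example"  # constructed hostname

    def __init__(self, bank: Bank):
        self.bank = bank
        self.captured = []

    def challenge(self, user: str) -> bytes:
        return self.bank.challenge(user)  # relay the real challenge

    def login(self, user: str, password: str, code: str) -> str:
        self.captured.append((user, password, code))
        return self.bank.login(user, password, code)  # relay, mirror the result


class TokenDevice:
    """The user's token. With bind_to_origin set, the code depends on the
    hostname the user's client is connected to (assumption: a software token
    or browser can know that; a display-only keyfob cannot)."""

    def __init__(self, secret: bytes, bind_to_origin: bool):
        self.secret = secret
        self.bind = bind_to_origin

    def code(self, challenge: bytes, origin: bytes) -> str:
        return token_response(self.secret, challenge, origin if self.bind else b"")


def run_scenario(bind_to_origin: bool) -> dict:
    """Victim logs in directly, probes the phishing site with a bogus
    password, then enters real credentials there. Returns what the victim sees."""
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    bank = Bank(bind_to_origin)
    bank.enroll("alice", "correct horse", secret)
    device = TokenDevice(secret, bind_to_origin)
    phish = PhishingSite(bank)

    # 1. Direct login at the real site.
    direct = bank.login("alice", "correct horse",
                        device.code(bank.challenge("alice"), Bank.ORIGIN))
    # 2. "Security-savvy" probe: bogus password at the phishing site.
    #    The relay mirrors the bank's error, so the fake site looks real.
    probe = phish.login("alice", "bogus",
                        device.code(phish.challenge("alice"), PhishingSite.ORIGIN))
    # 3. Real credentials at the phishing site; the client computes the
    #    code for the origin it is actually talking to: phish.example.
    relayed = phish.login("alice", "correct horse",
                          device.code(phish.challenge("alice"), PhishingSite.ORIGIN))
    return {"direct": direct, "probe": probe, "relayed": relayed,
            "captured": len(phish.captured)}
```

The phishing site never has to break the token; it only has to sit between the user and the bank while the code is still fresh, and mirroring the bank's error is exactly what defeats the "type something bogus first" test. Binding the code to the origin helps only when the binding is done by software that knows the origin: a code read off a keyfob and typed by hand is valid wherever it is typed.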

Top Five Security/Hacking Blogs


We mentioned these on the last show, but I wanted to make a posting that lists and describes each, in no particular order. I also wanted to say that this is not a list of our favorite blogs, per se, but a listing of blogs we most often pull stories for the show. We try not to talk about the news that everyone else is talking about, and the following resources give us the best material:


  • http://isc.sans.org/ - Sponsored and run by the SANS Institute, the ISC incident handlers do a fantastic job of summarizing the latest security trends, research, vulnerabilities, and exploits.
  • http://www.darknet.org.uk/ - Always full of the latest and greatest hacking news, Mr. Darknet reports on new security tools, updates to security tools, and other underground security topics that are interesting to read and usually not mainstream.
  • http://www.schneier.com/blog/ - What can we say, Bruce's commentary is spot on, and has been for as long as I can remember. You will often find insightful commentary on stories that you may pass over or just plain miss. Don't miss the Friday squid blogging either.
  • http://www.professionalsecuritytesters.org/ - Absolutely one of the best resources for penetration testers. Good news and information with a focus on quality rather than quantity. You will find tool updates and other interesting factoids for penetration testers.
  • http://www.f-secure.com/weblog/ - This has become one of my favorite blogs in recent months. The F-Secure team does an outstanding job of making some of the best and most interesting security related posts. Their research team rocks, frequently posting about Bluetooth security and malware analysis.
Happy reading!

The PaulDotCom Security Weekly Crew

PaulDotCom Security Weekly - Episode 35 - July 6, 2006


Live from the PaulDotCom Security Weekly Studio....

This episode was also broadcast over SkypeCast, so look for us each week when we record. It will also be announced in our IRC chatroom #pauldotcom on Freenode (irc.freenode.net).

Hosts: Larry Pesce, Paul Asadoorian
Email: psw@pauldotcom.com

Direct Audio Download
No Video This Week, we are working on the next episode, hoping for a July release.

(Bandwidth provided by OSHEAN)


Ok, first off, Skypecast today! We should be starting about 6:00 PM EST. Want to listen live? Go to http://skypecasts.skype.com and search for "PaulDotCom" (without the quotes). It may not show up until we start, so check back in at the time listed above.

Second, Twitchy Nick is at SANSFIRE this week. So, if you are there, look him up! He's got PaulDotCom stickers, swag from Core Security Technologies, and free books from Syngress! We're leaving it up to Nick to come up with (legal) means of acquiring said items - mostly, just ask.

How do you find Nick?  He's taking Security 504 - Hacker techniques, Exploits & Incident Handling with Ed Skoudis.  He also looks almost like a younger version of Professor Severus Snape.

- Larry

 

   

I think that this one may have slipped under the radar, so I'm bringing it up.  I mean, who doesn't have an Adobe reader on their system nowadays?  Sure there are plenty of alternatives to the Adobe reader, but that should be a different discussion.

According to the notice, they lumped a bunch of updates into one advisory. The advisory addresses just about every major OS at various levels of risk. Some of the risks include remote code execution, as interpreted from the advisory.

Go update your Acrobat reader, or switch to an alternative. 

- Larry

Vuln: Adobe Reader Multiple Unspecified Security Vulnerabilities

Kaspersky Labs are reporting that they have discovered a Proof of Concept (PoC) virus that can infect both Linux ELF files and Windows PE files. Kaspersky states that clearly this is only a PoC.

We have all seen this before - it doesn't take long for a PoC to become reality. I'm wondering how long it takes for something like this to become a reality, and in fact to become "standard practice" for virus writers.

Just a reminder: just because you run OS X, Linux or another *nix variant doesn't mean that you are immune from viruses. Practice defense in depth, because the threats are out there for every OS.

- Larry

New PoC virus can infect both Windows and Linux

Researchers at the University of Cambridge discovered a way to DoS users in China using China's own firewall/filter against them.

To quote the article (linked below), "the Chinese firewall can be used to launch denial-of-service attacks against specific IP addresses within China, including those of the Chinese government itself.

The IDS uses a stateless server, which examines each data packet both going in and out of the firewall individually, unrelated to any previous request. By forging the source address of a packet containing a "sensitive" keyword, people could trigger the firewall to block access between source and destination addresses for up to an hour at a time."

Nice.

The article goes on to say that Internet access could be denied by using this method to individual members of government. I say, however, that any bot herder with a political agenda on human rights could potentially deny Internet access for ALL of China.

The researchers did send their findings to the Chinese CERT. 

Human rights issues aside, it looks like they may need to rethink how they apply the technology, and we can learn a lesson as well. Apparently, the Chinese firewall is not mindful of state - if the firewall can be fooled by just one spoofed packet, it is clear that it has no concept of state. Sure, stateful inspection at a scale this large would require massive computing power - but understand the technology and design your systems appropriately!

- Larry

Academics break the Great Firewall of China

University of Cambridge computer experts say they breached firewall and can use it to launch denial-of-service attacks.
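The design lesson Larry draws above, as an added example that is not code from the Cambridge paper or the linked article: a toy keyword filter in two versions, one that acts on every packet by itself, and one that acts only on traffic whose TCP handshake it has seen. The addresses, the keyword list and the block duration are constructed for the example.

```python
"""A stateless keyword filter as a denial-of-service tool, and a stateful one.

Added example. Addresses, keyword list and block duration are constructed.
"""
from dataclasses import dataclass

SENSITIVE = (b"forbidden-word",)  # constructed placeholder keyword list
BLOCK_SECONDS = 3600              # the article says "up to an hour"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset          # subset of {"SYN", "ACK", "PSH", "RST"}
    payload: bytes = b""
    ts: float = 0.0           # seconds; constructed clock


def contains_keyword(payload: bytes) -> bool:
    return any(k in payload.lower() for k in SENSITIVE)


class StatelessFilter:
    """Inspects each packet on its own. Any packet carrying a keyword blocks
    the (src, dst) pair, whether or not a real connection exists, so a single
    packet with a forged source address blocks someone else's traffic."""

    def __init__(self):
        self.blocked = {}  # (src, dst) -> expiry time

    def is_blocked(self, src: str, dst: str, now: float) -> bool:
        exp = self.blocked.get((src, dst))
        return exp is not None and now < exp

    def process(self, pkt: Packet) -> str:
        if self.is_blocked(pkt.src, pkt.dst, pkt.ts):
            return "dropped"
        if contains_keyword(pkt.payload):
            self.blocked[(pkt.src, pkt.dst)] = pkt.ts + BLOCK_SECONDS
            return "blocked"
        return "forwarded"


class StatefulFilter(StatelessFilter):
    """Tracks the three-way handshake and inspects payload only on flows whose
    handshake it has seen. A forged packet with no handshake behind it is
    forwarded untouched and never changes the block table."""

    def __init__(self):
        super().__init__()
        self.state = {}  # (src, dst) -> "SYN" | "SYN-ACK" | "ESTABLISHED"

    def process(self, pkt: Packet) -> str:
        key, rkey = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if self.is_blocked(pkt.src, pkt.dst, pkt.ts):
            return "dropped"
        if pkt.flags == {"SYN"}:
            self.state[key] = "SYN"
            return "forwarded"
        if pkt.flags == {"SYN", "ACK"} and self.state.get(rkey) == "SYN":
            self.state[rkey] = "SYN-ACK"
            return "forwarded"
        if "ACK" in pkt.flags and self.state.get(key) == "SYN-ACK":
            self.state[key] = self.state[rkey] = "ESTABLISHED"
        if self.state.get(key) != "ESTABLISHED":
            return "forwarded"  # unknown flow: pass it, but do not act on its contents
        if contains_keyword(pkt.payload):
            self.blocked[key] = pkt.ts + BLOCK_SECONDS
            return "blocked"
        return "forwarded"


def spoofed_dos(filter_cls) -> str:
    """One forged packet, source address set to the victim, aimed at the target.
    Returns what happens to the victim's own later connection attempt."""
    fw = filter_cls()
    victim, target = "10.0.0.5", "203.0.113.9"  # constructed addresses
    forged = Packet(victim, target, frozenset({"PSH", "ACK"}),
                    b"GET /forbidden-word HTTP/1.0", 0.0)
    fw.process(forged)  # sent by a third party; no handshake ever happened
    return fw.process(Packet(victim, target, frozenset({"SYN"}), ts=10.0))


def genuine_flow(filter_cls) -> str:
    """A real connection that then carries the keyword: both filters should act."""
    fw = filter_cls()
    c, s = "10.0.0.5", "203.0.113.9"
    for p in (Packet(c, s, frozenset({"SYN"}), ts=0.0),
              Packet(s, c, frozenset({"SYN", "ACK"}), ts=0.1),
              Packet(c, s, frozenset({"ACK"}), ts=0.2)):
        fw.process(p)
    return fw.process(Packet(c, s, frozenset({"PSH", "ACK"}),
                             b"GET /forbidden-word HTTP/1.0", 0.3))
```

The stateful version still blocks a genuine flow that carries the keyword; what it refuses to do is change the block table on the strength of one packet nobody handshook for. The caveats a practitioner wants: an off-path attacker who can guess sequence numbers and complete a handshake still gets in, and, as Larry notes, keeping per-flow state at national scale is exactly the expensive part.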