
April 2009 Archives

Pwnage is not a good thing (just ask the Pentagon's office for the Joint Strike Fighter project), so don't miss our next Late-Breaking Computer Attack Vectors webcast!

The Webcast will be held on:

Wednesday, April 29, 2009 2:00 pm EDT (GMT -04:00, New York)

Register Here For This Webcast

This month we will discuss some of the latest attacks, including:

  • Twitter Worms
  • Smart Grids
  • OSX, Router Botnets
  • Remote Network Tap
  • DoS is sexy?
  • FAIL Of The Month (FOTM)

This webcast will run about 45 minutes and will focus on hand picked cutting-edge attacks and defenses.

The PaulDotCom Crew

In the spirit of epic sequels, we are pleased to announce the follow-on Webcast to the highly successful Zen and The Art Of An Internal Penetration Testing Program.

This webcast is the second part of a series presented by Paul Asadoorian in collaboration with Core Security Technologies. The presentation will be full of tips and tricks for tying vulnerability scanning, penetration testing and reporting into an efficient, repeatable testing process.

Whether you are a third-party performing penetration tests or want to test your internal network and systems, this webcast is for you! In Part II we will cover the following topics:

  • Using Nessus, and running nessuscmd to automate vulnerability scanning
  • Exploiting systems without exploits, and integrating this process into your internal testing program
  • Post-exploitation, and where it fits in internal testing
  • Importing Nessus results into CORE IMPACT
  • Post-Exploitation scripting in popular frameworks (Metasploit & Core IMPACT)

    Sign up here (Registration Required)

    Forum: Online forum discussion for the Webcast series.

    - PaulDotCom Crew

    Awards, The Future, & PaulDotCom Episode 150


    Awards

    We are all truly honored and flattered to be winners of the RSA 'Social Security Awards Best Security Podcast'. It has truly been a wild ride for the past four years, and we are so glad that everyone enjoys the show! We get together to record every Thursday evening, and since January of this year we have not missed a week. So, I want to make sure that I thank our families (especially my ever-so-patient wife) for supporting us in this effort. There are a lot of people who help make this show happen, including all of our staff, sponsors, and especially you listeners! We would also like to thank all of the other security podcasts out there: we listen to all of you, and you inspire us to keep improving, so keep up the great work! Great job to all, and thanks for listening! Don't think that we will sit around and bask in our glory for too long; in fact, we're done with that. We are working hard to keep improving and growing PaulDotCom to the next level. So stay tuned, we've got good things coming! This includes continuing to point out where security fails, and offering suggestions for improvement, like tiny nets.

    "It's a net, and it's tiny..."

    PaulDotCom Episode 150

    At various points in the life of our podcast we like to sit back and marvel at what we've accomplished. Okay, not really, we just use this as an excuse to drink more beer! In all seriousness, we do like to have an excuse to celebrate and put on a special show. Episode 150 of PaulDotCom Security Weekly is going to be one of those shows. We have decided to podcast for 12 hours! (What a way to celebrate 150 and our award, eh?) We have an absolutely jam-packed schedule: we will be talking about the latest topics in information security, joined by some of the top people in our field. Check out the show schedule below:

    April 30, 2009 12:00PM-12:00AM EDT

  • Introduction, Announcements, & Shameless Plugs (12:00PM - 12:30PM) - We will kick things off with a few announcements and get settled (probably starting by tapping the keg live on the air!)
  • Special Guest: Lenny Zeltser (12:30PM-1:00PM) - Lenny will join us for a short interview to discuss some hot security topics.
  • Listener Call-In & Feedback (1:00PM-3:30PM) - Now is your chance to be on PaulDotCom! Come ask us questions and discuss some of the most heated debates in information security, such as which Linux distribution is the best :)
  • Break (3:30PM-4:00PM) - In true PaulDotCom fashion, we will blow stuff up live on camera.
  • Roundtable Discussion - PCI Compliance: Good Luck or Good Riddance? (4:00PM-5:00PM) - We will be joined by Ron Gula (Tenable Security), Mandeep Khera (Cenzic), Martin McKeay (Network Security Podcast), Rich Mogull (Network Security Podcast/Securosis), and Anton Chuvakin (Qualys). This is certain to be a lively and informative discussion of the PCI standard.
  • Roundtable Discussion - Vulnerability Disclosure: Who Pwns Your Bugs? (5:00PM-6:00PM) - We will be joined by Simple Nomad (NMRC), Johnny Long (Hackers For Charity), and Mathew Carpenter (InGuardians) to discuss the hot topic of vulnerability disclosure.
  • Storytime With Bob & PaulDotCom (6:00PM-7:00PM) - The return of Twitchy! He lives to come back on the show and share his famous "Storytime with Twitchy" musings, and Bob may even make a special appearance!
  • Break (7:00PM-7:30PM) - Blow some more stuff up.
  • Episode 150 (7:30PM-10:00PM) - This will be a regularly scheduled weekly show, with tech segments, stories for discussion, and our special feature interview with Stephen Northcutt of The SANS Institute.
  • Zombie Stories (10:00PM-12:00AM) - Brains, brains, brains! We will discuss all of the stories (okay some of the stories) that we did not get to in previous episodes this year. And we'll throw in a little flesh eating zombie discussion as well.

    We will be streaming live audio and video of the entire event and releasing the recorded versions of all segments. You can find all of the detailed information in the PaulDotCom Episode 150 Show Notes Page (including the live stream links, call-in information, detailed roundtable questions, etc...).

    PaulDotCom Security Weekly - Episode 149 - April 16, 2009


    The PaulDotCom crew drink, hack, and get merry with our new sponsor Cenzic, we teach you about Argus and UPnP Nmap hacking, and announce our 12 Hour podcast!

  • Sponsored by Core Security, listen for the new customer discount code at the end of the show
  • Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
  • Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
  • Be sure to check out "Maltego" from Paterva, try the community edition for free!
  • Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
  • Full Show Notes


    Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand

    Email: psw@pauldotcom.com

    Direct Audio Download

    Audio Feeds:

    The live stream should be active around 18:45 EDT (6:45PM Eastern), Thursday, April 16th. We should begin recording the live show around 19:00 EDT. Please keep in mind that these times are estimates.

    Our Technical Segment will be given by Michael "Mick" Douglas on A Quick Introduction to Argus - the Real Time Flow Monitor / IP network traffic auditing tool. Our guest for this episode is Mandeep Khera.


    Mandeep will share his opinions on the relevance of PCI compliance and discuss Web Application Security. Mandeep has this to say on how online companies spend their security dollars:

    " What's surprising is that [e-tailers] are still spending money on network security. With 80 percent to 90 percent of Web applications vulnerable, and with 75 percent of attacks occurring through the Web sites, this budget allocation defies logic. . . . Web applications are among the top assets with your customer information that need to be protected."

    We'll also unveil our plans for the 150th Episode Special 12-Hour Podcast on April 30th from 12:00PM-12:00AM!

    Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

    When active, the live stream(s) can be found at:

    Ustream: PaulDotCom UStream Channel

    Icecast: PaulDotCom Radio

    Please join us, and thanks for listening!


    - John, Paul, Larry & Mick.

    PaulDotCom Security Weekly - Episode 148 - April 9, 2009


    Paul's laptop lives, but the soundboard doesn't, talking shop about MQ series and security FAIL, sniff wireless on all 14 channels AT THE SAME TIME! All brought to you by the fine acoustic sound of the McDonald's drive-thru.

  • Sponsored by Core Security, listen for the new customer discount code at the end of the show
  • Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
  • Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
  • Be sure to check out "Maltego" from Paterva, try the community edition for free!
  • Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
  • Full Show Notes


    Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand

    Email: psw@pauldotcom.com

    Direct Audio Download

    Audio Feeds:

    The live stream should be active around 18:45 EDT (6:45PM Eastern), Thursday, April 9th. We should begin recording the live show around 19:00 EDT. Please keep in mind that these times are estimates.

    We have a special guest this episode, T.Rob Wyatt.


    T.Rob will be speaking about WebSphere MQ (WMQ), IBM's messaging backbone product for Service-Oriented Architectures. T.Rob has this to say on the topic:

    "If you use WebSphere MQ and haven't taken a close look at your security, we need to talk. Most places I go I can gain administrative access to the WMQ network in about 5 minutes. So even if you *have* taken a close look at your WMQ security...we probably need to talk anyway."

    Our Technical Segment will be given by Larry "HaxorTheMatrix" Pesce on Sniffing Eleven 802.11b channels simultaneously (!) using Kismet.

    Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

    When active, the live stream(s) can be found at:

    Ustream: PaulDotCom UStream Channel

    Icecast: PaulDotCom Radio

    Please join us, and thanks for listening!


    - Larry, Paul & John

    PaulDotCom Security Weekly - Episode 147 - April 2, 2009


    This week we have special guests from www.i-hacked.com, the show gets hijacked, Paul's laptop gets thirsty, one crazy show!

  • Sponsored by Core Security, listen for the new customer discount code at the end of the show
  • Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
  • Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
  • Be sure to check out "Maltego" from Paterva, try the community edition for free!
  • Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
  • Full Show Notes


    Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand

    Email: psw@pauldotcom.com

    Direct Audio Download

    Audio Feeds:

    For those who regularly read our blog and listen to our podcast, you already know I spent a little more than a week in lovely Regina, Saskatchewan teaching SANS 617: Wireless Ethical Hacking, Penetration Testing, and Defenses. While we were there we noticed some very interesting wireless traffic during several of the course exercises.

    The wireless traffic was traced to a local business (in close proximity to the training site) which apparently implemented a WIDS with Rogue AP Containment. As the week progressed, we got more information on the story: the wireless had been installed for nearly a year but had only been turned on the Friday before class. There was apparently great confusion about the WIDS configuration, and the results were being misinterpreted. Regardless of the situation, the students got some great real-world examples and traffic captures. The local company was also very responsive to our concerns, and we all worked together to resolve the issues.

    What did this mean to the class? Well, the class uses 3 different APs configured by the instructor for use with some of the labs. When I set mine up, I did the right thing: I set them on the 3 non-overlapping channels, 1, 6 and 11. When they were fired up, the WIDS with Rogue-AP Containment started firing off De-authentication and Disassociation floods at all of the clients, spoofing the BSSIDs of the class APs. Certainly this is an effective containment method for keeping clients in your organization from connecting to unknown APs introduced into the environment. It also made it difficult for the students and instructor to remain connected to, or generate traffic on, the class APs.

    As the week went on, the students were able to make several observations and assumptions about the situation. We also had a discussion about the appropriate deployment of Rogue-AP containment methods: if you don't do it right, you can essentially create denial of service attacks against legitimate, third-party networks. In many jurisdictions, denying service to a legitimate network that is not your own is considered a crime. So, here are a few of the lessons that the class took away over the week:

    1.) De-authentication and Disassociation floods against all of the clients can be effective. Not perfectly so, but annoying enough to have folks call your Help Desk to report that their network isn't working or is slow. Our class network wasn't working, and the regional municipal wireless provider worked at a snail's pace. A block away, outside of the range of the WIDS, the municipal wireless worked like a champ.

    2.) Properly test and configure Rogue-AP containment if you wish to use it in your environment. Turning it on before a weekend and not monitoring the wireless traffic afterwards is probably not in your best interest, especially if it means you are breaking the law as a result.

    3.) Consider all of your options when deploying a WIDS, and know the cost, risks and rewards of each. Do you go with an integrated solution, using the existing infrastructure to do WIDS and serve clients at the same time; an overlay deployment, adding a separate infrastructure on top of the client-serving network; or a hybrid approach?

    4.) If implementing an integrated solution, be careful about your deployment or consider a hybrid approach. In an integrated solution, the radios in the APs become locked on their predefined channels while serving clients and no longer hop, looking for Rogues on other channels. If you have deployed your APs with WIDS on channels 1, 6 and 11, the APs will only have insight into (and launch containment against) rogues on those channels while serving clients. In a hybridized approach, depending on the individual solution, APs containing two separate radios may segregate them to different tasks: one radio for serving clients and the other channel hopping and performing containment.

    5.) When WIDS with Rogue AP Containment is deployed in an integrated fashion (without a hybridized approach) while serving clients, it is possible to install "Rogue APs" in the environment on different channels. For example, if APs with WIDS serving clients are installed on channels 1, 6 and 11, they will be unable to detect or perform containment against Rogue APs on other channels, such as 3, 7 and 10. Ultimately this was how we were able to use the 3 class APs, as the WIDS had no way to see our APs on channels other than 1, 6 and 11. This is something to take into consideration during deployment and is certainly something you want to test in your environment, or while performing a wireless assessment. This is certainly a "feature" that can be leveraged by the bad guys with minimal effort.

    After all was said and done, the students had a great, albeit frustrating, time figuring out what was going on with the classroom wireless network. This was an educational exercise dealing with real-world deployments and their associated problems. Learning from someone else's "mistakes" has its benefits. Go forth and deploy secure wireless networks. Be careful with your Rogue AP Containment!
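    As an added example (not code from the original post or from any WIDS product), here are lessons 1 and 5 turned into an audit check: given a constructed sensor log of 802.11 management frames, the script lists the APs that an integrated WIDS locked on channels 1, 6 and 11 can never see, and flags the De-authentication/Disassociation floods that containment fires at a protected BSSID. The log tuple format, the sample BSSIDs and the assumption that a radio locked to one channel hears only that channel are all mine.

```python
"""WIDS coverage and containment-flood audit (added example with constructed data)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One logged 802.11 management frame: (timestamp s, channel, subtype, BSSID).
# Assumed log shape; a real Kismet or vendor WIDS export would need a parser.
Frame = Tuple[float, int, str, str]

# Channels the integrated APs stay locked on while serving clients (from the post).
SERVING_CHANNELS: Set[int] = {1, 6, 11}

def wids_blind_spots(frames: List[Frame], monitored: Set[int]) -> Dict[str, int]:
    """BSSID -> channel for APs beaconing where no integrated radio dwells.
    Assumes, as in the post, that a radio locked to channel c hears only channel c."""
    unseen: Dict[str, int] = {}
    for _ts, chan, subtype, bssid in frames:
        if subtype == "beacon" and chan not in monitored:
            unseen[bssid] = chan
    return unseen

def deauth_floods(frames: List[Frame], protected: Set[str],
                  window: float = 5.0, threshold: int = 20) -> Dict[str, int]:
    """BSSID -> peak count for protected APs hit by more than `threshold`
    deauth/disassoc frames within any `window` seconds.  Containment floods
    spoof the AP's own BSSID, so the address proves nothing; the rate does."""
    times: Dict[str, List[float]] = defaultdict(list)
    for ts, _chan, subtype, bssid in frames:
        if subtype in ("deauth", "disassoc") and bssid in protected:
            times[bssid].append(ts)
    flagged: Dict[str, int] = {}
    for bssid, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):      # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[bssid] = peak
    return flagged

def sample_frames() -> List[Frame]:
    """Constructed capture summary modelled on the classroom incident."""
    frames: List[Frame] = [
        (0.0, 1, "beacon", "02:00:00:00:00:01"),   # site APs on 1, 6, 11
        (0.1, 6, "beacon", "02:00:00:00:00:06"),
        (0.2, 11, "beacon", "02:00:00:00:00:0b"),
        (0.3, 1, "beacon", "02:11:22:33:44:01"),   # class AP sharing channel 1
        (0.4, 3, "beacon", "02:11:22:33:44:03"),   # class APs moved to 3, 7, 10
        (0.5, 7, "beacon", "02:11:22:33:44:07"),
        (0.6, 10, "beacon", "02:11:22:33:44:0a"),
    ]
    # 30 containment deauths spoofing the channel-1 class AP inside one second
    frames += [(1.0 + i * 0.03, 1, "deauth", "02:11:22:33:44:01") for i in range(30)]
    # two ordinary disassociations from a site AP, 37 s apart: not a flood
    frames += [(3.0, 6, "disassoc", "02:00:00:00:00:06"),
               (40.0, 6, "disassoc", "02:00:00:00:00:06")]
    return frames

if __name__ == "__main__":
    print("APs the WIDS cannot see:", wids_blind_spots(sample_frames(), SERVING_CHANNELS))
    print("deauth floods:", deauth_floods(sample_frames(), {"02:11:22:33:44:01"}))
```

    Run against a real sensor export, the first function is the coverage gap to close (or to verify during a wireless assessment) and the second is the alert that tells you containment, yours or someone else's, is hitting your clients.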

    Larry Pesce

    Confickering The Week Away


    Conficker, say it with me now, "Con-Fick-er". I don't even need to link to anything. All you have to do is read any website about information security this week and you can read something about Conficker. It's been covered to death, but like a flesh-eating Zombie, it keeps coming back for more. It got ALL the press today (as I write this on April 1, 2009). I woke up this morning and started watching the news; they were talking about Conficker. I got to work (I work from home, so this means I walked downstairs to my office) and my boss's laptop crashed. Everyone joked that it was Conficker. I then proceeded to write a blog posting about Conficker and the cool ways it can be detected. Twitter was buzzing with talk of Conficker: what will it do? Has anyone seen anything? If it wasn't a blog post centered around an April Fool's joke (okay, some were really funny, like the ASS certification), it was a post about Conficker. Why does a virus/worm get so much press? I've struggled to come up with a good reason. It defies logic in my opinion. Let's pretend that I become frustrated with being a Jedi whitehat and make the switch to the dark side because I was confused and thought my powers could be used by evil to do good. The first thing I would want to do in order to take over the universe would be to create a botnet, which means I need a worm. I want my botnet to be large and powerful, which means it needs lots of compromised systems. The LAST thing I want is for the code I use to achieve supremacy over the universe to be talked about on every major news outlet, blog, Twitter, and web site, and analyzed by researchers across the globe. So what gives? It certainly could not be the author's intention to gain popularity. We can speculate all day and night about why we made a big deal about this, but in the end I have to wonder: what else went on this week (and especially today) that we all missed because we were too busy Confickering?

    Paul Asadoorian

    Recording & Stream Notice - Episode 147 - I-Hacked Road Signs!


    The live stream should be active about 18:45 EDT (or 6:45PM Eastern :), Thursday, April 2nd. We should begin recording the live show at about 19:00 EDT. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

    This week we have special guests, "hevnsnt" & "Surbo" from www.i-hacked.com. They will be talking about hacking road signs, zombies, bypassing airport security, lock picking, and more!


    Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

    When active, the live stream(s) can be found at:

    Ustream: PaulDotCom UStream Channel

    Icecast: PaulDotCom Radio

    Please join us, and thanks for listening!

    - Larry, Paul & John