
October 2009 Archives

PaulDotCom Security Weekly - Episode 172 Part 2 - October 22, 2009

Paul, Mick, Larry (and the "intern"), and Carlos talk about a tech segment on Jasager, and we unlock that magic that was gifted to us by unicorns.

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Just received a nice email from Aaron Searle at Symantec. There is a good write-up about a proof of concept tool called PhoneSnoop that targets BlackBerry devices.

The Symantec write-up can be found here and the full write-up of the BlackBerry attack surface can be found here. The PhoneSnoop application is very interesting because it can turn the speakerphone on automatically when a call is received from a specific number.

We often get questions about how someone can get involved and make a difference in computer security. Personally, I see the smart-phone attack surface as one that has not been reviewed enough. While I think the write-up from Symantec is great (thanks Aaron), I think there are other things we need to address as well.

Sometimes malware is not "malware"; rather, it may be sold as something else entirely. For example, MobileSpy. They also have a version called iPhone Spy. Currently, this product works with the iPhone (of course), Symbian OS and Windows Mobile. That is pretty good coverage of the existing market of phones. While these tools are marketed towards parents who want to monitor their teen's smart-phone usage, they could be used in a variety of other "interesting" attack scenarios.

Currently, these tools require an attacker to have physical access to the phones, and they demonstrate the capabilities of smart-phone malware. When you couple this with the relatively weak security models of the underlying operating systems of many of these phones, this area becomes an excellent one for more study.

The reason I am harping on this is because there are some very solid security researchers working on this issue. Just look at the work of Charlie Miller and Collin Mulliner at the last Black Hat.

The thing that gets me is that while the attacks have been cool, I have seen very little from most organizations to try and mitigate the risks associated with these devices. Also, many of our customers have stated, very clearly, that attacking their employees' phones is off limits for our penetration tests.

This is where the concepts of traditional penetration testing fail. An attacker does not have limitations. As Dave from Immunity said recently, it is hard to model obsession. It is also hard to be a white-hat hacker when there are a number of attack vectors that only black-hats would go after.

So I propose this to most organizations: any device that has any organizational data on it needs to be under the control of that organization. The organizational policies also need to reflect that its data does not reside on any non-organizational device.

For all penetration testers out there, we need to start explicitly requesting that these devices be in scope. If the organization says "no" that is okay. We need to document the fact that these devices pose a risk to the organization and the customer requested that they not be tested. I fear that as we progress as a profession, we will be held accountable for what we don't find. In some ways that is okay. However, when the customer ties our hands and we do not discover a risk we need some level of protection.

-strandjs

PaulDotCom Episode 173 - Sock Puppets & Hacker Fury

Ahhh, it's that time of year where the beer is especially good, the weather is getting chilly, and the freaks come out of the woodwork (or the brick work if you are in a George Romero film ;)!

One of my favorite scenes, from one of my favorite zombie movies of all time, "Day Of The Dead". I jumped clean out of my seat the first time I watched this movie and the zombie hands came out of the wall.

Yes, it's truly a scary week! Therefore we've filled the show with scary people. First up is Anthony Jacobin, the winner of the most recent Cyber Exercise put on by White Wolf Security. Yes, Anthony is a scary hacker who will come on the show to tell us about his new tool called "BarCrawl".

Note the "Killers" reference on Anthony's laptop, he does in fact scare me!

Next up, scary sock puppets. I don't know about you, but I think that puppets, clowns, and mimes all fall into the same category: creepy! And if that were not enough, we're bringing Jack Daniel into the studio to share his grim view on information security, and scare me with his sock puppets (hopefully the sock puppets don't try to touch me in private places like last time).

Hold me, I'm scared!

So come join us live at 19:30 EDT on Thursday, October 29th for Episode 173 "The Zombie Sock Puppet Edition" of PaulDotCom Security Weekly.

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: PaulDotCom UStream Channel

Icecast: PaulDotCom Radio

Please join us, enjoy the show live, and thanks for listening!

- Paul, Carlos, Larry, Mick, Darren & John.

Wouldn't it be cool if there was a traveling con where you could drink beer and hack systems? Well it turns out there is. Because God knows, we need another con.

There will be beer

At many of the events we present or attend we also try to put on an easy going hacklab/hacker-space that anyone in the local area can attend. We work with the people putting on the event (usually SANS) to open it up to the community as a whole without needing to register for the event. So far these have been a lot of fun. If we are lucky, we run the weekly show from the event live while people are cracking into servers. We also get some cool appearances from people like SpaceRogue, Ed Skoudis and Rob Vanderbrink. Also, the attending members of PaulDotCom do live demos and embarrass themselves in front of actual people, which is different than on the podcast.

Currently, there are two upcoming PaulDotCons:

First, live from London, Friday December 4th from 6:00 till ??? This event will be co-hosted by Pieter Danhieux. He is planning on bringing in additional cool challenges to the event. I also think he will bring some cool shirts. Also, at this event we will be releasing the PDC DVD that has many of the cooler tech segments and videos we have produced.

Next up we have SANS New Orleans. This event will be Friday, January 15th from 6:30 till ??? Look, this is New Orleans. I don’t quite know what will happen there. Last time I vaguely remember dancing on a bar and a mechanical bull doing "bad" things to Mike Poor. Or was it the other way around? This event is nuts. New Orleans is one of my favorite SANS events. You have to go.

Just 8 seconds?


If you choose to sign up for the full SANS training use the discount code of COINS-JS for 10% off.

There will be others, trust me. So stay tuned.

-strandjs

PaulDotCom Security Weekly - Episode 172 Part 1 - October 22, 2009

Paul, Mick, Larry (and the "intern"), and Carlos talk Flash vulnerabilities with the expert web application security engineer from HP, Prajakta Jagdale, do a tech segment on Jasager, and we unlock that magic that was gifted to us by unicorns.

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

PaulDotCom in Tokyo!!! PaulDotCom will be hosting a hacklab in Tokyo for all who wish to participate tomorrow night, hosted by strandjs.

Come on down to:

Akihabara UDX South Wing 6F
4-14-1 Sotokannda
Chiyoda-ku, Tokyo 101-0022 Japan


There will be beer and machines for you to break into. We will also be demonstrating some cool attacks live. This event is open to the public, so come on down and hack some systems, or bring some cool systems to hack.


The fun starts at 5:45PM and goes until UDX kicks us out.

See you there.

-strandjs

Anytime there is a security tool which uses "Magic that was gifted to us by unicorns!", it causes us to perk up our ears and listen. Join us live at 18:45 EDT on Thursday October 22nd for Episode 172 "The Unicorn Edition" of PaulDotCom Security Weekly, where Prajakta Jagdale discusses HP's SWFScan tool and Larry & Darren promise "pwnage with jaseger on the lafonera, pt 1".

The live stream should be active around 6:45 EDT (22:45 UTC), tonight. Please keep in mind that the recording time may float like a butterfly, but sting like a bee.

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: PaulDotCom UStream Channel

Icecast: PaulDotCom Radio

Please join us, enjoy the show live, and thanks for listening!

- Paul, Carlos, Larry, Mick, Darren & John.

Let me start by saying that these are the opinions of a contributor. To this day I have contributed 3 Auxiliary Modules and 16 Meterpreter scripts to the project, and I had the honor and privilege to present with HD at Defcon 17 in the Metasploit Track. I was initially in shock when I saw the news on my iPhone while stuck in traffic; I could not believe it, I thought it was a joke. When I got to my office I quickly checked the web pages, listened to the Risky Business Podcast where they did an interview about the acquisition, and read all of the tweets of people in favor and against it, their worries, rants and comments.

After all of this, I came to the conclusion that this is a great thing for the project. For a long time this project has been the labor of love of the members of the Metasploit project, with very few active committers and submitters other than a handful, each putting in their own free time, sacrificing long nights, family time and money to work on the project. Some wrote code to scratch their own itch and solve problems they had; others just did it for the same motivation that has pushed hackers everywhere to write code: the fun of creating something and learning how stuff works.

In my case I stopped doing penetration tests and security audits many years ago, and in December of last year I decided to get back into the game by sharing stuff on my blog and in forums and turning a lot of the stuff I knew into tools and scripts. In that process I started writing code for Metasploit, and I have never found in any other project a community so patient and willing to help. HD has given me tips that made me a better coder; he was always patient and courteous with me and other contributors. The members of the team, like Natron, ET, Chris Gates and MC, have also always been helpful with each piece of code I wrote (which many times was ugly as hell).

HD is now a father, and as the dad of a little girl myself I know how hard it is to spend time coding to contribute to a community and sacrifice the precious time one has with something as precious as one's own child. What he did will give him more time to spend with his family while still working on the project he loves, and the same goes for some of the members of the Metasploit team. Here is a list of the advantages I see:

  1. The code will have a dedicated dev team to work on it.
  2. A more stable code base, since more resources for testing will be available.
  3. More exploits and features will come faster, since there will be a dedicated team.
  4. The side effect that other projects like Canvas, Core Impact and others will have a stronger competitor, pushing them to better their products even more.
  5. Support for pentesters and others who use the framework.

 

The fears I have seen expressed by many have been:

  1. The code going private and closed source.
  2. That many of the cool features and exploits will be charged for by Rapid7.
  3. That the community will disappear.

To this I answer: HD has put long hours and money into funding this project by himself, and he has expressed that he will continue to keep the project open source as well as support the community. To this I say he has more than earned our support and trust. I trust HD and hold him to his word. The project is under a BSD license, so the same community that has made Metasploit grow can fork it and keep it going, but for now my trust is in HD and the dev team. So let's keep supporting the project by contributing, testing the code and reporting bugs, and make this an even better framework. I do say I envy HD and Egyp7 from the team; they are now working full time on what they love, so I say to them and the rest of the Metasploit team: congratulations and my best wishes.

PaulDotCom Security Weekly - Episode 171 - October 15, 2009

Paul, John, Larry, and Carlos gather around some beer to talk about Microsoft patches, John does a tech segment on Windows Prefetch, and we discuss possibly the most hilarious and disgusting story ever on the show!

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Join us live at 18:45 EDT on Thursday October 15th for Episode 171 of PaulDotCom Security Weekly, where John "Whiskey" Strand will discuss MS Windows Prefetch.

The live stream should be active around 18:45 EDT (6:45 PM), Thursday. Please keep in mind that the recording time can be as fluid as our Daily Special.

Consider a strong drink and join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: PaulDotCom UStream Channel

Icecast: PaulDotCom Radio

Please join us, enjoy the show live, and thanks for listening!

- John, Paul, Larry, Carlos, & Mick.

PaulDotCom Security Weekly - Episode 170 - October 9, 2009

Paul, John, Larry, Mick, and Carlos all appear on the show and we're MAD AS HELL and we're not going to take it anymore!

Larry does a great technical segment on username harvesting from Social Media. The crew then discusses the latest computer security news such as Moxie's trouble with Paypal, Netgear's new "killer router", watching your logs, and much more!

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Join us live at 20:30 EDT on Friday October 9th for Episode 170 of PaulDotCom Security Weekly, where Larry "HaxorTheMatrix" Pesce will discuss "Username harvesting from Social Media", and where you can always get the "Three for the price of Three" special.

The live stream should be active around 20:30 EDT (8:30 PM), Friday. Please keep in mind that the recording time can be as fluid as our Blood/Alcohol content.

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: PaulDotCom UStream Channel

Icecast: PaulDotCom Radio

Please join us, enjoy the show live, and thanks for listening!

- Larry, Mick, Paul, Carlos, & John.