Security awareness training is a key component to building a mature security program. Frequently, security awareness training is rolled out without clear indicators of success or measures of effectiveness. Without these key data points it is impossible to determine if the program is effective and whether the time and money invested in the training program is being spent appropriately. Without clear metrics and measures it is impossible to know if changes to the training program are increasing or decreasing your security posture.

During this presentation, Mr. Neely will outline how to use recurring social engineering tests to measure the effectiveness of a security awareness program, with an ultimate goal of using results to improve the training program. The talk will not focus on tools that can be used to perform or automate social engineering attacks. Instead, it will focus on building a program which provides value to the business.  This talk will contain real world examples and lessons learned from implementing social engineering testing programs at various organizations.

This meeting is free to attend and open to the public, but you must preregister.  If you stop out come up and say hi.

The scanner manufacturer will have a page outlining what firmware updates are available for you scanner and how to apply them.  For example here are links to the GRE and the Uniden firmware update sites.

Want more tips, tricks and how-to's on using scanners when performing penetration tests?  Check out and pre-order my book on the topic Wireless Reconnaissance in Penetration Testing.

Say what you like about Cleveland. One thing you cannot debate is Cleveland has a very strong security community. This can clearly be seen in the number of security groups located in the area. In this blog post I simply provide a list of all the security groups I am aware of in the area. I encourage anyone who is interested in security to attend some of these meetings to learn and network with the security community.

Akron Canton ASIS – Local chapter of ASIS International serving the Akron/Canton area. Group primarily focuses on physical security. Meetings generally occur in the mornings over breakfast and cost $10 to $20. Meetings are not open to the public. If you are interested in attending, either join ASIS or contact me and we can discuss having you attend a meeting as my guest.

ASIS Cleveland - Cleveland Chapter of ASIS International. Like the Akron/Canton group, this one also focuses on physical security. Meetings occur over lunch and cost $15. Meetings are not open to the public. If you are interested in attending, either join ASIS or contact me and we can discuss having you attend a meeting as my guest.

Infragard Northern Ohio Chapter - Infragard is an organization sponsored by the FBI that focuses on protecting critical infrastructure. Meetings are free and often occur in the morning. Meetings that are open to the public are held once a quarter. A number of members-only meetings are also held during the year.

Northeast Ohio Information Security Forum - The NEO InfoSec Forum is an independent security group mainly focusing on technical computer security topics. Meetings occur in the evening on the third Wednesday of the month. Meetings are free and open to the public. A free dinner, usually pizza, is provided.

Northeastern Ohio ISACA – Local chapter of ISACA. Their meetings are generally geared toward auditors and are held every month during the day.

Northeastern Ohio ISSA – Local chapter of the Information Systems Security Association (ISSA). Meetings generally occur monthly and focus on a range of information security topics. A number of years ago this chapter of ISSA went dormant. However, the local chapter is now under new leadership and they have been very focused on rebuilding the chapter. If you have not been to a meeting in a few years I recommend checking them out under the new leadership.

Ohio Chapter of the HTCIA - Ohio Chapter of High Technology Crime Investigation Association (HTCIA). This group mainly focuses on computer forensics and investigations.

OWASP Cleveland - Local chapter of the Open Web Application Security Project (OWASP). This group focuses on web application security. Meetings are held quarterly at noon and usually include a free lunch. This is a great meeting to invite your company’s developers to so they can learn about secure coding practices. The Cleveland Chapter of OWASP is also sponsored by SecureState.

Did I miss any? If I did, mention them in the comments.

Matt Neely will present a lecture and lab on assessing and securing wireless networks.  The session is intended for both management and technical security individuals.  In this lab participants will learn basic information about 802.11 networks, how to locate and assess wireless access points using open source tools and tips on securing 802.11 networks. This two hour session will include both a lecture and hands-on lab.  Lab participants should bring a wireless enabled laptop to the class with an SSH or telnet client installed.

When the date gets closer I'll post information on how you can sign up for this class.

It may be cliché but security is an ever-changing world. I am often asked how I keep up to date on the latest security trends and news in this rapidly changing world. The two primary tools I use to do this are security podcasts and Twitter. Being a consultant I spend a lot of time on the road and have long periods of free time while driving or flying to clients’ sites. While on the road, or during my daily commute, I fill those open hours by listening to podcasts. I am going to discuss the security podcasts I listen to, with a short description of each one. In a future post I’ll discuss how I use Twitter to keep in touch with the security community and stay on top of emerging trends.

ASIS Security Management Podcast is a monthly podcast containing highlights from the ASIS Security Management magazine. The magazine and podcast tend to be heavily focused on physical security, but there is some information security mixed in also. This is a great podcast if you want to learn more about physical security.

Crypto-Gram Security Podcast is simply Bruce Schneier’s monthly Crypto-Gram newsletter read aloud by Dan Henage. If you don’t have time to read the printed version of Crypto-Gram, this is a great way to keep up to date on a fascinating newsletter. If you haven’t read the Crypto-Gram newsletter you owe it to yourself to check out this podcast. I leave every podcast thinking about a security problem or issue in a new way.

CyberSpeak is a podcast focused on forensics. It is hosted by two formal federal agents who have spent their careers doing data forensics work. This show covers everything from basic to cutting edge forensic techniques. Whether you are a novice in forensics or an experienced forensics examiner, you will learn something from each episode.

Eurotrash Security Podcast comes to us from a band of security professionals and hackers based in Europe. This is one of the few podcasts that covers information security from a European point of view, so it is curious to see how security concerns over there line up and differ from the concerns in the States.

Exotic Liability Podcast is often offensive, usually informative, but always a fun time. This podcast is definitely not safe for work. So be careful where you listen to it. I recommend skipping this podcast if you are offended at obscene language and concepts. Topics usually focus on penetration testing and social engineering. The hosts also have some entertaining war stories about penetration testing.

OWASP Security Podcast focuses on all aspects of web application security. Many of the episodes are short interviews with experts in this field. This podcast is a wonderful way to learn about or keep on top of web application security topics.

Network Security Podcast is a weekly security news podcast covering new stories from the previous week. This show covers all aspects of security. The hosts comment on the news stories, often adding insight which makes the program well worth the listen.

PaulDotCom Security Weekly focuses on the technical side of security. Shows usually include a technical segment, new stories from the previous week, and interviews with special guests. If you want to learn more about the technical side of security this is a podcast you must check out. They also provide very detailed show notes which can be helpful when trying to implement an attack discussed on the show. An episode of PaulDotCom Security Weekly often is broken into two parts and the entire weekly show usually runs two to three hours. If I am running short on podcast time in a week, I also will use the show notes to determine what topics are of interest so I can fast forward to that portion of the podcast.

Risky Business is a news show which focuses on security from down under. The host of the show, Patrick Gray, does a very good job of explaining security concepts and concerns. Patrick also has a good handle on the importance of balancing security with business requirements, something many security folks forget. Because of these two factors, this is a great show for someone just getting into security.

SANS Audio Cast is a short weekly newscast produced by SANS. Episodes tend to be ten to fifteen minutes long so it is a great way to quickly catch up on the hot security news from the previous week. Even if I am running behind on podcasts, I try to listen to this one the week it is released while the information is still fresh.

SecuraBit Podcast is a security news podcast that focuses on technical security topics. I mainly listen to SecuraBit for the special guests they have, who tend to be big names in the security community.

Security Justice is hands down the best security podcast ever made. This monthly podcast covers a variety of security topics but tends to lean more toward physical security and the convergence of physical and logical security. This also is the only security podcast recorded live in a bar. Because this podcast is recorded in a bar, expect bar like language that may not be safe for work. Also in the interest of full disclosure, I should state the author of this post is also a co-host on this show so his views of the show are most likely biased.

Social Media Security Podcast focuses on the security concerns related to social media sites such as Facebook, Twitter, MySpace, and LinkedIn. The team that runs socialmediasecurity.com hosts the show. This podcast is a great way to learn about the threats in the emerging area of social media. The show also provides great case studies and stories that can be used for end user education and awareness training.

Social-Engineering.org Podcast is a monthly podcast focusing on social engineering. Produced by the team that run social-engineering.org, the podcast covers a number of topics related to social engineering. This podcast brings in some amazing guests. At first the guest’s or show topic’s relationship to social engineering might not be clear, but hang in there and the team always ties in how they relate. At its roots this podcast is about how to influence people, which is an important skill for any security professional to have. So even if you are not interested in social engineering, I still recommend you check out a few episodes of this podcast.

The Southern Fried Security Podcast looks at security from the CSO and management level, which is a welcome change from the often technical-heavy security podcasts. The podcast focuses on integrating security into a business and the importance of balancing the business needs with security. Most security professionals have a hard time achieving this balance, so do your self a favor and listen to at least a few episodes of this podcast.

If any of these podcasts sound interesting to you, I recommend you download a few episodes and give them a listen.

What security podcasts do you listen to? Any podcast you think I should start listening to? If so, tell me why in the comments.

At tomorrow night's NEO InfoSec Forum meeting I'll be presenting "Unleash the Power of CUDA: Cracking Passwords With Video Cards".  Below is a quick abstract of the talk:

Being able to quickly crack passwords is an important part of a penetration test. Even with the advent of rainbow tables and pass-the-hash attacks, bruteforce cracking of passwords is often still required. During this talk I’ll discuss how CUDA enabled video cards can be used to greatly increase the speed of password attacks. Demonstrations of a CUDA powered attack will be given.

NEO InfoSec meetings are free, open to the public and include free pizza.  Food arrives around 6:00 PM and the meeting starts at 6:30 PM.  More information on the meetings can be found here.

I look forward to seeing you there!

Here are some links with directions and meeting details.

The party starts at 6:00.  I hope to you see you there!

Today the Bus Pirate speaks eight protocols (1-Wire, UART, I²C, SPI, JTAG, raw 2-wire, raw 3-wire and PC AT keyboard).  The raw 2-wire and raw 3-wire can be used to interface with proprietary serial protocols.  The Bus Pirate also contains some other handy features such as a on-board 3.3 and 5 volt power supply, 0-6 volt measurement probe, a frequency measurement probe and frequency generator.

I was not adventurous enough to etch my own circuit board so I decided to build the Bus Pirate kit made by Fundamental Logic.  The kit includes all the parts you need.  Fundamental Logic even preprogrammed the PIC so you can build the kit without a PIC programmer.  The online assembly directions for the kit are very clear and easy to follow.  Before you start be sure to visit their tools page to make sure you have all the tools you need.

Overall the project took me about two hours to complete. A lot of that time was spent setting up and getting back into the swing of soldering.  Overall it was not a very difficult project.  The kit uses all through-hole components and the circuit board is not too densely populated.  In terms of difficulty I rate this kit as medium to medium-low.  I recommend this kit to anyone who wants to build a Bus Pirate.  However if you are new to electronics and soldering this is probably not the best project for you to cut your teeth on.

Truthfully I had more problems getting my serial port and terminal program configured properly than I did assembling the kit.  In the future I'll post some notes on getting the Bus Pirate to work in Windows and Linux.  I'll also cover how to get it working with a serial-to-USB converter.

So the Bus Pirate sounds like a cool geek toy but how does it relate to security?  First off when assessing hardware it is often helpful to communicate with the hardware directly.  This will allow you to skip over the vendor's APIs and applications which may place limitation on what can be sent to the hardware.  If you can talk to the hardware directly you can bypass these limitations.  From the security point of view I am especially interested in the Bus Pirate's ability to speak JTAG, 1-wire and raw 2-wire serial protocols.

JTAG is a diagnostic protocol that can be used to communicate with electronic circuits and chips.  JTAG is commonly used to restore bricked routers when an installation of OpenWRT or similar firmware fails.  However JTAG can also be used to directly query the memory in most embedded devices.

iButton Image By Stan Zurek1-wire is a protocol used by the iButton line of products. iButtons are frequently used in physical access control systems.

The raw 2-wire mode can be used to communicate with a number of smart cards.

I'll let your imagination ponder why I would want to communicate with these devices.

Notacon Mythbusters: Is Personal Data Stored on Hotel Keys? Using Magstripe Analysis Tools to Discover the Answer

For years emails and rumors have circulated that personal information such as credit card numbers, names and addresses are stored stored on hotel room keys.

The talk starts with an introduction to magstripe cards and how information is encoded onto the cards. The next section discusses what tools can be used to read and analyze magstripe cards. Next we test the myth by looking at data collected from a large number of hotel keys to determine what personal information is stored on them. The talk concludes with a discussion of advanced magstripe analysis, data manipulation techniques and how these techniques can be used during penetration tests and security assessments.

On a related note I hope to get back into updating this blog. One of my first priorities is to finish up the series on magstripe analysis. Thank you for reading and stay tuned for more updates!