Information Security Professionals, Hackers, and tinfoil-hat-wearing paranoids are a hard bunch to shop for. With just a few days before Christmas, what do you get for the person that rubs their face and sighs when they hear people talk about the cloud? Are you looking for a unique gift that isn't a black t-shirt with a snarky comment in white? Well, look no further!
The list below is 30 items under $100 available via Amazon Prime. If ordered no later than the 22nd using Amazon Prime, or by spending $25 to qualify for Two Day Shipping, your gift will arrive for Christmas.
The prices and ability to ship via Prime were accurate at the publishing of this post. They may change at Amazon's discretion.
Merry Christmas, Happy Holidays, and check out the list after the break!
Monday, December 21, 2015
Saturday, April 11, 2015
Hiding in Plain Sight - B-Sides Orlando 2015
The abstract, slides, documents, and files associated with my talk at B-Sides Orlando 2015 can be found below.
Hiding in Plain Sight
B-Sides Orlando 2015 - April 11th, 2015
What if penetration testing programs went a step further? Once legal and ethical approvals are obtained, a device could be placed within the organization to test more than network and application security. By placing a “rogue device” within an organization the general user knowledge of physical IT practices, IT security policies, and awareness of devices in the environment can be evaluated.
This talk will cover creating a penetration platform that can be hidden in plain sight for under $200. The device will be housed in a common item found within many offices and places of business. The device will have a number of camouflage techniques that allow it to blend into the environment to avoid detection.
The device will include remote connection capabilities, wireless and wired attack/monitoring functions, and monitoring methods to let the penetration tester know when the device has been discovered.
The talk will cover:
• Device functions and requirements
• Device materials and build
• Creating a device that “blends in” (Dents, organization standards, asset tags, dust)
• Getting alerts when the device is discovered
• Penetration testing capabilities
• Preventing devices like this in your environment.
This talk will demonstrate how to build a low-cost, flexible, remote penetration testing platform for ethical and legal testing programs that can be hidden in plain sight. The talk will also show the audience some of the techniques an attacker may use to hide monitoring devices within organizations. Knowledge of these techniques may help develop and refine IT practices to discover these devices.
Click here for the Google Drive shared folder including:
- Talk Slides and Notes
- Build Guide
- STL Files for 3D Printed Parts
- Avery Template
- RedProx Graphics Files (XCF Format)
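The last bullet of the abstract, preventing devices like this in your environment, comes down to noticing a host that nobody enrolled. The script below is an added example and is not part of the talk or its build guide: it parses DHCP lease records in the ISC dhcpd.leases style, compares each MAC address against an asset inventory, and flags leases that are either unknown to inventory or carry an OUI on a site watchlist. The lease text, the inventory and the watchlist are constructed sample data; the choice of which OUIs to watch is assumed to be local policy.

```python
"""Rogue-device triage over DHCP lease records.

Added example, not code from the B-Sides talk. Assumes the defender can export
dhcpd.leases-style text and keeps an asset inventory keyed by MAC address.
All input data below is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed lease records (ISC dhcpd syntax); not from any real network.
SAMPLE_LEASES = """\
lease 10.20.30.41 {
  hardware ethernet b8:27:eb:12:34:56;
  client-hostname "raspberrypi";
}
lease 10.20.30.17 {
  hardware ethernet 3c:52:82:aa:bb:cc;
  client-hostname "HPLaserJet-Lobby";
}
lease 10.20.30.99 {
  hardware ethernet 00:0c:29:de:ad:01;
  client-hostname "WORKSTATION-42";
}
"""

# Constructed asset inventory: MAC -> asset tag. The first lease above is
# deliberately absent, standing in for an unenrolled device.
ASSET_INVENTORY = {
    "3c:52:82:aa:bb:cc": "PRN-0041",
    "00:0c:29:de:ad:01": "WS-0042",
}

# OUI watchlist (first three octets -> vendor). b8:27:eb is the Raspberry Pi
# Foundation OUI; which vendors belong on this list is an assumed site policy.
WATCHLIST_OUIS = {"b8:27:eb": "Raspberry Pi Foundation"}


@dataclass
class Finding:
    ip: str
    mac: str
    hostname: str
    reasons: list = field(default_factory=list)


LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+(?P<mac>[0-9a-fA-F:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"(?P<host>[^"]*)";')


def parse_leases(text):
    """Return (ip, mac, hostname) tuples; MACs are normalised to lowercase."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac = MAC_RE.search(body)
        if not mac:
            continue  # lease block without a hardware address; nothing to match on
        host = HOST_RE.search(body)
        leases.append((m.group("ip"), mac.group("mac").lower(),
                       host.group("host") if host else ""))
    return leases


def triage(leases, inventory, watchlist):
    """Flag leases that are not in inventory or whose OUI is on the watchlist."""
    findings = []
    for ip, mac, host in leases:
        reasons = []
        if mac not in inventory:
            reasons.append("MAC not in asset inventory")
        oui = mac[:8]
        if oui in watchlist:
            reasons.append(f"OUI on watchlist ({watchlist[oui]})")
        if reasons:
            findings.append(Finding(ip, mac, host, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_leases(SAMPLE_LEASES), ASSET_INVENTORY, WATCHLIST_OUIS):
        print(f"{f.ip} {f.mac} {f.hostname!r}: " + "; ".join(f.reasons))
```

Running it prints one finding for the lease at 10.20.30.41, for both reasons. A MAC can be spoofed, so the inventory check is the stronger signal; the OUI watchlist only shortens the time to look at the obvious cases, and the same comparison can be fed from switch MAC tables or ARP caches instead of DHCP leases.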
Wednesday, January 14, 2015
Weekly Deep Dive: Germany may Secure Communications with Typewriters
This story sat in my draft folder as my human offspring, wife's writing career, Shellshock, and POODLE consumed my life. I think this story is still an interesting blend of old and new security issues that is worth posting.
This story originally broke in July of 2014.
Miss Germany could not be reached for comment on this story.
I adore this: low tech foiling of high tech espionage. Billions of dollars in state-of-the-art monitoring brought down by the humble mechanical typewriter.
The German committee already uses encrypted emails, secure electronic communications, and places their phones in a metal box when convened to prevent eavesdropping.
Would creating documents on a mechanical typewriter really stop the interception of communications? What precautions should the German Parliament take if they use mechanical typewriters?
Are you a security professional working for a law firm or financial institution that still uses electric typewriters? If so, this discussion could be applicable to you. Anything used to create and store information falls into the domain of the information security professional and must be protected.
After the jump we will discuss how typewriters relate to the CIA triad along with ways mechanical typewriters could be monitored. We will also cover how you can create controls to protect typewriters and the documents made on them.
Monday, January 12, 2015
#PWNED - United States Central Command Twitter Account Hacked
A group claiming to be part of ISIS hacked the US Central Command Twitter profile today in an act of "cyber terrorism". While the attackers were in control of this account they made threats and posted documents with "sensitive military information".
There are a few very important things to note:
- The information posted, in many cases, was already released. Often it was previously available to the public if you knew how to request it or where to look.
- Hacking a Twitter account is hardly a feat available to only the most "1337" of hackers. (He says while double checking his two-factor auth for his Twitter accounts.)
- Twitter is not a DoD network or system. It's Twitter, let's not make this out to be a break in at the National Archives.
- United States Central Command is located in Tampa, FL. Tampa was recently named the most hacked city in the United States. Coincidence? Probably, but these stories right next to each other provide some humor.
There are however a few serious concerns and they aren't items I see making the rounds in news posts.
- I would hope that US Central Command would realize their Twitter account was at least as hackable as these celebrities.
- I've heard no confirmation of two-factor authentication being used which is available to anyone with a phone and a Twitter account for free.
- Why do these accounts exist in the first place? Is there a public outcry for tweets from Central Command about their goings on? #InternationalMilitaryCollaboration #WhereMyAlliesAt
- How did they do it? We may never really know. Password resets are tied to email accounts with wildly varying reset processes and security questions. A breach of the email account used for password reset is as good as a breach of the targeted system. Let this story of account access spiraling out of control serve as a cautionary tale.
What I would bet on is this:
- Somewhere the person in charge of this account is at a table having a terrible, horrible, no good, very bad day.
- The person on the other side of the table is ordering someone in DoD telecom to issue a Blackberry that stays locked in a safe at CentCom. This Blackberry will be used just for two-factor twitter authentication.
- A team of very serious people are combing through a mountain of log files to determine the source of the unauthorized account access.
In the end... this is a prank. There is egg and that egg is located on someone's face. There is no real danger beyond the shame of a major military organization having their Twitter "pwned".
What can you do to secure your Twitter feed?
- Set a secure password and store it somewhere safe.
- Create two factor authentication for Twitter.
- Only login on trusted devices and networks. Avoid "Free WiFi" when possible.
- NEVER login on computers in hotel business centers or Internet kiosks in public areas. These systems are prone to have malware designed to steal your passwords.
- Never use the same password across different accounts. Once one account is compromised, they all are. Your Twitter account may be two-factor, but are all the websites where you use that password enabled for two-factor authentication?
Remember, reputation is just as important as information. Protect your accounts even if the information stored on them is low value. Someone could use that access against you and harm your reputation. Just ask @centcom.
Saturday, January 10, 2015
Security Theater: ATM Admin Panel Publicly Accessible
...SecuritySensesTinglingDroolingIntensifies...
During a stop at my local national chain gas station I found this inexplicable ATM configuration. I did my best to obfuscate a lot of the detail while preserving enough that the details are "there". I also scratched out areas where the chain name is easily seen.
I would've gotten closer, but I didn't want to look like I was casing the place. There is little difference between security research and premeditation. Not to mention, I was not authorized to try and untangle this security rat's nest. Observation is all I could really do.
What you see is the backside of the outside facing ATM. You can also see a touchscreen access panel that, at the time, was giving a number of interesting error codes. The top half seems to be a simple double wafer lock. Based on this talk the key could likely be purchased on the Internet for about $10. There are notes on the ATM regarding how and when to put it in supervisor mode, its ID, who to call for support, etc. The supervisor mode is activated by the rear touch screen.
Sure, there are cameras. Sure, there are people in the store. Sure, the cash is in the vault at the bottom and is better protected. However, I would bet if I walked in looking like an ATM repair guy and introduced myself they would be all too happy to let me go about my business. ATMs are not the bastion of security people think they are and they need to have better security than this. Recently two teenagers "hacked" ATMs using the manufacturer default passwords. At Defcon 18 there was a wonderful demo on remotely "jackpotting" ATMs to get them to spit out all their cash. All you needed in the demo was access to that top box and a little know-how. Recently these attacks have shown up in Europe.
This is security theater. It makes you feel safe using the device while completely lacking in common sense security.