So, just to not get left out in the cold on this one I’ve spent a good 20 to 30 second thinking up some points that are worth listing. Just to keep on point I’ve restricted myself to the top 3… don’t want to overload you with amazingness this late in the year after all

Shit will happen

There’s nothing you can do to stop this… shit happens all the time. Chances are, shit will happen to you, your friends and your next door neighbours cat. You should learn to live with this, for your own good!

People will panic

OMGWTFBBQ another exploit in Adobe PDF reader… it’s the end of the world as we know it!!!!11111oneoneone

No, it’s not. Just relax, think for a second, and then uninstall that shit! (see point 1)

Life will go on

We’ve lived through MS08-067 (some of you still are apparently), we’ve lived through the “ I L ove You” virus (and the movie it spawned), and we’ve lived through over a year of people thinking Rick Rolling is still an art form (it’s over… no, really!)

People get all stressed up about this shit (see point 1, and point 2). Relax, take a breath. Just remember, it could be worse! You could be at a Justin Bieber concert!

So, what does this mean for us in 2012… other than the phrase “same shit different day” obviously. Well if I were you, and I’m not, I’d take 2012 as the year you go back to basics. Your shiny new WAF/IPS/Firewall Mega box with flashy blue and orange lights is going to do less to protect your enterprise than changing default passwords and making sure your phpMyAdmin is patched and restricted to your management LAN IP range!

It’s not sexy… it’s not even fun… but it’s where we’ve been going wrong for the last X years. You build a tower of security on sand, it’s going to crumble… and you’re going to get sand in your crack! So build a solid foundation!

Have a good 2012, let's try and make it better than 2011 shall we!

What I found on Klout when I signed on was interesting, at least interesting enough for me to share with you guys…

Wow.. look, aren’t I special. I’ve got a Klout of 61! Yes, I have no idea what 61 means, there’s no range here… 61 out of 62 is high… 61 out of 1000 not so much. Great start. So far you’ve reduced me to a number and asked me to share that with the world! I’m gonna go out on a limb here and so, no I won’t be sharing that useless fact!

So… lets see what other gems they have for me shall we. Lets start off with the profile and see what they can tell me that I don’t already know about myself. After all, they know things I don’t I’m sure.

Ok, seriously, I get that 61 is a big thing for you, but I’ve still no idea what the scale is, so for me, it’s kinda like a big sign that say “Dunce”. What else do you have for me. Ok I’m an influencer of 1K (I’m guessing that’s 1 thousand, although I doubt that highly… why would anybody listen to a chump like me for goodness sake!). Ok, now this makes more sense… apparently I’m influential about Information Security, hacking, and popcorn! This must be some sort of weird twisted version of me that likes to eat sweat (and/or salty) snacks and talk about them endlessly on social media! It’s a strange world… but wait a minute. It says I’m a specialist! At least it didn’t say thought leader (hint: checkout my Eurotrash Security co-host @CraigBalding’s Klout page).

So what is a specialist, at least according to Klout. Ah such nice words… I’m not a celebrity (thank fuck for that) but I’m still special… it’s like Klout is somehow there to reinforce people’s ego and make them feel less like the people they really are. Lots of tweeting about a single topic doesn’t make you a specialist… it makes you a loudmouth who doesn’t know when to shut up.

I disagree with your opinions here Mr Klout sir… so, some playing around in the DOM will fix this up quick proper I think! A little tweak here, a correction there….

There, that looks so much better than before. I wonder what other misguided ideas they have about me. Lets take a little look in the score analysis. Ooooh look, pretty charts with lines on them. They go upwards, this must mean that something great is happening right? Pity the history only goes back a month or so. Guess they don’t like large (i.e. realistic) data sets. Well at least they give a scale on some of these things. Still, just a chart on its own doesn’t help much. Lets see if I can compare a chart from me to a chart from somebody who really HAS some Klout… HD Moore for example. (sorry HD, first name that came to mind)

Wow… if there was ever a result that made you realize that these sort of sites were as useless as a chocolate teapot, it’s this one.

(Almost) no words come to mind to describe this… but I’ll try, as it is a blog after all.

If you think services like this offer you a realistic outlook on who YOU are, then you really need to rethink these misconceptions.

This whole “everybody is special” thing has been taken to the nth degree. Do you think Klout (or any other such service for that matter) is going to tell you that you suck! That you’re boring and nobody cares what you have to say! No… they’re going to tell you what you want to hear using stats, nice graphs and the virtual pat on the back to tell you that you’re great. You’ve unlocked the “Pat on the back” achievement.

None of this makes a difference. People don’t ignore other people who’s Klout number is less than theirs, and I certainly don’t respect people who have a high Klout number especially. Numbers can say anything you want them to say. They can also lie to you.

TL:DR – Stats like this are based on false logic, bad stats and a desire to make you feel “special” about yourself… be your own little special snowflake and ignore this kind of thing! Talk about what you want to talk about, don’t bow to the pressure to be something you’re not!

I’m sorry, but the Catch22 (in)security blog is currently offline due to the ongoing maintenance window!

This post brought to you in association with #ExoticLiabilty

If you’re wondering what Security YMCA is going to be about, then you’re not the only one… I distinctly remember the twitter message that started it all. Ok, actually I don’t… but I know it was a joke that went badly wrong and I know at some point it got sent in for the CFP! We never thought anybody would be silly enough to vote for it. So, you’ve got nobody but yourselves to blame

Together with @f1nux, @seccubus, and @TheSuggmeister we’re going to do our best to edutain you for 30 minutes….

Be warned however, there will be .:

• Outfits
  • yes, it’s not called Security YMCA just for fun!
  • no, not just outfits for us
• Singing
  • this means you as well!
  • lyrics will be provided
  • dancing optional!
• Facts
  • maybe, we’re working on that
  • hey, you can’t have it all!
• A call to action…

At the very least it will be a talk to remember, for good or for bad

I thought long and hard (at least 20 seconds… no really, I did) about releasing this on the internet. Sometimes you just have to believe and starting #winning

The script –> /exploit/multi/everything/tigerblood.rb

* Please note… this is a dangerous script, as can be seen by the fact that it takes no RHOST input. It owns without mercy…. you have been warned!

photo by Neubie (source: Flickr).

I was shifting through some blog comments last night, and came across one that was more than a little interesting (no, not death threats again… been there, done that)

I’m not usually a follower of underground sites or forums, and I certainly don’t go digging about to get price lists of interesting info (bank accounts, paypals, etc..) . So it was more than a little surprising that it came to me… and in response to a blog entry I wrote about Ian Iftach Amit’s Cybercrime|war talk from Blackhat of all things.

The comment below was posted from 41.210.30.66, an IP in Ghana (owned by Ghana Telecom ADSL DYNAMIC ADDRESS POOL). Maybe it’ll be an interesting tid-bit for some of you. For others, it’s an interesting reminder that our info isn’t worth hardly anything anymore!

Something I took away from this is the big difference in price between a US CVV $3, and an EU CVV $10. I’m not sure for the 3x increase in price, any thoughts?

The post below is slightly edited to cover some numbers and remove some FULL dumps… to protect the hopelessly 0wn3d!

Author : paypal1 (IP: 41.210.30.66 , 41-210-30-adsl-dyn.4u.com.gh)
E-mail : paypal.bank1@yahoo.com

PRICELIST OF STUFFS
Logins
Halifax 10K TO 85K
Hsbc 10K TO 80K
Wells 10K TO 90K
Rbc 10 TO 90K
10K TO 90K
Boa 10K TO 90K
Barclays 10K TO 90K
Citi 10K TO 80K
ALL TYPES OF LOGIN ASLO AVAILABLE…

PAYPAL(COUNTRY)
PAYPAL 10K TO 50K

LEADS(ALL COUNTRY)
MILLINOS LEAD WITH UNLIMITED SMTP FOR INBOX DELIVERY=100$

1 US CVV=3$
1 UK CVV=5$
1 EU CVV=10$
FULL CC with mmn,ssn,dob,pin=pm me for price
PHP Mailers inbox=15$
Webmailer=10$

1 US Fullz=30$
1 UK Fullz=35$
1 EU FULLZ=50$

Dump Writer and Reader Machine
MSR206 Reader/Writer 400$

US Dumps (101)(201)
US Mix (20Gold/20Plats/20Biz&Corp/40MCstandard&Classic)
bin of my choice 20$
US Classic 40$
US Debit Classic 50$
US MC Standard 60$
US Gold 100$
US Platinum 120$
US Business/Corporate 120$
US Purchasing/Signature 150$
US MC World 120$

Canada Dumps (101)(201)
Canada Classic 60$
Canada MC Standard 70$
Canada Gold 120$
Canada Platinum 150$
Canada MC WorlD 120$

Europe Dumps (101)(201)
EU Classic 120$
EU MC Standard 100$
EU Gold 140$
EU Platinum 150$
EU Business/Corporate 150$
EU Infinite 200$

ASIA DUMPS (101)(201)
Asia Classic 50$
Asia MC Standard 60$
Asia GolD 120$
Asia Platinum/Business/Corporate 150$

ITALY DUMPS (101)(201)
ITALY CLASSIC 50 $
ITALY PLATIUM 150 $
ITALYINFINIT 200 $
ITALY MC STANDAR =60$

GERMANY DUMPS (101)(201)
GERMANY classic=50 $
GERMANY BUSINESS/CORPORATE/PLATIUM=150 $
GERMANY GOLD=120
GERMANY MC STANDARD=60$

SPAIN DUMPS (101)(201)
SPAIN CLASSIC=50$
SPAIN PLATIUM=150$
SPAIN MC STANDARD=60$
SPAIN BUSINESS=150$
SPAIN INFINITY=200$

MEXICO DUMPS(101)(201)
MEXICO CLASSIC=50$
MEXICO BUSINESS/CORPORATE/PLATIUM=150$
MEXICO GOLD=120$
MEXICO MC STANDARD=60$

!!!! I HAVE ALL COUNTRIES DUMPS +PIN+BIN!!!!

Transfers WESTERN UNION(w u t r f) AND BANK TRANSFER
WU Transfer 10% upfront of whatever amount you want me to transfer for you…
BANK Transfer 10% upfront of whatever amount you want me to transfer for you…
eg: if you want $1000 you will have to pay $100 upfront.

SAMPLE DUMPS+PIN!!!!!!!!!!
Track1 : Xx2176531046971xx^AMY/HILTON M^xx0610127352005210000xx ,
Track2 : xx176531046971xx=xx03101383678xx
Pin : 18xx

Track1=xx325560610187xxWYATT/ROBERTSONxx071011714100002710000xx
Track2=xx325560610187xx=xx0710110000424000xx
pin:56xx

CVV ALL COUNTRY SAMPLE

Demo US
<STRIPPED DEMO DUMPS>

Demo UK
<STRIPPED DEMO DUMPS>

Demo CA
<STRIPPED DEMO DUMPS>

Demo au
<STRIPPED DEMO DUMPS>

demo FR
<STRIPPED DEMO DUMPS>

demo japan
<STRIPPED DEMO DUMPS>

demo italy
<STRIPPED DEMO DUMPS>

demo ger
<STRIPPED DEMO DUMPS>

Weeds also Available

SSN SOCIAL SECURITY NUMBER
DOB DATE OF BIRTH
DL DRIVING LINCENSE
MMN MOTHER MAIDEN NAME

CONTACT INFORMATION

CONTACT US IF YOU DONT UNDERSTAND ANYTHING ABOUT THIS STUFFS AND ALSO IF YOU WANT TO BUY MORE YOU CAN CALL THE NUMBER BELOW OR EMAIL ME:

YAHOO:paypal.bank1@xxxxx.com
ICQ:604716xxx

VALID AND FRESH INFO FOR SELLE PM ME
WE MAKE SURE YOU ARE SATISFIED WITH WHATEVER YOU ARE BUYING AND YOU GET IMMIDIATE DELIVERY OF STUFFS AFTER PAYMENT………WE DONT GIVE DEMO NOR SAMPLES NOR TEST ….. EVERY STUFFS 100% FRESH AND LIVE.

* Sorry about the long post… Contact me for the unedited version (if you have good reason obviously!)

Flash forward to a month later and the selections are made for mentors and mentees…. so, drum roll please….. Who did I get partnered with….. None other than Jayson E. Street (incase you don’t know him… here is a picture). How ironic… especially considering my comments on Twitter when I made my application. Still, Jayson is a friend and a great guy. So I’m sure this will work out great.

So, to my first steps as a mentee…. time to change my image. It needed an update, the fat English guy look wasn’t working for me anyway. So here it is. The new mentee look…

The journey has only just begun…. there are many choices still to be made, and I’m sure Jayson will guide me through them. The hard ones however, I’ll have to make myself….

Hopefully I’ll have made the choice before DefCon rolls around!

Links

• Who’s your mentor baby –> http://blog.c22.cc/2010/05/05/whos-your-mentor-baby
• InfoSecMentors –> http://infosecmentors.com
• InfoSecMentors (Twitter) –> @InfoSecMentors
• Jayson E. Street –> http://www.dissectingthehack.com
• Jayson E. Street (Twitter) –> @JaysonStreet

Snazzy title eh… Well I thought it was apt for the story I’m about to tell. Take a seat children, this ones getting get interesting.

Now, some people in the security industry might already be aware of a company called LIGATT, run by the self proclaimed “World’s No.1 Hacker” Gregory D. Evans. If you’re not aware of him, then you’re one of the lucky ones. I’ll let you form your own opinions, because everybody should be able to make up their own minds. Still, to the point.

As part of my duties for the Eurotrash Security Podcast, I try to arrange interviews with people I think are interesting to talk to. Be that for good or bad reasons. In this case, Gregory Evans was on my list (oooh I feel like Santa) solely to address a number of questions about his recent “book” (together with the associated plagiarism claims), and a few other topics that can only be referred to as dodgy dealings, misguiding people and general nastiness. So starts the story.

– — – — – — – — – — – –

On the evening of Wednesday 16th, I called the offices of LIGATT in Atlanta and asked to speak to Gregory Evans to arrange an interview. After giving my name, I was put through to speak to Gregory to arrange the details. What followed was a short conversation where I explained who I represented (Eurotrash Security Podcast) and what we’d like… i.e. an Interview. Greg ran through what he though about the plagiarism accusations and we arrange to talk again the next evening for a full interview once the whole Eurotrash crew was assembled. When booking the final appointment with his secretary I provided her with the URL of my blog (blog.c22.cc) and she gave me Gregory’s the Skype ID (ligattsecurity) to add ready for the interview.

Less than 15 minutes later, the following comment was received on my blog under the Books (as in book reviews) section.

Now I’m usually a calm guy. People usually like me and I try to get on with everybody equally. I think I do an OK job at that personally. However I don’t like to be threatened…. and threatening my friends and family is certainly stepping across the line.

Now, some things need to be made clear. This message doesn’t give a name. However the information contained within it leaves very little to the imagination, and little doubt who the originator of the message is. This is only compounded when you look at the IP information and track back where in the world this comment originated from. Cue the WHOIS music….

So the IP Address (74.228.197.214) belongs to BellSouth in Atlanta, Georgia. Surprise, surprise, this is the same town where Gregory Evans has his head offices. The very same place I was calling not 15 minutes earlier. I’m sure that’s just a co-incidence though, right!

Anyway, lets break down these colourful words and niceties to see what’s being said.

Chris, 20Plus or what every you want to go by

I usually go by Chris… this is my name after all. It makes sense.

You dick head. I wish I had known it was you I was just on the phone with.

You did know it was me… or at least you would have if you’d a) being paying attention to your secretary, b) not been too busy raging about how you’ve been hard done by and people are wrong accusing you of plagiarism.

I see you have books listed above but you did not write any of them.

This is correct…. just like you, I’ve never written a book. I do however have a few books I’ve read and like to recommend should people want some good books to read. The CEH Study Guide isn’t on the list however. Sorry. In other news it’s also 2010!

If you think that you are better than me, then put up the money and challenge me! If not shut the fuck up! I can out hack you any day.

Sorry, I don’t have a million dollars, and to be honest if I had to sell myself to get it, I’d rather stay without. However seeing as you’ve already being taken up on your challenge by Chris Nickerson, I fail to see the issue here… that is unless you plan to dodge that response and pretend you never saw it. Here’s a screenshot incase you missed it the first few times you were told.

I will now go after you family first! You fucked up! You let me find out who you really are! Now you must go! Bitch!

Right… so by “let me find out who you really are” you mean, I told you who I was. Unlike you, I’m not hiding from things. This is my blog, I have my name on it. I also gave you my name and affiliations on the phone. You really need to concentrate more. Hacking is all about attention to detail! Feel free to use that quote on your Twitter feed… no attribution required!

I will have my friend in your home country tracked down everyone you are friends with and your family and see what you are all about!

No need for tracking me down…. here’s my GPS coordinates (48.850385,15.096588). Please let me know when you’re coming past, I’ll cook fairy cakes or something. On a side-note, we arrest people in Austria for threatening behavior. Come to think of it, I think you do that in the US too. Anyway, lets move on. There’s more!

I have more money and power than you will every have!

See how good this “nigga” is now!

I don’t see any power… all I see is the threats of a little man who’s lashing out at everything and anything he finds threatening. I pity you, really I do.

Now you might have noticed I’ve resisted saying things like “you threaten my family and my friends again and I’ll cram those words down your throat using a strangely large kitchen utensil“… not because I can’t say them, or because I’d need to waste my precious time hunting for an oversized spatula at the local flea market, but because I’m more of a man than to resort to your childish tactics and lower myself to your level.

I can accept you feeling threatened by me and others in the InfoSec community. Threatening me might have seemed like your best plan of action. Intimidate me into silence. Seems like a fair enough game to play. Still, as I said, I draw the line when it comes to my friends and my family. I suggest you think about what you’ve done, take a timeout and re-evaluate your life.

If the susbtitles are a little large and don’t fit the screen, please click the video and view it directly on YouTube’s site.

TV-Total

09 November 2009

Stefan Raab (Host/SR): Now we have a young man with us that, How should I say, some people may see him as a criminal, but he’s a hacker. He’s a very very sincere hacker. He was the youngest hacker to speak before Microsoft and CIA experts at the worldwide hacker conference in Las Vegas. please welcome, Mr Peter Kleissner.

<entrance music>

SR: Hello Peter, you’re 18 years old ?

Peter Kleissner (PK): Yes that’s right.

SR: So how criminal are the things you do ?

PK: Half criminal

SR: Not criminal at all ?

PK: Half criminal

SR: Oh, half criminal ! Have you already had problems with the authorities ?

PK: Partially, but nothing really serious

SR: Why what have you done ?

PK: Because I haven’t done anything very criminal such as hacking into bank accounts…

SR: But you could when you wanted ?

PK: Theoretically

SR: Theoretically ?

PK: Yes

SR: Na na na <roughly translates to tsk tsk, naughty>

<crowd laughs>

SR: So how endangered are normal computer users without much awareness ?

PK: Well I’ve also hacked your website. Yesterday.

SR: You’ve hacked our website ? What have you hacked ? what can you do with it ?

PK: Well when you go on my blog, or on twitter, there’s a link to the TV Total website that says that the program is cancelled.

SR: You can do things like that ?

PK: Yep. The people read that

SR: And then ?

PK: Then they think the program’s cancelled.

SR: Oh ok. You can do that of thing. Very interesting. Do you already know how long you have to spend in jail for that ? or …

PK: Ui <surprised>

SR: .. hasn’t it arrived in the post yet ?

PK: It’s on its way

SR: Can you only do that kind of thing on websites, or could you get access to the private… the private email account of… “Angela Merkel”

PK: Yes, with enough equipment and time

SR: Really ?

PK: It happens all the time that famous people have their accounts hacked and their emails made public. It happens a lot.

SR: What do you have to take care of if you’re a normal computer user ?

PK: When you get an email from me, I wouldn’t open the attachment.

SR: So that means you have to open the email ?

PK: Yes thats the vulnerability.

SR: So if you don’t open up the email from unknown senders then nothing can happen ?

PK: Yes

SR: or is it enough when I’m just online ?

PK: It depends. There are various possibilities.

SR: So you sit in a car with an antenna looking for wireless networks to hack into, so that you can see which porn sites the other people are looking at currently ?

PK: Yes

SR: You could do that ?

PK: Yes. But I don’t

SR: <laughs> Do people think that you don’t do it ?

PK: No

SR: This opens up loads of possibilities. How did you get into it ? what did you have to learn to be able to do it ? Was it hard to learn ? you’re only 18 after all. How long have been look into this subject ?

PK: I started about 2 years ago, I worked for an Anti-virus company and I learnt everything about viruses there.

SR: You have recently done a presentation at the world-wide hacker conference in Las Vegas, and spoken there with Microsoft and CIA experts. Can they learn something from you ?

PK: definitely !

<crowd laughs>

SR: So they can learn something from me, I can tell you how I got into your website and how to prevent it.. as long as you give me money. Is that your business model ?

PK: My business model is that I tell software developers how to secure their systems.

SR: That’s what I said.

PK: Yeah well, kinda.

SR: So you first find a potential customer and show them the failures in their software. In cases where it might happen again you can sell them a system/process to prevent it ?

PK: Exactly

SR: Isn’t that blackmail ?

PK: No. Only the way you say it.

SR: So it’s a business model…

PK: Yes

SR: .. you would say

PK: definitely

SR: Is that how you want to earn money in the future ?

PK: Yes, I already do like this. It works well

SR: Putting all this aside, the hacking of a website is already a criminal act !

PK: Yes

<Peter looks for nearest exit / crowd laughs>

PK: That’s right.

SR: What kind of fines would you have to pay if you got caught ?

SR: If you hack a site like TV-Total and write that the programs cancelled for example !

PK: But normally nobody is interested in that

<crowd laughs>

SR: If nobody goes to court, then there’s no crime ! <proverb>

<crowd laughs>

PK: There’s still foreign countries I can escape too

SR: Ok, but then you’re never allowed back !

PK: <laughs>

SR: That’s not so… Ah yes, you have to go back to Austria. Austrians look forward to going home !

SR: So what does the future hold for you ? You’re still in school correct ? You’re doing your A-Levels ?

PK: Yes

SR: And then ?

PK: I want to go to University. To study Computer Science (Informatik)

SR: I thought you already knew everything  ?

PK: Not everything, there’s still something to learn.

SR: Ok

PK: … and to brag !

SR: To brag ?

PK: Yes. I have to spend my time somehow.

SR: Do you need some special equipment for what you’re doing ?

PK: No a normal notebook is enough.

SR: A normal notebook ? and then the right knowledge.

PK: Exactly.

SR: Understood. So I wish you, at the very least with your legal activities, every success… and keep your fingers away from illegal stuff. Promise me that ?

PK: Yes

SR: Peter Kleissner ladies and gentlemen.

<entrance music>

There’s only so much information you can fit into a 4 minute lightening talk, luckily enough Paula had arranged a breakout room for Q&A after the talk, and it was packed. Seems like it’s not just me and Benny (@security4all) interested in this topic.

If you want to find out more information about Paula’s talk, and Polyphasic sleep in general check out the following links .:

• http://twitter.com/p4ula
• http://en.wikipedia.org/wiki/Polyphasic_sleep
• http://barcampcologne.mixxt.de/networks/wiki/index._sleephacking
• http://hackaday.com/2005/10/16/hacking-sleep/
• http://www.explosiveapps.com/ (iPhone app)
• http://easywakeup.net/ (iPhoone app)
• ….