Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: projects

3 Years in the making…

Back on the 21st August 2007 I was sitting at home in Austria writing my first ever blog post. It wasn’t well thought out (I’m sure most things I write aren’t), but it signified a big turning point that has changed my life in so many different ways.

So many things happened 3 years ago, most of which readers to this blog won’t really be interested in. I quit my job as a SysAdmin in Germany. I moved to Austria. I started to REALLY learn German (finally)…. oh, and I went to India for 6 weeks.

The one thing I really remember from that time though, was getting back into things that I’d long forgotten. I spent a lot of time as a kid programming from books (just copying BASIC code from magazines and playing with it mostly). I also spent a lot of time early on in my career really playing with technology, seeing what it could do and how to make things do other more interesting things. Somewhere along the road though, I lost that drive and started to just accept things as they were. I guess using Microsoft technology for too long will force that realization on you. Wow, how depressing…

So what really turned me around and made me love technology again. I attended my first Hacker con…. and yes, it was a REAL hacker con, and not a security conference. I spent a glorious week in a field near Berlin at the Chaos Computer Camp. It was without a doubt the best thing I’ve ever done. Scary as hell… very little German language skill, no friends in the “community”, and no idea where I was going to sleep even (that was sorted by the every friendly Nick “Hackers on a Plane” Farr however…. and for that I’m forever thankful). Even though I came back thinking negative about everything (I realized how little I really knew), I picked myself back up and started on this journey into security.

A little more than 3 years and 267 blog posts on (3 or 4 of which might actually be categorized as “reasonable”), and I still feel like I don’t know anything… but at least I know why now. There’s just too much for 1 person to learn. Security is just such a big field, that you need to pick and choose your targets. Yeah, I’m still not good at that, as can be seen at how much the blog contents twists and turns between topics depending on my mood and interest at the time. Still, people seem to like it. At least the blog stats for the last few years are encouraging.

It still mystifies me somewhat that people come here to read things I write. I’m not the most experienced writer, and sometimes I look back on things I’ve written and feel an overwhelming urge to just click the “Move to Trash” icon. Still, things can only get better… after all, the way I write, they couldn’t get much worse could they :D

So what was this post all about? Well, nothing really. I just didn’t want to let another anniversary slip past without telling that story… oh and next year is the return of the Chaos Computer Camp (it runs on a 4 year cycle). Lets hope I come back feeling more positive this time eh ;)

So here’s to another 3 years. Lets hope I can keep up the pace…

26C3: Lightning Talks – Day 2

After yesterdays late night with TCP, I decided to kick-off day 2 with a look at the lightning talks. Yesterday’s lightening talk from p4ula on sleep hacking was really interesting (if a little brief), so hopefully there#ll be something here to keep my interest.

The information on the lightning talks at 26C3 can be found on the CCC wiki

MFCUK = MiFare Classic Universal toolKit

MFCUK is an open-source implementation (GPL) that implements the “Nested authentication attack” and “DarkSide attack” using crapto1 libraries. This toolkit is a merger of existing projects – MFOC and MiFare Classic DarkSide Key Recovery.

The MiFare standard is used in a variety of different places, including :

  • Credit-cards
  • Transport
  • Student ID cards
  • Building Access cards/systems

RFID Standard 14443A 13.56 MHz

The next revision of the tool will increase compatibility with card readers and possibly implement support for the Nokia NFC 6131/6212

Stali – Static linux

Primary focus is on statically linked binaries. This distribution is designed to have no dynamically linked libraries.

Project goals:

  • Statically linked binaries only
  • Hand-selected collection of best tools
  • Radically cleansed filesystem structure
  • Focus on end-user adoption

Pros of static linking:

  • Smaller binaries (really!)
  • Less memory footprint
  • More secure userland
  • Better startup performance

More information can be found at http://suckless.org or http://sta.li

Designing for socialization

http://www.meetforeal.com/

Looking to create a new iPhone application designed to help people communicate and break out of their social shell.

  • @meetforreal
  • @amonter5

DIY Bookscanner

Scan your own books to allow for full text searching and portable access to physically owned books.

Checkout the website for some great photos of other DIY scanners.


Crypto Stick (Version 2)


GPF Crypto Stick – Is a combination of OpenPGP Card v2 and a smartcard reader. RSA keys length up to 3072 bit (improvement over v1). 3 independent keys (authentication, encryption and signature)

This USB stick is used to store secret keys for things like GnuPG v2, Thunderbird+Enigmail, SSH, etc… The USB device is supported on Linux, Windows and Mac OSX (?). The project is based on open-source hardware and software.

Version 1 (Current)

  • Available for €38 incl. MwSt
  • order: info@privacyfoundation.de

Version 2 (Developement)

  • Includes encrypted flash (MicroSD)
  • dm-crypt/LUKS compatible
  • Strong Aluminium case
  • Securest portable data storage available

More information can be found at http://www.privacyfoundation.de/crypto_stick/ or by emailing info@privacyfounda

Hacking hearing devices

Features of hearing devices :

  • Small and (nearly) invisible
  • Microphones and speakers
  • Powerful signal processing (recognize acoustic settings, direction, filter)
  • Talk to each other
  • Talk to other hardware (phones etc…)

Why hack them – If you can’t open it, you don’t really own it. Free the information and technically interesting. Current information and hardware is proprietary. This means that the devices are expensive, aren’t permitted to be sold on services like eBay (medical devices are prohibited).

Visions:

  • Allow for parameter adjustment
  • Affordable bluetooth support – Currently very costly
  • Write your own signal processing –  Filter out specific voices ;)
  • Hear more than normal people
  • Use device to spy/record

More information, or to help with the future of the project can be found at http://hackandhear.com or through email at helgar@hackandhaear.com

The distributed rainbow table project. So far over 1.5tb of tables created and indexed.

Focus is on LM/NTLM, MD5, SHA1 (with future work on MySQL (SHA-1) tables)

Common myth – Everyone uses SALTed hashes
Actuality – Systems still used unSALTed hashes on a regular basis

Future developments:

  • More tables
  • Maybe new format (smaller, faster)
  • Maybe cooperation with other projects
  • Maybe YOU as contributor
  • More tables — Less mishaps !

More information can be found at the following locations :

OWASP Favicon enumeration project

Identify software running :

  • Web Server
  • Web app: CMS, Forum, Wiki

For the paranoid, you can change the favicon to prevent enumeration.
Gather the data using modified version of favicon.nse:
nmap -v -sT -iR 0 -p80 -n -PN –script=http-favicon-get.nse -oN nmap-p80-ir-favicon

More information is available at http://kost.com.hr/favicon.php , http://www.owasp.org/index.php/Category:OWASP_Favicon_Database_Project or through twitter @OWASPfavicon


Projects are like buses

Photo by by angelocesare (CC)I know, I know, what a strange title for a blog post. Then again, I’ve never really been known for  being the most normal of people bloggers. Then again projects really are like buses. There’s none for ages then 2 come along at once ;) Things have been a little quiet on the blog for several reasons. The first was my nagging neck problem, which I’m hoping is back under control. The second is the start of a few projects that have been in the works for a while now.

  • €urotrash security podcast
  • PenTester Scripting

The €urotrash security Podcast has been in the planning phase for a while now, with the initial meeting to discuss particulars at the recent BruCON conference in Brussels. Episode 1 has just been released, so head over to http://www.eurotrashsecurity.eu and grab a copy. Let us know what you think. As with any new Podcast we’re looking for feedback on how to make things better and cover what you want us to cover. You can load up your favourite RSS reader HERE for updates on the next Podcast release..

The second project I’m involved with came out of a simple remark on Twitter. I’m not much of a scripter, but it’s something I’m looking at improving. When I commented that a SANS course cover scripting for Penetration Testers would be a good thing, Kevin Johnson agreed and the project was born. PenTesterScripting is still in it’s early phases, but we hope it will turn into a place for Penetration Testers to come and find useful scripts to help automate some of the more tedious and long-winded parts of penetration testing. Head over to the site and vote on our logo competition, and feel free to email us scripts you want us to host on the site.

For updates to both projects, follow me on twitter as @ChrisJohnRiley, or follow the projects directly, @PenTesterScript and @EurotrashSec

Follow

Get every new post delivered to your Inbox.

Join 129 other followers