Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

26C3: Lightning Talks – Day 2

After yesterdays late night with TCP, I decided to kick-off day 2 with a look at the lightning talks. Yesterday’s lightening talk from p4ula on sleep hacking was really interesting (if a little brief), so hopefully there#ll be something here to keep my interest.

The information on the lightning talks at 26C3 can be found on the CCC wiki

MFCUK = MiFare Classic Universal toolKit

MFCUK is an open-source implementation (GPL) that implements the “Nested authentication attack” and “DarkSide attack” using crapto1 libraries. This toolkit is a merger of existing projects – MFOC and MiFare Classic DarkSide Key Recovery.

The MiFare standard is used in a variety of different places, including :

  • Credit-cards
  • Transport
  • Student ID cards
  • Building Access cards/systems

RFID Standard 14443A 13.56 MHz

The next revision of the tool will increase compatibility with card readers and possibly implement support for the Nokia NFC 6131/6212

Stali – Static linux

Primary focus is on statically linked binaries. This distribution is designed to have no dynamically linked libraries.

Project goals:

  • Statically linked binaries only
  • Hand-selected collection of best tools
  • Radically cleansed filesystem structure
  • Focus on end-user adoption

Pros of static linking:

  • Smaller binaries (really!)
  • Less memory footprint
  • More secure userland
  • Better startup performance

More information can be found at http://suckless.org or http://sta.li

Designing for socialization


Looking to create a new iPhone application designed to help people communicate and break out of their social shell.

  • @meetforreal
  • @amonter5

DIY Bookscanner

Scan your own books to allow for full text searching and portable access to physically owned books.

Checkout the website for some great photos of other DIY scanners.

Crypto Stick (Version 2)

GPF Crypto Stick – Is a combination of OpenPGP Card v2 and a smartcard reader. RSA keys length up to 3072 bit (improvement over v1). 3 independent keys (authentication, encryption and signature)

This USB stick is used to store secret keys for things like GnuPG v2, Thunderbird+Enigmail, SSH, etc… The USB device is supported on Linux, Windows and Mac OSX (?). The project is based on open-source hardware and software.

Version 1 (Current)

  • Available for €38 incl. MwSt
  • order: info@privacyfoundation.de

Version 2 (Developement)

  • Includes encrypted flash (MicroSD)
  • dm-crypt/LUKS compatible
  • Strong Aluminium case
  • Securest portable data storage available

More information can be found at http://www.privacyfoundation.de/crypto_stick/ or by emailing info@privacyfounda

Hacking hearing devices

Features of hearing devices :

  • Small and (nearly) invisible
  • Microphones and speakers
  • Powerful signal processing (recognize acoustic settings, direction, filter)
  • Talk to each other
  • Talk to other hardware (phones etc…)

Why hack them – If you can’t open it, you don’t really own it. Free the information and technically interesting. Current information and hardware is proprietary. This means that the devices are expensive, aren’t permitted to be sold on services like eBay (medical devices are prohibited).


  • Allow for parameter adjustment
  • Affordable bluetooth support – Currently very costly
  • Write your own signal processing –  Filter out specific voices 😉
  • Hear more than normal people
  • Use device to spy/record

More information, or to help with the future of the project can be found at http://hackandhear.com or through email at helgar@hackandhaear.com

The distributed rainbow table project. So far over 1.5tb of tables created and indexed.

Focus is on LM/NTLM, MD5, SHA1 (with future work on MySQL (SHA-1) tables)

Common myth – Everyone uses SALTed hashes
Actuality – Systems still used unSALTed hashes on a regular basis

Future developments:

  • More tables
  • Maybe new format (smaller, faster)
  • Maybe cooperation with other projects
  • Maybe YOU as contributor
  • More tables — Less mishaps !

More information can be found at the following locations :

OWASP Favicon enumeration project

Identify software running :

  • Web Server
  • Web app: CMS, Forum, Wiki

For the paranoid, you can change the favicon to prevent enumeration.
Gather the data using modified version of favicon.nse:
nmap -v -sT -iR 0 -p80 -n -PN –script=http-favicon-get.nse -oN nmap-p80-ir-favicon

More information is available at http://kost.com.hr/favicon.php , http://www.owasp.org/index.php/Category:OWASP_Favicon_Database_Project or through twitter @OWASPfavicon

2 responses to “26C3: Lightning Talks – Day 2

  1. kost January 7, 2010 at 01:31

    Thanks for mentioning OWASP favicon. Correct URL of twitter OWASPfavicon is: http://twitter.com/OWASPfavicon

    keep rocking!

  2. ChrisJohnRiley January 10, 2010 at 18:12

    Thanks for the correction. I’ve changed it in the post. Great presentation. Hope to see the project results soon 😉

%d bloggers like this: