Monday, December 21, 2015

Last minute gifts for Information Security Professionals - 30 under $100 with Amazon Prime

Information Security Professionals, Hackers, and tinfoil hat wearing paranoids are a hard bunch to shop for. With just a few days before Christmas, what do you get for the person that rubs their face and sighs when they hear people talk about the cloud? Are you looking for a unique gift that isn't a black t-shirt with a snarky comment in white? Well, look no further!

The list below is 30 items under $100 available via Amazon Prime. If ordered no later than the 22nd using Amazon Prime, or by spending $25 to qualify for Two-Day Shipping, your gift will arrive for Christmas.

The prices and ability to ship via Prime were accurate at the publishing of this post. They may change at Amazon's discretion.

Merry Christmas, Happy Holidays, and check out the list after the break!

Saturday, April 11, 2015

Hiding in Plain Sight - B-Sides Orlando 2015

The abstract, slides, documents, and files associated with my talk at B-Sides Orlando 2015 can be found below.

Hiding in Plain Sight

B-Sides Orlando 2015 - April 11th, 2015
What if penetration testing programs went a step further? Once legal and ethical approvals are obtained, a device could be placed within the organization to test more than network and application security. By placing a “rogue device” within an organization the general user knowledge of physical IT practices, IT security policies, and awareness of devices in the environment can be evaluated.

This talk will cover creating a penetration platform that can be hidden in plain sight for under $200. The device will be housed in a common item found within many offices and places of business. The device will have a number of camouflage techniques that allow it to blend into the environment to avoid detection.

The device will include remote connection capabilities, wireless and wired attack/monitoring functions, and monitoring methods to let the penetration tester know when the device has been discovered.

The talk will cover:
• Device functions and requirements
• Device materials and build
• Creating a device that “blends in” (Dents, organization standards, asset tags, dust)
• Getting alerts when the device is discovered
• Penetration testing capabilities
• Preventing devices like this in your environment.

This talk will demonstrate how to build a low-cost, flexible, remote penetration testing platform for ethical and legal testing programs that can be hidden in plain sight. The talk will also show the audience some of the techniques an attacker may use to hide monitoring devices within organizations. Knowledge of these techniques may help develop and refine IT practices to discover these devices.

Click here for the Google Drive shared folder including:

  • Talk Slides and Notes
  • Build Guide
  • STL Files for 3D Printed Parts
  • Avery Template
  • RedProx Graphics Files (XCF Format)
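As an added example that is not part of the talk materials or the build guide, here is a defender-side check for the "Preventing devices like this in your environment" bullet: a Python script that reads ISC dhcpd DHCPACK syslog lines and flags clients that are missing from the hardware inventory or whose OUI is registered to a Raspberry Pi organisation. The inventory, hostnames and log lines are constructed; the OUI list is an assumption to verify against the current IEEE registry.

```python
import re

# OUI prefixes registered to Raspberry Pi organisations. Assumption: check
# these against the current IEEE OUI registry before relying on them.
WATCHED_OUIS = {"b8:27:eb": "Raspberry Pi Foundation",
                "dc:a6:32": "Raspberry Pi Trading"}

# Hardware inventory of MACs the organisation expects to see (constructed).
KNOWN_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}

# ISC dhcpd syslog format, e.g.
#   DHCPACK on 10.0.0.55 to b8:27:eb:12:34:56 (raspberrypi) via eth0
DHCPACK_RE = re.compile(
    r"DHCPACK on (\S+) to ([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
    r"(?: \(([^)]*)\))? via (\S+)",
    re.IGNORECASE)

def find_suspect_leases(log_lines, known_macs=KNOWN_MACS):
    """Return one record per DHCPACK whose client is not in the inventory
    or carries a watched OUI, with the reasons it was flagged."""
    hits = []
    for line in log_lines:
        m = DHCPACK_RE.search(line)
        if not m:
            continue  # not a lease acknowledgement
        ip, mac, hostname, iface = m.groups()
        mac = mac.lower()
        reasons = []
        if mac not in known_macs:
            reasons.append("MAC not in hardware inventory")
        vendor = WATCHED_OUIS.get(mac[:8])  # first three octets
        if vendor:
            reasons.append(f"OUI registered to {vendor}")
        if reasons:
            hits.append({"ip": ip, "mac": mac, "hostname": hostname or "",
                         "iface": iface, "reasons": reasons})
    return hits

# Constructed sample log lines, not taken from any real dhcpd.
SAMPLE_LOG = [
    "Nov 26 08:01:02 dhcp1 dhcpd: DHCPACK on 10.0.0.21 to 00:1a:2b:3c:4d:5e (ws-021) via eth0",
    "Nov 26 08:03:17 dhcp1 dhcpd: DHCPDISCOVER from b8:27:eb:12:34:56 via eth0",
    "Nov 26 08:03:18 dhcp1 dhcpd: DHCPACK on 10.0.0.55 to b8:27:eb:12:34:56 (raspberrypi) via eth0",
    "Nov 26 08:05:40 dhcp1 dhcpd: DHCPACK on 10.0.0.60 to 00:11:22:33:44:55 via eth0",
]

if __name__ == "__main__":
    for hit in find_suspect_leases(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['mac']} {hit['hostname']!r}: {'; '.join(hit['reasons'])}")
```

A device can present any MAC address, and a purely passive tap with cellular backhaul never requests a lease, so treat this as one signal alongside switch-port audits and physical walkthroughs.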

Wednesday, January 14, 2015

Weekly Deep Dive: Germany may Secure Communications with Typewriters

This story sat in my draft folder as my human offspring, wife's writing career, Shellshock, and POODLE consumed my life. I think this story is still an interesting blend of old and new security issues that is worth posting.

This story originally broke in July of 2014.

Miss Germany could not be reached for comment on this story.
Multiple stories detailed a German parliamentary committee that examined ways to address NSA spying within Germany. One of the options discussed: switching to mechanical typewriters. You read that correctly, not just typewriters, but mechanical typewriters. The fear is electronic typewriters may prove to have some ability to be monitored.

I adore this: low tech foiling of high tech espionage. Billions of dollars in state-of-the-art monitoring brought down by the humble mechanical typewriter.

The German committee already uses encrypted emails, secure electronic communications, and places their phones in a metal box when convened to prevent eavesdropping.

Would creating documents on a mechanical typewriter really stop the interception of communications? What precautions should the German Parliament take if they use mechanical typewriters?

Are you a security professional working for a law firm or financial institution that still uses electric typewriters? If so, this discussion could be applicable to you. Anything used to create and store information falls into the domain of the information security professional and must be protected.

After the jump we will discuss how typewriters relate to the CIA triad along with ways mechanical typewriters could be monitored. We will also cover how you can create controls to protect typewriters and the documents made on them. 

Monday, January 12, 2015

#PWNED - United States Central Command Twitter Account Hacked

A group claiming to be part of ISIS hacked the US Central Command Twitter profile today in an act of "cyber terrorism". While the attackers were in control of this account they made threats and posted documents with "sensitive military information".

There are a few very important things to note:
There are, however, a few serious concerns, and they aren't items I see making the rounds in news posts.
  • I would hope that US Central Command would realize their Twitter account was at least as hackable as these celebrities.
  • I've heard no confirmation of two-factor authentication being used which is available to anyone with a phone and a Twitter account for free. 
  • Why do these accounts exist in the first place? Is there a public outcry for tweets from Central Command about their goings on? #InternationalMilitaryCollaboration #WhereMyAlliesAt
  • How did they do it? We may never really know. Password resets are tied to email accounts with wildly varying reset processes and security questions. A breach of the email account used for password reset is as good as a breach of the targeted system. Let this story of account access spiraling out of control serve as a cautionary tale. 
I often wonder if accounts like this are not a form of honeypot. A nice sticky gooey Twitter account just begging to be defaced by script kiddies the world over. It's off the DoD network and can be used to gather information about groups that would attack DoD systems were this low hanging fruit not there. A curious thought for sure.

What I would bet on is this:

  1. Somewhere the person in charge of this account is at a table having a terrible, horrible, no good, very bad day.
  2. The person on the other side of the table is ordering someone in DoD telecom to issue a Blackberry that stays locked in a safe at CentCom. This Blackberry will be used just for two-factor twitter authentication.
  3. A team of very serious people are combing through a mountain of log files to determine the source of the unauthorized account access.
In the end... this is a prank. There is egg and that egg is located on someone's face. There is no real danger beyond the shame of a major military organization having their Twitter "pwned".

What can you do to secure your Twitter feed?
Remember, reputation is just as important as information. Protect your accounts even if the information stored on them is low value. Someone could use that access against you and harm your reputation. Just ask @centcom.

Saturday, January 10, 2015

Security Theater: ATM Admin Panel Publicly Accessible


During a stop at my local national chain gas station I found this inexplicable ATM configuration. I did my best to obfuscate a lot of the detail while preserving enough that the details are "there". I also scratched out areas where the chain name is easily seen.

I would've gotten closer, but I didn't want to look like I was casing the place. There is little difference between security research and premeditation. Not to mention, I was not authorized to try and untangle this security rat's nest. Observation is all I could really do.

What you see is the backside of the outside facing ATM. You can also see a touchscreen access panel that, at the time, was giving a number of interesting error codes. The top half seems to be a simple double wafer lock. Based on this talk the key could likely be purchased on the Internet for about $10. There are notes on the ATM regarding how and when to put it in supervisor mode, its ID, who to call for support, etc. The supervisor mode is activated by the rear touch screen.

Sure, there are cameras. Sure, there are people in the store. Sure, the cash is in the vault at the bottom and is better protected. However, I would bet if I walked in looking like an ATM repair guy and introduced myself they would be all too happy to let me go about my business. ATMs are not the bastion of security people think they are and they need to have better security than this. Recently two teenagers "hacked" ATMs using the manufacturer default passwords. At DEF CON 18 there was a wonderful demo on remotely "jackpotting" ATMs to get them to spit out all their cash. All you needed in the demo was access to that top box and a little know-how. Recently these attacks have shown up in Europe.

This is security theater. It makes you feel safe using the device while completely lacking in common sense security.

Sunday, November 23, 2014

Hidden War Dialer Build: Rechristening 2.0

WHAT YEAR IS IT!? Is this a Palm Pilot?
MY LIFE IS A LIE! Nevermind. Raspberry Pi you say?
Tell me more.
Duties in life and work took me away from this project. The end of the year leaves me with some much needed time off. I chose to use some of that time to rededicate myself to this blog and some of its projects. My hope is to present some of these projects at Bsides conferences in 2015.

First, we should talk about the elephant in the room: originally the build was a war dialer hidden inside an APC UPS using an old Sony Clié. That project hit some significant roadblocks.
  • Testing the modem
    • Finding an analog phone line bordered on hilariously difficult. In my circle of friends and places I work these things simply do not exist. You would have thought I was looking for a Pony Express stable that could get an urgent package to the "udder sidea the call-r-ada river."
    • I finally got access to an analog line, but it had its own complications. It was located at an office I did not have access to at the odd intervals I may have time to test. It also did not have a handset nearby to test if the line was actually working.
  • Using the modem
    • The war dialing software was almost a decade old on a platform that is no longer supported using a fork of the PalmOS software and a modem that was not specified in the manual for the war dialer. It was a problem, wrapped in a riddle, where the people that wrote the riddle have all moved on with their lives because the tools are ancient and the idea perfectly insane. Reaching a solution may require a Delorean inside a Tardis.
This is not to say I gave up. I have moved on for now. The project was rechristened: Hidden War Dialer Raspberry Pen Test Build.

Effort will be focused on something a bit more worthwhile: hiding a Raspberry Pi Model B in an APC UPS with a cellular modem and an Ethernet passive tap. The work already started with a 3D print that should be here on the 26th of November. The test print is for the Raspberry Pi case mount that will hold the additional devices in the APC UPS.

The end goal will be to present a device that can be built for around $100 for pen testing that blends seamlessly with a cube farm (Read: Office). 

I will write a follow-up post with what the system should deliver and the desired goals. 

Look for more soon.

Sunday, July 13, 2014

Hidden War Dialer Build: Update

Say hello to my bulky little friend.
This weekend I visited one of my favorite places: SkyCraft in Winter Park, FL. For those not familiar it's an electronics surplus store with all manner of gadgets, old electronics, parts, etc. To be certain it's a Maker heaven and what Tony Stark's trashcan must look like... parts and parts and parts. It has to be seen to truly be understood.

As part of the Back to the Hack series and related to my hidden war dialer project I decided to see if there was a better option to hide my war dialer, Arduino, or Raspberry Pi. In my previous post I said I would use a gutted APC-350 UPS. A trip to SkyCraft and $15 later I found myself with an APC-420. I love how it's well worn, scratched, and has little dents. The device will look like it's been tucked away at a target facility for years. It will be a much roomier home for all my hack-a-tronics and will blend into any cube farm, IDF, or MDF perfectly.

After the jump see the tear down and some of my first thoughts heading into the hidden war dialer build.

Doctor, we are going to need to AMPutate. 

The device I purchased was already sans battery which for my use was perfect. I just need a power strip with a place to hide things. There are boards, transformers, and all manner of other stuff that must be removed. Let's get to gut'in.

It's a pretty decently sized beast. You can see its size using the standard Internet measurement for scale, a banana.

This is where the real goodness happens and why this device is perfect for the task. It will basically function like a power strip once gutted leaving most users unaware of its malicious (Read: Research Project) oriented nature. It will provide power for the electronics on the inside and a network pass-through (either RJ-11 or RJ-45, more on that later).

The inside: Look at that transformer! Just compare it to the banana, it's huge! We are looking at a full partsectomy here.

As if by magic all the parts have been removed. I must advise as not your lawyer or a trained electrician: do not do anything I just did. These devices deal with high voltage and capacitors that may store charge long after the device has been unplugged. Do not open, touch, remove, lick, feed after midnight, bathe, take to prom, share a lease, or perform any other activity not listed by the manufacturer as approved use. Any other use or action could result in a mild to severe case of death. You have been warned.

This part will need to be salvaged. This is the network bypass. The board can be mounted to the case and will leave the outside with a clean professional look. This will also create a connection for the war dialer or can be used later to create a passive network tap.

I may cut it up and then solder wires between the pins. I may get fancy and have a new board custom printed. I'm not sure yet.

The front control panel ribbon connector was directly soldered to the main board. I cut the ribbon leaving the board in place. My intention is to drill out or wire in a new LED that lights up when the device is powered. This should simulate what the device looks like when it's in normal operation.

The inside is pretty straightforward as power goes. I should be able to connect these directly to the inbound power and add another outlet on the inside to power my devices.

Here is one of the first problems: the removed main board has the serial port attached. To make this a clean build the serial port hole needs to be filled. Leaving the hole would definitely raise suspicions.

The front bezel leaves an excellent area to hide antennas for WiFi or cellular connections to be included in future builds. Placing any antennas outside the metal box, but covered by the plastic bezel, should work very well.

Gutted and ready to start building! The main concern here will be weight. The device is now very light. Metal plates will need to be added. If someone were to pick up the device after deployment the lack of weight may raise questions.

More than enough room for the war dialer or a Raspberry Pi or both!


Next steps:
  1. Wire a third internal power outlet.
  2. Fabricate either 3D printed mounts for hardware or hand build them.
  3. LED light to fake normal operation of the unit.
  4. Modify RJ-11/RJ-45 bypass for war dialer or Raspberry Pi.
  5. Adjust for the weight of the missing transformer and battery.
  6. Fill in serial hole with a DB-9 serial port.