EvilPacket

Low-Cost Heads-Up Display Technology

2008-06-25T15:39:00.000-07:00

http://www.grandideastudio.com/news/patent-granted-for-low-cost-heads-up-display/

"... describes a low-cost method of displaying information optically on an existing eyewear lens."

*drool* please make it into a product someday soon..please!

Fridge Magnet Exploit Code

2008-06-24T15:10:00.000-07:00

Matasano has a great idea.

"It’s a perforated sheet of refrigerator magnets with exploit words on them"

Team psychoholics and Back to the basics

2008-06-23T22:16:00.000-07:00

With Defcon 16 right around the corner that means so is the Mystery Challenge. Flirzan, lastnight (possibly) and I are registered as team psychoholics and are excited to be competing.

In other news I'm excited to be getting more into locksport. I have been interested in lockpicking for a while, but always seem to get distracted by some other shiny object. I need to start with the basics and get some new tools. To get back into the swing of things I ordered a 22 piece pickset from Southord as well as a pimp practice lock from learnlockpicking.com

Is your Wireless Network Secure?

2008-01-25T10:57:00.000-08:00

DC509 Presents: "Is Your Wireless Network Secure?"

DC509, a group of Tri-Cities security professionals, presents their inaugural community outreach presentation at the Kennewick Branch of the Mid-Columbia Library on February 16th at 6:00 PM. Adam Baldwin will discuss wireless security options for home and business networks and methods to secure those wireless networks. The DC509 group will also show just how easily criminals (or your neighbor) can access wireless networks with live demonstrations.

Please bring your wireless network questions, and the group will try to answer them.

The Kennewick Branch of the Mid-Columbia Library is located at 1620 S. Union, in Kennewick. The library closes at 5PM, so you must enter at the side door. This is the first in a continuing series of community outreach programs to help educate and inform our community.

While it is not mentioned in the description, information that is relevant from a recent nGenuity Information Services wireless research project will be included in the presentation, so attend to get a sneak peek before the paper is published.

This is 2007 right?

2007-08-28T19:09:00.000-07:00

No comment necessary for this one. (Crowne Plaza, Houston, TX)

PCI DSS

2007-08-21T22:36:00.000-07:00

Compliance standards like Payment Card Industry Data Security Standard (PCI DSS) help define a minimum set of controls that need to be in place to protect some form of information. In the case of PCI you have card holder data. I have been subjected to working with PCI a lot lately. What I have noticed is that companies are not using PCI (and other standards) to augment their security program, but are building their security program to these minimums.

The approach one should take with compliance programs is to apply them as constraint requirements against their security program. Implement a real security program and along the way make sure you hit the checkmarks for the standard you will be audited against. I believe one actually ends up with a stronger security posture by taking this hybrid approach.

This all may seem like common sense, but you would be surprised at the companies that get this 100% backward.

Tip: Want to know what level of compliance your organization has to be? Compliance levels are owned and decided upon by the card companies themselves. For instance if you accept Visa and do less than 20,000 transactions per year you are level 4.

For more information on PCI DSS:
https://www.pcisecuritystandards.org/

Santizied input vs sanitized output

2007-08-20T22:14:00.000-07:00

In a recent visit to a website I found a xss and sql injection vulnerabilities in which the search capability of the site didn't properly sanitize user input. I reported this to the website owner and they promised to fix it and did the very next day. The problem with the fix. Their coders sanitized the output of the keywords, not the input, so all of the other places on that same page they used those keywords was another injection point using a slightly modified input string.

So if the developer had listened to the original suggestions of input validation they wouldn't have had this secondary issue. I still think that sanitizing output is probably a good idea to avoid any race conditions between time of check and time of use(TOCTOU) in case the value can be manipulated in some other way that might avoid your magical input validation / sanitization.

Example:
http://www.________.com/search/?search=&query=%22%3E%3Cscript%3Ealert%28%22ESRL%22%29%3B%3C%2Fscript%3E%3C

Resources:
Reviewing code for XSS issues at OWASP
GNUCitizen XSS DB
XSS Cheat Sheet (rsnake)

Team Tapeworm

2007-08-20T10:50:00.000-07:00

Even though we got a lowly 5th place in the LosT@Con mysterybox challenge, our team (tapeworm) got listed on the front page of defcon.org.

Other stats of interest from the posting

"Total teams to complete the challenge: 13
Percentage of teams to complete the challenge: 52%
Total Boxen weight (combined): 821.128 lbs ;)"

Reading the signs

2007-08-10T13:26:00.000-07:00

I have been away from home for 2 weeks and in a foul mood because of it. This actually made me laugh when I got to my gate in Houston (IAH).

This made me think. What was the root cause of this crap on the gate board? Was it bad hardware, software bug, l337 h@x0r or just a stupid user at the terminal? How does one efficiently differentiate what is a security incident and what is something else. There is no situation that I can presently think of where a piece of code, hardware or user not performing as expected that does not impact the security of an organization. What is the order of operation an admin should proceed with troubleshooting? Should they consider whatever problem that is encountered to be a security incident and work backwards from there or should they consider it just a problem and until it is proven to be a vulnerability or threat against the company proceed as if it were security related?

Any thoughts?

Mystery Challenge Complete

2007-08-05T18:46:00.000-07:00

Our team finished the LosT@Con mystery challenge at Defcon 15 in 5th place. We completed it in 25 hours and 6 minutes.

The challenge required completing many different tasks.

1. Riddle solving
2. Crypto
3. Lockpicking
4. Social engineering. From what we understand we were the only team that got the maintenance of the hotel to assist with our quest. We were unable to pick the bottom lock soooo we used a drill press. I heard some teams were able to pick it, but I can not confirm that.
5. Constructing a circuit to read a message sent via a led..mmm soldering
6. MORE riddle solving.
..oh and dialing a phone with 1337 skills.

We were told the team has a guaranteed place in next years mystery challenge so we can bypass any pre-qualification round that might be setup, or at least I hope we can.

Defcon Mystery Box - Phase 1 Complete

2007-08-04T02:47:00.000-07:00

At 1:30 AM (not sure what day this is...no really I don't know) it was only Tim, myself and one stranger that decided to wander in and help. This was 12.5 hours after we received the first box. A small purple box containing clues.

1. A pad of paper with 1x21 written in it
2. An alphabet missing the letter e. Letters were printed on little books and were circular cut outs
3. A clue sheet with 185 (or 184 I don't remember) characters of cyphertext.

Lessons learned. Trust your instinct. The reason it took us so long was that we were using the wrong program (algorithm) to decode the text. If we had used the proper one it would have saved ohhhh about 6-8 hours of number crunching madness!

We can't get our hardware box or phase 2 box until morning because LosT has gone to bed.... will post screenshots, etc after the contest is done so I don't leak any info, but then again who the fuck reads this thing anyway?

Viva Las Vegas

2007-07-30T09:37:00.000-07:00

Today is a good day. I'm home for once on a Monday.

Today my BASIC stamp from Parallax arrives. Software is so boring anymore that I'm starting to dive back into hardware. I never did know enough about analog electronics so mixing up the stamp with some other assorted parts should be fun.

I would love to someday put together a hardware WEP cracking device. All of those ap scanners out there that tell you when you have signal should also have a button that cracks the wep key for those wep protected ap's.

Tomorrow I head to Vegas for BlackHat / Defcon. From what I can gather from the speakers and topics this year should be pretty mindblowing. I'm especially interested in take 2 of Intranet hacking via the web browser. Naughty javascript, spank(). I'm interested to see if they bring up the HTML 5 spec and the global storage and sql support...

Defcon 15 - Mystery Challenge

2007-07-24T19:25:00.000-07:00

I have never participated in a contest at Defcon. This year at Defcon 15 I will join four other individuals on a team to participate in the LosT@Con Mystery Challenge. Should be an interesting time considering all the forum banter and pictures I have seen from last years. I will post after the contest is over to tell how we did.