Friday 6 December 2013

Tuesday 11 December 2012

So, you take a USB TV tuner and an install of FlightGear, and suddenly you are flying the skies above an ATC building.

Do not try this at home

Brilliant talk at Defcon 20 

Thursday 6 December 2012

Ars Technica totals up the financial damage caused by the newest variant of the Zeus Trojan.

Eurograbber has netted criminals $47 million from European web users.

It is amazing that it is so successful, considering the lengthy process required to get the malware onto the victim's Android or BlackBerry phone.

Friday 30 November 2012

Good work on Smartphones and Pen testing


Wednesday 28 November 2012

Dead Drops meet Hacksaws

Maybe this guy should have thought about this before he started embedding USB keys in walls for everyone to access.

What is stopping folks from putting a little bit of malware on there, like the USB Hacksaw?

Remember the digital landscape has some nasty places.

Wednesday 3 October 2012


NIST Selects Winner of Secure Hash Algorithm

Congrats to Keccak

Small, elegant, multi-platform, with decent performance. Looking forward to checking this one out.

Tuesday 2 October 2012

I love it when folks take a good hack and improve it.

One of the pentesters at my current employer decided to do just that.

Great little hack; it reminds me of the USB Hacksaw hack from years ago.

Going to a hotel that uses Onity locks? Take one of these: a dry-wipe marker that opens hotel doors.

Thursday 13 September 2012

Great Series on encryption

It is great when one of these series comes along.

I would recommend it to anyone wanting to learn about encryption.

Sunday 19 August 2012

Facebook reveals its Oregon Data Centres

I love data centres.

The hum of the fans and the whirring of the servers have always appealed to me.

This place is stunning. Facebook has a great set-up. This really is a next-generation approach to big data and big networks.


Saturday 21 July 2012

This is a beautiful device.

It combines a powerful, intrusive piece of hardware with a stunningly ingenious form factor.

Social engineering expressed in plastic.

Tuesday 5 June 2012

Four Critical Security Flaws

I love it when companies are this honest about their security breaches.

Usually this kind of detail only comes out of large, significant breaches, through court reports and intense scrutiny by journalists.

It is this transparency that allows smaller organisations to lock down their systems.

I find it interesting that the breach occurred through weaknesses in a third party's individual authentication.

Wednesday 22 June 2011

Problems with Passphrases

I saw a great talk at RANT a week ago, and it reassured me that folks are starting to adopt passphrases to defeat rainbow tables and other hash pre-computation attacks.

The basic idea behind passphrases is to use a combination of words to form your password. Take two to six words and type them in to form a long password, much longer than a standard 8-character password. The power of passphrases is that as the password grows longer, the tables must grow bigger at a greater than exponential rate.

They are also much easier to remember than a mixed combination of digits and upper- and lower-case letters.

As an example, "foreigner mudslide apple" is a 24-character password, well beyond the reach of the current, limited rainbow table sets, which top out at 14-character password hashes. A 14-character rainbow table is roughly 186 GB in size; extending it by another 10 characters puts it into the terabyte range. Therefore, passphrases are a good thing.

But the title of this post is Problems with Passphrases, and the problem rests entirely with the folks managing passwords on web and corporate sites. They are putting policies in place that limit password length, disallow non-alphabetic characters and spaces, and basically only allow weaker passwords to be used.

If we are to continue using passwords, these limitations need to change: start accepting longer passwords and passphrases. Again, it is the tech side that seems slowest to pick up the necessary changes.
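The following is an added illustration, not code from the original post. It puts numbers on the two points above (keyspace growth with length, and the site policies that reject long passphrases) and adds one caveat a practitioner would want: if the attacker guesses that the password is dictionary words, the relevant keyspace is word-based, not character-based. The 95-symbol alphabet, the 7776-word list size and the two policies are constructed assumptions.

```python
import math

# Constructed assumptions for the illustration (not figures from the post).
PRINTABLE_ASCII = 95   # symbols a character-level table must cover per position
WORDLIST_SIZE = 7776   # assumed word-list size a dictionary-aware attacker would use

def char_keyspace_bits(length, symbols=PRINTABLE_ASCII):
    """log2 of the number of candidate strings of exactly `length` symbols."""
    return length * math.log2(symbols)

def word_keyspace_bits(word_count, wordlist=WORDLIST_SIZE):
    """log2 of the candidates if the attacker knows it is `word_count` dictionary words."""
    return word_count * math.log2(wordlist)

def table_growth_factor(from_len, to_len, symbols=PRINTABLE_ASCII):
    """How many times more candidates a table covering to_len holds than one covering from_len."""
    return symbols ** (to_len - from_len)

def policy_violations(password, min_len, max_len, allow_spaces, allow_symbols):
    """Return the rules a password breaks under a site policy (empty list means accepted)."""
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    if len(password) > max_len:
        problems.append("too long")
    if not allow_spaces and " " in password:
        problems.append("spaces not allowed")
    if not allow_symbols and not password.replace(" ", "").isalnum():
        problems.append("non-alphanumeric characters not allowed")
    return problems

# Constructed policies: a restrictive one of the kind the post complains about,
# and a passphrase-friendly one.
RESTRICTIVE = dict(min_len=8, max_len=16, allow_spaces=False, allow_symbols=False)
FRIENDLY = dict(min_len=12, max_len=128, allow_spaces=True, allow_symbols=True)

if __name__ == "__main__":
    phrase = "foreigner mudslide apple"   # the post's example, 24 characters
    print(f"14-char keyspace: {char_keyspace_bits(14):.1f} bits")
    print(f"24-char keyspace: {char_keyspace_bits(24):.1f} bits")
    print(f"table growth 14 -> 24 chars: {table_growth_factor(14, 24):.2e}x")
    print(f"3 dictionary words (attacker knows the list): {word_keyspace_bits(3):.1f} bits")
    print("restrictive policy:", policy_violations(phrase, **RESTRICTIVE) or "accepted")
    print("friendly policy:", policy_violations(phrase, **FRIENDLY) or "accepted")
```

The word-based figure is the one to quote when judging passphrase strength against a dictionary-aware attacker; the character-based figure is what a rainbow table must cover.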

Thursday 11 November 2010

Great Post by Merlin Mann

I love this post by Merlin on how people can (mis)treat the people they want work from.

Reminds me of this YouTube video.

Wednesday 6 October 2010

.ly domain space to be considered unsafe

Unfortunately, when there is no central control over domain name registration, this kind of thing can happen.

Article here

The Libyan Domain Name Registry is grabbing back .ly domain names and stating that domain names of fewer than 4 characters in the .ly namespace must be held by Libyan residents. In addition, websites in this domain space must comply with Libyan Sharia law.

Wondering what impact this will have on bit.ly, owl.ly and ad.ly?

Hacking the D.C. Internet Voting Pilot

Very good article on the pilot test of the system that will allow overseas military personnel to vote online.

A shell-injection vulnerability allows remote commands to be executed.

Evil happens when you let the temp file retain commands embedded in its file extension.
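As an added illustration (not code from the article or from the voting system), here is the vulnerable pattern the line above describes, shown beside a hardened version: the unsafe handler pastes the client-supplied file name, extension and all, into a shell command string, while the safe handler keeps only an allow-listed extension, generates its own temp name, and passes an argument list with no shell. The upload directory, the `.pdf` allow-list and the `encrypt-ballot` tool name are hypothetical placeholders.

```python
import os
import secrets
import subprocess

ALLOWED_EXT = {".pdf"}          # assumed: the upload is expected to be a PDF ballot
UPLOAD_DIR = "/tmp/uploads"     # constructed path for the illustration
TOOL = "encrypt-ballot"         # hypothetical program that processes the saved file

def unsafe_command(user_filename):
    """Vulnerable pattern: the client name is spliced into a shell string.
    Whatever follows the last '.' (the 'extension') reaches /bin/sh verbatim.
    Returned for inspection only; never executed here."""
    tmp = os.path.join(UPLOAD_DIR, user_filename)
    return f"{TOOL} {tmp}"

def safe_extension(user_filename):
    """Keep only an allow-listed extension from the client name; reject anything else,
    including names whose 'extension' carries shell metacharacters."""
    ext = os.path.splitext(os.path.basename(user_filename))[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    return ext

def safe_argv(user_filename):
    """Hardened form: server-generated temp name with a vetted extension, returned as an
    argument list so it is passed straight to execve and never parsed by a shell."""
    ext = safe_extension(user_filename)
    tmp = os.path.join(UPLOAD_DIR, secrets.token_hex(8) + ext)
    return [TOOL, tmp]

def run_safely(user_filename):
    # shell=False (the default) means no /bin/sh is involved at all.
    return subprocess.run(safe_argv(user_filename), shell=False, check=False)

if __name__ == "__main__":
    hostile = "ballot.pdf;x"   # constructed: a name whose extension carries a ';'
    print("shell would see:", unsafe_command(hostile))
    print("hardened argv for ballot.pdf:", safe_argv("ballot.pdf"))
    try:
        safe_argv(hostile)
    except ValueError as err:
        print("hardened handler rejected it:", err)
```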

Saturday 28 August 2010

Heads up on the following fallacious information floating around Facebook

Facebook launched Facebook Places yesterday. Anyone can find out where you are when you are logged in. It gives the actual address & map location of where you are as you use Facebook. Make sure your kids know. TO UNDO: go to "Account", "Account Settings", ... "Notifications", then scroll down to "Places" ... and uncheck the 2 boxes. Make ... sure to SAVE changes and re-post this!!

This does not turn off Facebook Places; it simply stops you receiving Facebook Places notifications from friends.

Facebook Places only works from GPS-enabled devices (e.g. iPhone and Android). You need to be running the Facebook app and check in through that app for it to send out notifications of your location.

If you do not want Facebook Places to post your location from your mobile phone, don't use it. Don't check in from your mobile phone. No need to change any settings in Facebook for this.

However, it is important to understand when you agree to an iPhone or Android app sending location information from a GPS mobile phone, what is sent and who it is sent to. It is too easy to click through those dialogues.

Finally, tell your kids not to post anything they would not want handed to them during a job interview. That is the best way to approach this form of self-exposure, rather than trying to keep up with ever-changing privacy settings.

Friday 9 July 2010

Classic Craigslist Money Order Scam in the wild

The story of a girl who got a job and then received a simple request from her new "boss".

-----------

My friend accepted a job as a 'personal assistant' she found on CL. So far her boss, who says he is out of the country in Ireland, has sent her two Western Union money orders for $950 each, and her job was to put the money orders in the bank, take out $300 for her trouble and then send the rest to some other person. (The last one was in Dubai)

This seems incredibly fishy. Is there a reason she shouldn't be doing this? She knows literally nothing about the guy other than his email address, phone number and first name.

UPDATE: She didn't seem to think it was as big of a deal as I do. I think she's embarrassed and doesn't want to admit it. She has a savings account with money in it from modeling or something when she was a kid, so she said if it turns out it was a scam (and not money laundering like she thought at first), she'll just have to pay the money back and be out $1700.

----

This is why Craigslist has this statement at the bottom of the page:

* DEAL LOCALLY WITH FOLKS YOU CAN MEET IN PERSON - follow this one simple rule and you will avoid 99% of the scam attempts on craigslist.
* NEVER WIRE FUNDS VIA WESTERN UNION, MONEYGRAM or any other wire service - anyone who asks you to do so is a scammer.
* FAKE CASHIER CHECKS & MONEY ORDERS ARE COMMON, and BANKS WILL CASH THEM AND THEN HOLD YOU RESPONSIBLE when the fake is discovered weeks later.
* CRAIGSLIST IS NOT INVOLVED IN ANY TRANSACTION, and does not handle payments, guarantee transactions, provide escrow services, or offer "buyer protection" or "seller certification"
* NEVER GIVE OUT FINANCIAL INFORMATION (bank account number, social security number, eBay/PayPal info, etc.)
* AVOID DEALS INVOLVING SHIPPING OR ESCROW SERVICES and know that ONLY A SCAMMER WILL "GUARANTEE" YOUR TRANSACTION.

Wednesday 7 July 2010

The Secret Stash Project


Yiting Cheng does a decent job of showing you how to hide stuff in plain sight.

Wednesday 26 May 2010

Facebook - The Privacy Reality

After seeing a lot of articles about the new Facebook privacy changes, I think the only reasonable response to these and future changes is the following:

Do not post anything on Facebook that you want to keep private

You have to be aware that your posted content and personal information can be sold to a third party without your consent.

Currently, your information can be secured within Facebook using the new privacy settings; however, as has been seen in the recent past, Facebook is highly likely to change its privacy policy again in the future.

So the only control you have as a Facebook user is to limit the information you provide through this social website.