Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

October 6, 2019

Getting Started in Bug Bounty

Filed under: Bugs,Cybersecurity,Hacking — Patrick Durusau @ 8:11 pm

The key lesson here is that hours and hours of practice are required. There’s no shortcut to avoid putting in the time to learn your tools and the weaknesses they are best at detecting.

Reminder, as of October 7, 2019, there are 270 working days left until the 2020 elections in the United States. Use your time wisely!

October 4, 2019

Follow the Link: Exploiting Symbolic Links with Ease

Filed under: Hacking,Microsoft — Patrick Durusau @ 3:17 pm

Follow the Link: Exploiting Symbolic Links with Ease by Eran Shimony.

In the first part, we will explore the attack vector for abusing privileged file operations bugs along with how to fix those bugs. To start, we will walk through CVE-2019-1161, a vulnerability in Windows Defender that can be exploited to achieve Escalation of Privileges (EoP), for which Microsoft released a patch in August’s Patch Tuesday.

Hundreds of millions of Windows machines, any machine running Windows 7 and above, are vulnerable to the arbitrary delete vulnerability. A malicious user can abuse Windows Defender to delete any file he wants with NT AUTHORITY\SYSTEM privileges. The vulnerability lies in a process named MpSigStub.exe, which is executed by Windows Defender with high privileges. This process suffers from an impersonation issue that could lead to EoP using Object Manager symlinks.

Prepare for the 2020 election season by refreshing your memory on Windows hacks. If MS marketing is to be believed, 1.5 billion people use Windows every day. Odds are an office or organization of interest to you uses Windows.

Shimony’s walkthrough on symbolic links leaves us at:

Nevertheless, we can either create a file in an arbitrary location or delete any desired file that might lead to full privilege escalation in certain cases.

It’s a starting place and I’m looking forward to the next installment!

September 28, 2019

2020 General Election: How Are Your Hacking Skills?

Filed under: Hacking,Politics — Patrick Durusau @ 3:53 pm

5 Websites That Teach You How to Hack Legally by Simon Batt.

Despite news stories of hacks ranging from health providers to porn sites, you don’t hear of hacks of members of Congress. There is an off chance that security for congressional IT is that good. That’s possible but I suspect the real answer is most hackers are looking to make money, not political noise.

But the only way to know if congressional IT security is that good, is to develop hacker skills yourself and get hired to test their security.

The websites Batt has collected will give you a jump start on developing the sort of hacking skills you will need to test, with permission, congressional IT. Who knows? You may be able to add congressional websites to the IT hacking news.

Circulate this and encourage others to develop hacking skills so every member of Congress will have the opportunity for their IT security to be tested.

May 17, 2019

Declining Hacktivism

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:24 pm

A 95% drop in hacktivist attacks since 2015 is explained by Cimpanu as mostly due to the decline of the Anonymous hacker collective, described as:

But nothing has led to the group’s demise more than the inefficiency of most of its attacks. Defacing websites and launching DDoS attacks rarely gets anything done.

Neither does stealing data from websites that are completely unrelated to a specific topic. In many cases, Anonymous hackers ended up dumping personal user information into the public domain and hurting innocent people for ridiculous causes, attracting both scorn and ridicule.

Most hacking attacks don’t have the impact of an AGM-114 Hellfire missile at a BP Oil shareholders meeting. Granted, but that’s hardly a criterion for hacking success.

Cimpanu’s “hurting innocent people for ridiculous causes” captures his allegiance to oppressive status quo systems better than any invective from me. Would dumping the personal information of DoD employees qualify? Or DoD employees with their deployments overseas, matching them up with locations for anyone looking for likely suspects in war crimes? There are parts of the world where that would be a very popular database.

Cybersecurity degrades with every hire and new 0days appear on a regular basis. Now should be a golden age of hacktivism, save for next year, which will be even better.

Don’t be discouraged by law enforcement puffery about stopping hackers. If they are that good, why are children being sold for sex through the Atlanta airport? Or drugs pouring across the border in large cargo trucks? Or banks being robbed for that matter. Don’t they know where all the banks are located?

I’m hopeful the headlines next year will declare hacktivism is on the rise, don’t you?

May 16, 2019

RIDL and Fallout: MDS attacks (Intel Chips)

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 2:50 pm

RIDL and Fallout: MDS attacks

From the webpage:

The RIDL and Fallout speculative execution attacks allow attackers to leak private data across arbitrary security boundaries on a victim system, for instance compromising data held in the cloud or leaking your data to malicious websites. Our attacks leak data by exploiting the 4 newly disclosed Microarchitectural Data Sampling (or MDS) side-channel vulnerabilities in Intel CPUs. Unlike existing attacks, our attacks can leak arbitrary in-flight data from CPU-internal buffers (Line Fill Buffers, Load Ports, Store Buffers), including data never stored in CPU caches. We show that existing defenses against speculative execution attacks are inadequate, and in some cases actually make things worse. Attackers can use our attacks to leak sensitive data despite mitigations, due to vulnerabilities deep inside Intel CPUs.

In addition to being a great post, there is an interactive image of the Intel chip with known vulnerabilities in color.

The uncolored areas may have unknown vulnerabilities.

Good hunting!

0day “In the Wild” (05-15-2019)

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 1:56 pm

0day “In the Wild”

Catalin Cimpanu tweeted that Google has updated its 0day “In the Wild” spreadsheet.

For an introduction to the spreadsheet, see Zero Day.

Given update rates, the earliest zero days from 2014 probably have another five (5) years of useful life left. Perhaps more with government installations.

Enjoy!

April 24, 2019

Metasploit Demo Meeting 2019-04-23

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 1:05 pm

Metasploit Demo Meeting 2019-04-23

Entertaining and informative update for metasploit. Billed as:

The world’s most used penetration testing framework.

Knowledge is power, especially when it’s shared. A collaboration between the open source community and Rapid7, Metasploit helps security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness; it empowers and arms defenders to always stay one step (or two) ahead of the game.

Enjoy!

Deobfuscating APT32 Flow Graphs with Cutter and Radare2 [Defining “foreign” government]

Filed under: Cybersecurity,Government,Hacking,Radare2 — Patrick Durusau @ 12:30 pm

Deobfuscating APT32 Flow Graphs with Cutter and Radare2 by Itay Cohen.

The Ocean Lotus group, also known as APT32, is a threat actor which has been known to target East Asian countries such as Vietnam, Laos and the Philippines. The group strongly focuses on Vietnam, especially private sector companies that are investing in a wide variety of industrial sectors in the country. While private sector companies are the group’s main targets, APT32 has also been known to target foreign governments, dissidents, activists, and journalists.

APT32’s toolset is wide and varied. It contains both advanced and simple components; it is a mixture of handcrafted tools and commercial or open-source ones, such as Mimikatz and Cobalt Strike. It runs the gamut from droppers, shellcode snippets, through decoy documents and backdoors. Many of these tools are highly obfuscated and seasoned, augmented with different techniques to make them harder to reverse-engineer.

In this article, we get up and close with one of these obfuscation techniques. This specific technique was used in a backdoor of Ocean Lotus’ tool collection. We’ll describe the technique and the difficulty it presents to analysts — and then show how bypassing this kind of technique is a matter of writing a simple script, as long as you know what you are doing.

The deobfuscation plugin requires Cutter, the official GUI of the open-source reverse engineering framework – radare2. Cutter is a cross-platform GUI that aims to expose radare2’s functionality as a user-friendly and modern interface.  Last month, Cutter introduced a new Python plugin system, which figures into the tool we’ll be constructing below. The plugin itself isn’t complicated, and neither is the solution we demonstrate below. If simple works, then simple is best.

Way beyond my present skills but I can read and return to it in the future.

I don’t know how Cohen defines foreign government but for my purposes, a foreign government is one that isn’t paying me. Simple, direct and to the point. That may be a U.S.-centric definition. The U.S. government spends $billions on oppressing people around the world but cybersecurity sees it with a begging cup out for volunteer assistance. On a scale of volunteer opportunities, the U.S. government and its fellow travelers should come out dead last.

Government Countermeasures, Traffic Cams

Filed under: Government,Hacking,Protests — Patrick Durusau @ 10:52 am

If you use public feeds from traffic cams to guide or monitor disruptions, Public Spy (Traffic) Cams, or “leak” that you are using public feeds in that manner, government authorities are likely to interrupt public access to those feeds.

The presence of numerous wi-fi hotspots and inexpensive wi-fi video cameras suggests the most natural counter to such interruptions.

Unlike government actors, you know which locations are important, which disruptions are false flags (including random events that attract attention), and you benefit from public uncertainty caused by any interruption of public services, such as traffic cams.

As an illustration and not a suggestion, if cars caught in gridlock come under attack, say a pattern of attacks over several days, motorists caught in ordinary gridlock become more nervous and authorities view accidents or other causes with heightened suspicion. Whether you are the cause of the gridlock or not.

Authorities suffer from apophenia, that is “seeing apparently meaningful connections between unrelated patterns, data or phenomena.” See also What is pareidolia? (a sub-class of apophenia). Perhaps more than apophenia, because actively searching for patterns makes them more likely to discover false ones. With an eye for patterns, you can foster their recognition of false ones. [FYI, false patterns are “subjects” in topic maps. May include data on their creation.]

April 23, 2019

Weaponized USB Drives and Beyond

Filed under: Cybersecurity,Government,Hacking — Patrick Durusau @ 8:19 pm

Weaponized USB devices as an attack vector by Alex Perekalin.

USB devices are the main source of malware for industrial control systems, said Luca Bongiorni of Bentley Systems during his talk at #TheSAS2019. Most people who are in any way involved with security have heard classic tales about flash drives “accidentally” dropped in parking lots — it’s a common security story that is just too illustrative not to be retold again and again.

Perekalin takes us beyond flash drives with a reminder that any USB device can be an attack vector.

An incomplete list of USB devices includes:

  • Speaker
  • Microphone
  • Sound card
  • MIDI
  • Modem
  • Ethernet adapter
  • Wi-Fi adapter
  • RS-232 serial adapter
  • Keyboard
  • Mouse
  • Joystick
  • Webcam
  • Scanner
  • Laser printer
  • Inkjet printer
  • USB flash drive
  • Memory card reader
  • Digital audio player
  • Digital camera

Just to name some of the more common ones. 

So it’s a little more expensive to do: “Congratulations! You were selected at random for a free digital camera!” (make sure it is a nice one) If it gets you inside the ******* agency, it’s worth every penny. Weaponized USB devices should be a standard part of your kit.

April 3, 2019

Reversing WannaCry Part 1 – [w/] #Ghidra

Filed under: Cybersecurity,Ghidra,Hacking — Patrick Durusau @ 7:43 pm

From Ghidra Ninja

From the description:

In this first video of the “Reversing WannaCry” series we will look at the infamous killswitch and the installation and unpacking procedure of WannaCry.

The sample can be found here: https://www.ghidra.ninja/posts/03-wannacry-1/

Twitter: https://twitter.com/ghidraninja

Links:

Interview with MalwareTech: https://soundcloud.com/arrow-bandwidth/s3-episode-11-wannacry-interview-with-malware-tech-at-infosec-europe-2017

MalwareTech’s blogpost about the killswitch: https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

Further reading

Wikipedia: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

LogRhythm Analysis: https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/

Secureworks Analysis: https://www.secureworks.com/research/wcry-ransomware-analysis

Unless you are a very proficient Windows reverse engineer, be prepared to pause the video repeatedly! A level of comfort to aspire to.

April 1, 2019

radare2 r2-3.4.0

Filed under: Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 6:59 pm

https://www.radare.org/r/

Now there’s a bold claim! Is that true? Only one way for you to know for sure! Well, what are you waiting for? Download r2-3.4.0 today!

March 31, 2019

Ghidra quickstart & tutorial: Solving a simple crackme

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 6:52 pm

Ghidra quickstart & tutorial: Solving a simple crackme

In this introduction to Ghidra we will solve a simple crackme – without reading any assembly!

The first of several Ghidra tutorials by Ghidra Ninja. Be sure to follow on Twitter!

March 30, 2019

ARM Assembly Basics

Filed under: ARM,Assembly,Cybersecurity,Hacking,Security — Patrick Durusau @ 8:51 pm

ARM Assembly Basics by Azeria.

Why ARM?:

This tutorial is generally for people who want to learn the basics of ARM assembly. Especially for those of you who are interested in exploit writing on the ARM platform. You might have already noticed that ARM processors are everywhere around you. When I look around me, I can count far more devices that feature an ARM processor in my house than Intel processors. This includes phones, routers, and not to forget the IoT devices that seem to explode in sales these days. That said, the ARM processor has become one of the most widespread CPU cores in the world. Which brings us to the fact that like PCs, IoT devices are susceptible to improper input validation abuse such as buffer overflows. Given the widespread usage of ARM based devices and the potential for misuse, attacks on these devices have become much more common.
Yet, we have more experts specialized in x86 security research than we have for ARM, although ARM assembly language is perhaps the easiest assembly language in widespread use. So, why aren’t more people focusing on ARM? Perhaps because there are more learning resources out there covering exploitation on Intel than there are for ARM. Just think about the great tutorials on Intel x86 Exploit writing by Fuzzy Security or the Corelan Team – Guidelines like these help people interested in this specific area to get practical knowledge and the inspiration to learn beyond what is covered in those tutorials. If you are interested in x86 exploit writing, the Corelan and Fuzzysec tutorials are your perfect starting point. In this tutorial series here, we will focus on assembly basics and exploit writing on ARM.

Written in the best tradition of sharing technical knowledge and skill, this is your ticket to over 100 billion ARM powered devices. Not all of them of interest and/or vulnerable, but out of 100 billion (higher now) you will be kept busy.

Enjoy!

March 29, 2019

Pentagon Adopts Hostile Adoption Strategy

Filed under: Cybersecurity,FBI,Government,Hacking,Security — Patrick Durusau @ 10:44 am

Pentagon’s Multibillion-Dollar DEOS Contract is Guaranteed for Microsoft

High-five traffic saturated networks between groups of North Korean, Chinese and Russian hackers when they read:

In the coming weeks, the Pentagon—through its partner, the General Services Administration—will bid out a cloud-based contract for enterprisewide email, calendar and other collaboration tools potentially worth as much as $8 billion over the next decade.

Yet former defense officials, contracting analysts and industry experts tell Nextgov the Defense Enterprise Office Solutions contract is one that tech giant Microsoft—with its Office 365 Suite—simply cannot lose.

Yes, the Pentagon, through a variety of bidders, all of whom offer Microsoft based solutions, is adopting a hostile adoption strategy, described as:

According to Defense Department spokeswoman Elissa Smith, the intent is for DEOS to replace all the disparate, duplicative collaboration tools Defense Department agencies use around the world. Components, including the Army, Navy and Air Force, “will be required” to use the same cloud-based business tools.

“It is expected that DEOS will be designated as an enterprise solution for DOD-wide adoption and organizations,” Smith told Nextgov. “Components that have already implemented different solutions with similar functionality will be required to migrate to DEOS.”

You may remember how successful the FBI Virtual Case File project was, $170 million in the toilet, where local FBI offices were to be “forced” to migrate to a new system. Complete and utter failure.

Undeterred by previous government IT failures, the Pentagon is upping the stakes 47 X the losses in the FBI Virtual Case File project and, even more importantly, risking national security on hostile adoption of an unwanted product.

If that weren’t bad enough, the Office 365 Suite offers a security single point of failure (SPOF). Once the system is breached for one instance, it has been breached for all. Hackers can now abandon their work on other systems and concentrate on Microsoft alone. (A thanks on their behalf to the Pentagon.)

Hackers are unlikely to take up my suggestion because an eight year slog to complete failure leaves non-Microsoft systems in operation during and past the project’s failure date. Not to mention that a hostile transition to an unwanted system is likely to leave openings for exploitation. Happy hunting!

February 23, 2019

USA Confirms Hacking Only Viable Path To Transparency

Filed under: Government,Hacking,Transparency — Patrick Durusau @ 5:12 pm

After years of delays and democratic regression, USA releases weak open government plan from: E Pluribus Unum

From the post:

If the American public wants to see meaningful progress on transparency, accountability or ethics in U.S. government, it should call on Congress to act, not the Trump White House.
With little fanfare or notice, the United States of America has published a fourth National Action Plan for Open Government for the Open Government Partnership (OGP). The USA was automatically placed under review in January, but not because of two years of regression on transparency, accountability, and brazen corruption. The plan was simply late, after failing to deliver a new plan for the multi-stakeholder initiative for years.
The new “national action plan” is notable for its lack of ambition, specificity or relevance to backsliding on democracy in the USA under the Trump administration.

Calling on the U.S. Congress for “…meaningful progress on transparency, accountability or ethics in U.S. government…” is a jest too cruel for laughter.

The current U.S. president has labored mightily to reduce government transparency but Congress is responsible for the crazy quilt laws enabling agencies to practice secrecy as their default position. Any sane system of transparency starts with transparency as the default setting, putting the burden of secrecy on those who desire it.

You can waste supporter dollars on yearly tilts at the transparency windmill in Congress, or bi-annual elections of members of Congress who promise (but don’t deliver) transparency, or presidential elections every four years. The resulting government structures will not be meaningfully more transparent at any future point in time.

If you see a viable (as in effective) alternative to hacking as a means of making government transparent, please leave it in a comment below.

February 18, 2019

Kali Linux 2019.1 Release (With Metasploit 5.0)

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 2:29 pm

Kali Linux 2019.1 Release

From the post:

Welcome to our first release of 2019, Kali Linux 2019.1, which is available for immediate download. This release brings our kernel up to version 4.19.13, fixes numerous bugs, and includes many updated packages.

The big marquee update of this release is the update of Metasploit to version 5.0, which is their first major release since version 4.0 came out in 2011.

To the extent any mainstream media outlet can be credited, information security in general continues to decline. Even so, it’s better to be at the top of your game with the best tools than not.

Enjoy!

r2con 2019 – A Sensible Call for Papers

Filed under: Conferences,Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 2:20 pm

r2con 2019 – Call for Papers

The call for papers in its entirety:

Want to give a talk in r2con? Please send your submission to r2con@radare.org with the following information in plain-text format:

  • Your nick/name(s)
  • Contact information (e-mail, twitter, telegram)
  • Talk title and description with optional speaker bio
  • Length: (20 or 50 minutes)

Such a contrast from conferences with long and tiresome lists of areas included, implying those not listed are excluded. You know the type so I won’t embarrass anyone by offering examples.

For more details, check out r2con 2018, 22 videos, r2con 2017, 16 videos, or r2con 2016, 25 videos.

If after sixty-three (63) videos you are uncertain if your talk is appropriate for r2con 2019, perhaps it is not. Try elsewhere.

February 11, 2019

A Quick Guide to Spear Phishing

Filed under: Cybersecurity,Hacking,Phishing for Leaks — Patrick Durusau @ 4:28 pm

How cybercriminals harvest information for spear phishing by Anastasiya Gridasova.

From the post:

In analyzing targeted attacks over the past decade, we continually find a recurring theme: “It all started when the victim opened a phishing e-mail.” Why are spear-phishing e-mails so effective? It’s because they are contextualized and tailored to the specific victim.

Victims’ social networks are often used as a source of information. Naturally, that leads to the question: How? How do cybercriminals find these accounts? To a large extent, it depends on how public the victim is. If someone’s data is published on a corporate website, perhaps with a detailed biography and a link to a LinkedIn profile, it’s quite simple. But if the only thing the cybercriminal has is an e-mail address, the task is far more complicated. And if they just took a picture of you entering the office of the target company, their chances of finding your profile in social networks are even lower.

A quick but useful introduction to gathering social data for spear phishing. The more experience you gain at spear phishing the more sources you will add to those mentioned here.

Just as an observation: Detailed biographies of management teams for large institutional investors (think oil pipelines and the like) are published online and in a number of other sources.

BTW, to avoid being taken in by a phishing email, don’t use links sent in email. Ever. From any source. The act of copying them for use will direct your attention to the link. Or it should.
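As an added example in the spirit of the advice above (not code from Gridasova’s post or from this blog), here is a Python check that pulls every link out of an HTML e-mail body and reports where the text a reader sees does not match where the link actually goes. The message, hostnames and IP address are constructed for illustration.

```python
"""Audit the links in an HTML e-mail body before anyone uses them.

Added example; not from the Kaspersky post or this blog. SAMPLE_EMAIL and
every host in it are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anchor text that itself looks like a URL or domain, e.g. "https://x.example.com/login".
_DOMAIN_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self._href = None   # href of the <a> currently open, else None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Host of a URL, lower-cased, without credentials or port ('' if none)."""
    return (urlsplit(url).hostname or "").lower()


def _same_site(shown, actual):
    """True when the displayed host is the real host or a parent/child of it."""
    return shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)


def audit_links(html):
    """One finding per link: href, real host, visible text, and the reasons
    (possibly none) the link deserves a second look before it is used."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        link_host = _host(href)
        shown = _DOMAIN_LIKE.match(text)
        shown_host = shown.group(1).lower() if shown else None
        if shown_host and not _same_site(shown_host, link_host):
            reasons.append(f"displays {shown_host!r} but points to {link_host!r}")
        if urlsplit(href).username is not None:
            reasons.append("credentials in the URL authority obscure the real host")
        if _IPV4.fullmatch(link_host):
            reasons.append("bare IP address instead of a hostname")
        findings.append({"href": href, "host": link_host, "text": text, "reasons": reasons})
    return findings


def suspicious(html):
    """Only the findings that carry at least one reason."""
    return [f for f in audit_links(html) if f["reasons"]]


# Constructed message: one look-alike link, one honest intranet link, one bare-IP link.
SAMPLE_EMAIL = """<html><body>
<p>Your mailbox is almost full. Please sign in at
<a href="https://login.example.com.mail-check.invalid/auth">https://login.example.com</a>
to keep receiving mail.</p>
<p>Reference: <a href="https://intranet.example.com/tickets/4182">ticket 4182</a></p>
<p>Need help? <a href="http://203.0.113.7/help">Support portal</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        flag = "SUSPECT" if finding["reasons"] else "ok     "
        print(flag, finding["href"], "|", finding["text"], "|", "; ".join(finding["reasons"]))
```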

January 30, 2019

Cyber Threats, The Modern Maginot Line … Worldwide Threat Assessment

Filed under: Cybersecurity,Hacking,Intelligence — Patrick Durusau @ 8:30 pm

Worldwide Threat Assessment of the US Intelligence Community

From the report:

China has the ability to launch cyber attacks that cause localized, temporary disruptive effects on critical infrastructure — such as disruption of a natural gas pipeline for days to weeks — in the United States.

I won’t shame the alleged author of this report by naming them.

This is a making-the-case-for-a-bigger-budget document and not a report to be taken seriously.

For example, I would re-write this item to read:

Any country with a budget large enough to rent earth moving equipment has the ability to cause disruptive effects on critical infrastructure — such as disruption of a natural gas pipeline for months — in the United States.

Think about the last time you heard of a contractor disrupting a gas or water main. Now improve upon that memory with the pipe being one that transports oil, natural gas or other petroleum products across state lines.

If you were planning on disrupting critical infrastructure in the US, would you fund years of iffy research and development for a cyber attack, or spend several thousand dollars on travel and equipment rental?

Cyber defense of utility infrastructure is a modern Maginot Line. It’s true someone, a very stupid someone, could attack that way, but why would they in light of easier and surer methods of disruption?

No one associated with the report asked that question because it’s a collaborative budget increase document.

PS: The techniques overlooked in the Worldwide Threat Assessment are applicable to other countries as well. (Inquire for details.)

January 25, 2019

Setting Up A Hardware Hacking Lab (How Do You Hide An Oscilloscope?)

Filed under: Cybersecurity,Hacking,IoT - Internet of Things — Patrick Durusau @ 9:24 pm

Setting Up A Hardware Hacking Lab

From the post:

One of the questions I receive more than any other is “What tools do you use for hardware hacking?” or “What tools should I buy to get started with hardware hacking?”. Rather than wasting a bunch of time answering this every time someone asks, I’ve decided to write a blog post on the subject! It’s worth noting that YOU DON’T NEED EVERYTHING on this list in order to get started. The general idea of this post is that you would pick one tool from each category and by the time you’re done you’ll have a planned out and versatile setup. Also, I’m going to try my best to add tools that fit all different budget levels.

Before you get to the oscilloscope section, you are outfitted for less than $100, enough tooling to start developing your skill set so you can take full advantage of an oscilloscope in your hardware hacking future.

Not to mention law enforcement visitors will key on an oscilloscope, having only seen them in very bad sci-fi adventures. You might be a space alien or something. Creative ways to conceal an oscilloscope?

January 19, 2019

Targeting Government Contractors/Subcontractors (U.S.)

Filed under: Cybersecurity,Government,Hacking — Patrick Durusau @ 8:18 pm

You may have seen: China’s been hacking Navy contractors for 18 months, new report reveals, which among other things says:

“It’s extremely hard for the Defense Department to secure its own systems,” Bossert said. “It’s a matter of trust and hope to secure the systems of their contractors and subcontractors.”

Subcontractors of all branches are frequently attacked by hackers due to inadequate cybersecurity measures. Officials say subcontractors are not being held accountable for those inadequacies.

Sadly, that article and the WSJ report it summarizes, Chinese Hackers Breach U.S. Navy Contractors, fail to provide any actionable details, like which Navy subcontractors?

If you knew which subcontractors, you could target advertising of your services to strengthen their defenses or not be outdone by alleged Chinese hackers. I say “alleged Chinese hackers” because attribution of hacking seems to follow a “villain of the week” pattern. Last year it was super-human North Koreans, or was that the year before? Then it has been the Russians and Chinese off and on. Now it’s the Chinese again.

To correct the lack of actionable data in those reports, I have a somewhat dated (2014) RAND report, Findings from Existing Data on the Department of Defense Industrial Base by Nancy Young Moore, Clifford A. Grammich, Judith D. Mele, that gives you several starting places for finding government subcontractors.

I need to extract the specific resources they list and update/supplement them with others but for weekend reading you could do far worse.

Think of this as one example of weaponizing public data. There are others. If gathered in book form, would you be interested?

January 17, 2019

Pirate Radio Historic Texts – Where To Go From Here

Filed under: Cybersecurity,Hacking,Radio — Patrick Durusau @ 9:07 pm

Pirate Radio: two downloadable manuals

From the webpage:

Two terrific manuals on Pirate Radio available for free download: The Complete Manual of Pirate Radio, by Zeke Teflon, has technical information on building a radio – including wiring diagrams, mobile operations, parts, testing and getting away with it. Seizing the Airwaves from AK Press, edited by Ron Sakolsky and Stephen Dunifer, provides some great context for Pirate Radio, including historic pirate radio stations, the fable of free speech, community radio, what to do when the FCC come knocking, and a lot more (209 pages of it!).

“Seizing the Airwaves” (219 pages) was published in 1998 and I suspect “The Complete Manual of Pirate Radio” is the older of the two because it mentions tubes in transmitters, cassette tapes and the ARRL Handbook costing $20. (It’s now $49.95.)

These two works are interesting historical artifacts in the Internet Age, but a new copy of the ARRL Handbook (2019) is an entirely different story.

It was just a day or two ago that I wrote about wirelessly seizing control of construction equipment in Who Needs a Hellfire™ Missile When You Have a Crane?.

The airways are full of unseen but hackable data streams. How do emergency and government services communicate? What do monitors emit? WiFi is just one channel waiting for your arrival. Not to mention that the ability to access those streams means you can also interfere with or mimic messages on them.

Check out the ARRL’s What’s New page for products to expand or support your hacking skills beyond cable.

January 15, 2019

Who Needs a Hellfire™ Missile When You Have a Crane?

Filed under: Cybersecurity,Hacking,IoT - Internet of Things — Patrick Durusau @ 11:06 pm

The Forbes exclusive story, Hackers Take Control Of Giant Construction Cranes by Thomas Brewster, made me follow @Forbes, @ForbesTech, and @iblametom.

Their politics really suck but stories like this one amplify the impact of IoT hacks by several orders of magnitude. Even if there was no hack. You can readily imagine the next big crane accident will be blamed on “IoT hackers.” You can even create a hacking handle to discuss industrial IoT hacking and take credit for accidents with no readily apparent cause.

Hackers will benefit more from the 82-page paper: A Security Analysis of Radio Remote Controllers for Industrial Applications by Jonathan Andersson, et al. that forms the basis for the Forbes story. (I have a copy of the pdf, just in case it disappears.) For a quick overview, see: Attacks Against Industrial Machines via Vulnerable Radio Remote Controllers: Security Analysis and Recommendations.

Just so you know, Hellfire missiles run $65K to $111K, each. Plus the delivery platform, support services, etc. A weapon limited to formal military forces.

Contrast that with IoT-enabled construction equipment that is vulnerable to hackers and no doubt is likely to remain so. Location is opportunistic, but your cost pales when compared to the investment required for a Hellfire missile.

Beyond the cost advantage, hacking construction equipment makes the familiar suddenly unfamiliar, unfriendly, and perhaps even dangerous.

Construction hacking in your area? Tip Thomas Brewster Signal: +447837496820.

January 14, 2019

Metasploit Unleashed

Filed under: Cybersecurity,Hacking,Metasploit — Patrick Durusau @ 8:22 pm

Metasploit Unleashed – Free Ethical Hacking Course

From the webpage:

The Metasploit Unleashed (MSFU) course is provided free of charge by Offensive Security in order to raise awareness for underprivileged children in East Africa. If you enjoy this free ethical hacking course, we ask that you make a donation to the Hackers For Charity non-profit 501(c)(3) organization. A sum of $9.00 will feed a child for a month, so any contribution makes a difference.

We are proud to present the most complete and in-depth Metasploit guide available, with contributions from the authors of the No Starch Press Metasploit Book. This course is a perfect starting point for Information Security Professionals who want to learn penetration testing and ethical hacking, but are not yet ready to commit to a paid course. We will teach you how to use Metasploit, in a structured and intuitive manner. Additionally, this free online ethical hacking course makes a wonderful quick reference for penetration testers, red teams, and other security professionals.

We hope you enjoy the Metasploit Unleashed course as much as we did making it!

You should start with the Requirements for the course. Seriously, read the directions first!

For example, I was anticipating using VirtualBox VMs, only to discover that the Metasploitable VM is for VMware only. So I have to install VMware, convert Metasploitable to OVF and then import into VirtualBox. That sounds like a job for tomorrow! Along with a post about my experience.

January 13, 2019

Buffer Overflow Explained in Detail

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 3:13 pm

Binary Exploitation – Buffer Overflow Explained in Detail by Ahmed Hesham.

From the post:

So first of all I know that there are many tutorials published about buffer overflow and binary exploitation but I decided to write this article because most of these tutorials and articles don’t really talk about the basic fundamentals needed to understand what a buffer overflow really is. They just go explaining what’s a buffer overflow without explaining what is a buffer, what is a stack or what are memory addresses etc. And I just wanted to make it easier for someone who wants to learn about it to find an article that covers the basics. So what I’m going to talk about in this article is what is a buffer, what is a stack and what are the memory addresses and we will take a look at the application memory structure, what is a buffer overflow and why does it happen then I’ll show a really basic and simple example for exploiting a buffer overflow (protostar stack0).

Too basic for most readers but not all. If you are looking for more advanced materials, try the blog at: https://0xrick.github.io/, which has five “Hack the Box” walk-throughs.
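To make the stack0 idea concrete for readers who do want the basics, here is an added example of my own, not code from Hesham’s post or from the Protostar exercise. It models the stack0 frame (a 64-byte buffer sitting directly below a control variable) as a struct so the overwrite can be demonstrated without writing outside any object, and it places the unchecked copy beside the bounded copy that would have prevented it. The struct, the function names and the all-‘A’ input are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the stack0 frame: a fixed 64-byte buffer is
 * laid out immediately before the variable `modified`, just as the
 * two locals are in the exercise. A real program writes past the end
 * of the frame with no bound at all; here the struct bounds the demo. */
struct frame {
    char buffer[64];
    int modified;   /* the value an overflowing copy clobbers */
};

/* Unchecked copy: models gets()/strcpy() into `buffer`. Every input
 * byte is written, so anything beyond 64 bytes spills into `modified`.
 * The cap at sizeof *f exists only to keep this demo inside the struct;
 * it is NOT a bounds check against the buffer. */
int unchecked_copy(struct frame *f, const char *input)
{
    size_t len = strlen(input);
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, input, len);   /* no check against sizeof f->buffer */
    return f->modified;
}

/* Bounded copy: refuses any input that does not fit together with its
 * terminating NUL, rather than silently truncating or overflowing. */
int bounded_copy(struct frame *f, const char *input)
{
    size_t len = strlen(input);
    if (len >= sizeof f->buffer)
        return -1;   /* would overflow */
    memcpy(f->buffer, input, len + 1);
    return f->modified;
}

/* Builds a constructed input of n 'A' characters, NUL-terminated. */
static void fill_input(char *dst, size_t n)
{
    memset(dst, 'A', n);
    dst[n] = '\0';
}

/* Value of `modified` after an unchecked copy of an n-byte input. */
int run_unchecked(size_t n)
{
    char input[sizeof(struct frame) + 1];
    struct frame f;
    if (n > sizeof(struct frame))
        n = sizeof(struct frame);
    fill_input(input, n);
    memset(&f, 0, sizeof f);
    return unchecked_copy(&f, input);
}

/* Result of the bounded copy for an n-byte input: 0 on success, -1 if refused. */
int run_bounded(size_t n)
{
    char input[sizeof(struct frame) + 1];
    struct frame f;
    if (n > sizeof(struct frame))
        n = sizeof(struct frame);
    fill_input(input, n);
    memset(&f, 0, sizeof f);
    return bounded_copy(&f, input);
}

int main(void)
{
    /* 63 bytes fit; 65 bytes reach one byte past the buffer into `modified`. */
    printf("unchecked, 63 bytes: modified=%d\n", run_unchecked(63));
    printf("unchecked, 65 bytes: modified=%d (nonzero: overwritten)\n", run_unchecked(65));
    printf("bounded,   63 bytes: result=%d\n", run_bounded(63));
    printf("bounded,   65 bytes: result=%d (refused)\n", run_bounded(65));
    return 0;
}
```

The exact nonzero value of `modified` after the 65-byte copy depends on byte order (0x41 on little-endian, 0x41000000 on big-endian), which is itself part of the lesson: what lands in the adjacent variable is whatever bytes the input supplied. The bounded version rejects even a 64-byte input, because the terminating NUL is the 65th byte.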

Later this week I will be posting about a subject identity approach to malware identification. Any suggestions on use of a subject identity approach to identify vulnerabilities?

January 11, 2019

Metasploit Framework 5.0 Released!

Filed under: Cybersecurity,Hacking,Metasploit — Patrick Durusau @ 4:52 pm

Metasploit Framework 5.0 Released!

From the post:

We are happy to announce the release of Metasploit 5.0, the culmination of work by the Metasploit team over the past year. As the first major Metasploit release since 2011, Metasploit 5.0 brings many new features, as well as a fresh release cadence. Metasploit’s new database and automation APIs, evasion modules and libraries, expanded language support, improved performance, and ease-of-use lay the groundwork for better teamwork capabilities, tool integration, and exploitation at scale.

Get it (and improve it)

As of today, you can get MSF 5 by checking out the 5.0.0 tag in the Metasploit Github project. We’re in the process of reaching out to third-party software developers to let them know that Metasploit 5 is stable and ready to ship; for information on when MSF 5 will be packaged and integrated into your favorite distribution, keep an eye on threads like this one. As always, if you find a bug, you can report it to us on Github. Friendly reminder: Your issue is a lot more likely to get attention from us and the rest of the community if you include all the information we ask for in the issue form.

Contributions from the open source community are the soul of Metasploit. Want to join the many hackers, researchers, bug hunters, and docs writers who have helped make Metasploit awesome over the years? Start here. Not into Ruby development? Help us add to our Python or Go module counts.

A beginning set of release notes for Metasploit 5.0 is here. We’ll be adding to these over the next few months. As always, community PRs are welcome! Need a primer on Framework architecture and usage? Take a look at our wiki here, and feel free to reach out to the broader community on Slack. There are also myriad public and user-generated resources on Metasploit tips, tricks, and content, so if you can’t find something you want in our wiki, ask Google or the community what they recommend.

See all the ways to stay informed and get involved at https://metasploit.com.

Before rushing off to put Metasploit Framework 5.0 to use, take a moment to consider contributing back to the Metasploit community.

The near panic for new cybersecurity hires and code to protect against attacks can only result in new security fails and vulnerabilities. Metasploit needs your help to keep up with self-inflicted security issues across government and business entities.

With your help, the CIA and NSA will be defaulting to Metasploit Framework 5.0 as their default desktop hacking app! Of course, neither the CIA nor the NSA can endorse or acknowledge their use of Metasploit, but one can dream!

January 8, 2019

Zerodium Bounties 2019

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 8:13 pm

The power of competition for exploits?

Jan. 7, 2019 – Payouts for the majority of Desktops/Servers and Mobile exploits have been increased. Major changes are highlighted below:

Modification Details

Increased Payouts (Mobiles)

$2,000,000 – Apple iOS remote jailbreak (Zero Click) with persistence (previously: $1,500,000)
$1,500,000 – Apple iOS remote jailbreak (One Click) with persistence (previously: $1,000,000)
$1,000,000 – WhatsApp, iMessage, or SMS/MMS remote code execution (previously: $500,000)
$500,000 – Chrome RCE + LPE (Android) including a sandbox escape (previously: $200,000)
$500,000 – Safari + LPE (iOS) including a sandbox escape (previously: $200,000)
$200,000 – Local privilege escalation to either kernel or root for Android or iOS (previously: $100,000)
$100,000 – Local pin/passcode or Touch ID bypass for Android or iOS (previously: $15,000)

NOTE: Payouts were also increased for other products including: RCE via documents/medias, RCE via MitM, ASLR or kASLR bypass, information disclosure, etc.

Increased Payouts (Servers/Desktops)

$1,000,000 – Windows RCE (Zero Click) e.g. via SMB or RDP packets (previously: $500,000)
$500,000 – Chrome RCE + SBX (Windows) including a sandbox escape (previously: $250,000)
$500,000 – Apache or MS IIS RCE i.e. remote exploits via HTTP(S) requests (previously: $250,000)
$250,000 – Outlook RCE i.e. remote exploits via a malicious email (previously: $150,000)
$250,000 – PHP or OpenSSL RCE (previously: $150,000)
$250,000 – MS Exchange Server RCE (previously: $150,000)
$200,000 – VMWare ESXi VM Escape i.e. guest-to-host escape (previously: $100,000)
$80,000 – Windows local privilege escalation or sandbox escape (previously: $50,000)

NOTE: Payouts were also increased for other products including: Thunderbird, VMWare Workstation, Plesk, cPanel, Webmin, WordPress, 7-Zip, WinRAR, etc.

Not quite in the star athlete range but getting there.

The higher the bounties, the more people who will be hunting. Not unlike the lottery. Some of them will win based on skill, others will stumble on exploits.

What we really need is a competitive market for data, however it is obtained.

January 4, 2019

Crypto-Cash for Crypto-Cache : The Dark Overlord

Filed under: Government,Government Data,Hacking,Intelligence — Patrick Durusau @ 8:24 pm

Crypto-Cash for Crypto-Cache

This is the thedarkoverlord here to deliver a message.

Our Official Bitcoin Wallet Address: 192ZobzfZxAkacLGmg9oY4M9y8MVTPxh7U

As the world is aware, we released our first decryption key for the ‘Preview_Documents.container’ Veracrypt container that contained a small sample of documents to continue to verify the authenticity of our claims. The decryption key for this container is: *CZ4=I{YZ456zGecgg9/cCz|zNP5bZ,nCvJqDZKrq@v?O5V$FezCNs26CD;e:%N^

There’s five layers to go. Layer 1, 2, 3, 4, and fine finally Layer 5. Each layer contains more secrets, more damaging materials, more SSI, more SCI, more government investigation materials, and generally just more truth. Consider our motivations (money, specifically Bitcoin), we’re not inclined to leak the juiciest items until we’re paid in full. However, in the interest of public awareness and transparency, we’re officially announcing our tiered compensation plan. …

This press release is reviewed at: Hacker group releases ‘9/11 Papers’, says future leaks will ‘burn down’ US deep state.

Nothing explosive in the initial documents but you have to wonder why they were scrubbed from Reddit, Pastebin, and Twitter, “immediately.”

I don’t see any ethical issue with The Dark Overlord charging for these documents. We are held hostage by utility, cable, ISP, mortgage and other hostiles. It’s a proven money-making model so why the tension over it being used here?

For further details, see the press release by The Dark Overlord. Please consider contributing to fund the release of these documents.

P.S. I rather doubt any document or report is going to bring down the “deep state.” Remember that it employs hundreds of thousands of people and numerous contractors and vendors. Shutting it down would cripple local economies in a number of places. It likely exists because it is needed to exist.

January 3, 2019

Getting Started with… Middle Egyptian [Middle Egyptian Code Talker?]

Filed under: Cybersecurity,Hacking,Hieroglyphics — Patrick Durusau @ 9:29 pm

Getting Started with… Middle Egyptian by Patrick J. Burns.

Middle Egyptian, sometimes referred to as Classical Egyptian, refers to the language spoken in Egypt from the beginning of the second millennium BCE to roughly 1300 BCE, or midway through the New Kingdom. It is also the written, hieroglyphic language of this period and so the medium in which the classical Egyptian literature of this period is transmitted. Funerary inscriptions, wisdom texts, heroic narratives like the “Tale of Sinuhe” or the “Shipwrecked Sailor,” and religious hymns have all come down to us in Middle Egyptian hieroglyphic. We also have papyri from this period written in a cursive script known as hieratic. The “middle” separates this phase of the Egyptian language from that of the previous millennium, or Old Egyptian (for example, the “pyramid” texts), and Late Egyptian, which begins in the second half of the New Kingdom and lasts until roughly 700 BCE with the emergence of Demotic. …

It’s been years since I seriously looked at a Middle Egyptian grammar or text but as a hobby, you could do far worse.

For hackers it offers the potential to keep records only you can read.

I don’t mean illegible, we can all do that, but written in a meaningful script that is decodable only by you.

Even better, you can take quotations from known religious texts for your notes. Various law enforcement agencies can hire (hope they charge top dollar) experts to translate your notes. Standard Middle Egyptian religious texts. Maybe that’s your thing. No way to prove otherwise.

The other upside is your support for the publishing of Middle Egyptian grammars, readers, and payments to Middle Egyptian experts by authorities for translation of standard texts. Bes will see the humor in such payments.

Enjoy!
