2007
Ok.. Now this is pretty cool…
For all those guys who usually scoff at CSI / Police Movies where the detective shouts “enhance image” or remove that person, you have to admit that life dos indeed imitate art..
(Click image or here)
Pretty neat…
2 Un-related thoughts.. on Echelon and the recent Skype Outage..
I suspect somewhere there exist cardinal rules of blogging which would state that using a single post to make 2 completely un-related posts is a no-no.. I will now promptly ignore it 2 push out 2 random thoughts that came up..
Echelon and Echelon spam..
While watching the Bourne Ultimatum the other night the usual “echelon“esque scene played out.. Guy on phone says keyword.. pan to NSA/CIA type building.. computer drone type person screams something like “we have a hot one”..
Core Release Pass the Hash Toolkit..
Hernan Ochoa from Core has released the Pass the Hash Toolkit which is very cool.. It basically means that you dont have to bother cracking a password on a taken machine anymore, you can simply use his iam.exe to associate the captured hash with your current session.. Its accompanying whoisthere.exe means you can grab hashes easily and the fact that its all released with source means you should be able to use it on a customer network without a sinking feeling in your stomach :>
We’re hiring
SensePost is an exciting & dynamic young company with strong values &
a world vision. We specialize in high-end technical security services
& we’re looking for exceptional people to help grow our world-class
team. If you’d like to be part of a relaxed, inspired team where your
work is valued & appreciation for your work is visibly demonstrated,
where opportunities to learn abound & innovation is encouraged, then
why not join us at SensePost?
On hamsters, Escaping, Escaping of Hamsters and the Lack of escaping in Hamster…
OK.. So as i mentioned before, I saw Robert Graham from Erratasec demo hamster live on stage and wondered if hamster was doing useful input/output sanitization.. If it wasn’t, he was setting himself up for a pop-up that read “owned on stage” or worse a re-direct to tubgirl.. He didnt get owned on stage, which suggested that either the crowd was really well behaved or the tool was doing some tidying up so i decided to wait till i got home to check..
mh.blackhatFeedback(Side-jacking, Hamster)
Ok.. so its a lot later than i promised, but i did mention that i would post some feedback on some of the talks i ended up catching at this years BlackHat. By far the talk that grabbed the most press was the Erratasec talk on Side-Jacking.
Essentially the researchers demonstrated a tool (hamster) that allows an attacker on a shared network (wifi was used as an example, but i guess any shared medium would suffice) to hi-jack users accounts by sniffing their session-ids.
On hacking and politics
I meant to blog this whilst I was still in Vegas, but only got around
to it now. Its arb, but worth a bit of thinking… Kenneth Geers’
talk titled ‘Greetz from Room 101’ was on which countries have the
Top Ten most Orwellian computer networks. In his precis he asks
“Could a cyber attack lead to a real-life government overthrow?”
I find these kinds of discussions really interesting, because of the
significant role that information technology plays in today’s wars on
crime and ‘terror’. In such “wars” the lines between right and wrong
are very loosely defined. As we saw clearly in South Africa today’s
terrorist is tomorrow’s freedom fighter. Thus, a technology that
could be used fight terror today, could just as easily be used to
oppress freedom tomorrow. Technology will serve any master.
F(inally)ull Release of BlackHat-Defcon Timing Stuff..
The slides | tool | paper from BlackHat07/DefCon07 have been posted online for your wget’ing pleasure.
More details on squeeza (the tool) can be found on the squeeza page, but in a nutshell is a sql injection tool that uses Metasploits concept of splitting exploit/payloads/etc with SQL Injection attacks. Current modules are written for MS-SQL server but include functionality for (user defined sql queries, some db schema enumeration, command execution, file-transfer, db_info) and the information is returned (channel selection) via one of (application error messages, DNS, Timing). The modularity’ness means that these all mix and match – I.e. if you write a module to “extract data from all tables that look like username*”, the results would be available on any of the available channels.. (Its a pretty neat tool.. and saved our bacon more than once) So check it out, and send feedback to research@sensepost.com
Another blow for privacy? A small price for your 15 minutes of fame..
Spock have just opened up beyond their private beta and promise to be the most comprehensive people search tool on the interwebs.. Their model is interesting because they aim to combine wikipedia style editing with a single focus.. people..
Roelof and i had long discussions in the past, around someway to get people to update information on people while growing the db and still having people contribute.. Interestingly, spocks simple sounding approach might be perfect.. in a day when everybody vanity googles themselves, and when the facebook/myspace/twitter generation have 0 qualms about informing the world what they are doing 24/7, the simplest way to populate a db with information about people, might just be to let them fill the info in themselves..
BlackHat Roundup – Ajax and h.323 and iax
The bulk of security research pertaining to VoIP call control, setup and signaling protocols has focused on the Session Initiation Protocol (SIP), due to the ubiquity and widespread adoption of this protocol. However, a number of other protocols and protocol suites are in use in many organizations and have been adopted by many of the VoIP vendors. Some examples of these protocols are Cisco’s Skinny Client Control Protocol (SCCP or Skinny), the H.323 suite of protocols, and Asterisk’s Inter-Asterisk eXchange (IAX).