Click to play

Hey, Yes, you’re going to bed so much more way. Yeah, we haven’t heard from you recently exhibit. Zachery if you can. Hey thousand reasons. Okay, you can. Hi this is how my stuff. I guess is what might be thing order. I just wanna be on Dot Com hey, hi bye hey bye this is Jane, but I think it was just online and I’m just leaving message, Good Morning. Okay if we have a great day. Bye. Do let me know bye hey hey thanks. Okay, so I don’t know who. Who else. Bye. Okay, bye bye going to talk to you about. Ellen delivery of what it was 2 days of Operations about those, 2000 11000. But it is definitely i own you know that Val, yeah. Cos and while he never heard of the characters on 30. Now I’m just getting back to you by update on the cleaning up at this morning. This morning, but I think that’s in the phone wrong. Love you baby. Okay bye. Hello Cory, My name is Lisa and Hello thought to say that because it’s going along because I put in for the first i texted yes become a order record pointing out that balls bye hey done with member station. W W dot. We’re going to the camp. This is the ability Division of valid results that he’s comfortable with you. Bye bunch of places are Spock’s fun. Cos kisses. Thanks, please bye. Cos hey.

This post is password protected. To view it please enter your password below:

Password:

This morning I awake to find an envelope taped to my front door. It was blank, and I briefly peek around and see that the rest of the neighborhood has the same thing waiting.

I go ahead and open it, expecting to find a local resident selling mowing, painting or any other service but find something slightly different. Close, but different. In part below:

“Neighbors:

Since we don’t have a homeowners association everyone has done their own thing in regards to trash removal. I thought it would be nice to have one garbage truck come through each week instead of three so I contacted [REDACTED] who I was inquiring about a special.  I have attached their letter….

… If everyone thinks this is a good idea we can all have matching barrels put out at one time per week…

…Again, we dont have an association, but we can all act together if we choose. Their number is on the attached paper if you would like to use them.”

Ok, so whats the problem you ask? Well nothing really, I think it was a nice gesture, and think he was just trying to help his fellow neighbor.

HERE is the problem.

On the “Attached paper” was a browser printout of an email that was sent to his gmail account.  He made an effort to hide his gmail address and thats about it.  The nice little feature gmail provides to show the last account activity was in plain view.  The IP address was in tact.

Being the curious minded person I am, I couldn’t help myself and put in the IP into my browser. Bingo. “Welcome to Windows Small Business Server 2003″

I’d better close it right away… nah, Of COURSE I clicked on “Remote Web Workplace” and of COURSE I got:

“The site’s security certificate is not trusted!”

and of COURSE I was in a VM and so on and so for and moved forward. I was presented with a company name, and a logon prompt.  So a quick tally of what we have so far.

I have his full name, IP address of a machine I know he used, probably was logged into the SBS web desktop. I have his address (duh), place of employment and the phone number and address of his work place.  Oh well.

What I DON’T have

I dont have HIS email address, remember he redacted it.  I NEED that email address now, so when I call him I can send him an email as well.

This was an easy one, the “Attached paper” had the persons name, phone number and email that he contacted about a special. I had all the info I needed to just socially engineer my neighbors email address out of them.  I called the number and received the front desk.  I was informed the person I needed was out, but she could help me. She could take my name and number and get back to me. Stop.  That wasn’t really going to work for this little experiment.  I simply gave her some more details, like the my neighbors name and guess what. She has access to the mailbox that contained the email address.  After helping her troubleshoot a bit, she gave it to me without hesitation, and I even asked her to spell it again and asked if I couldn’t reach him by email If I could call her back because she has been “so helpful and really got me out of a pickle”. Another win for me . FAIL for them. They mindlessly handed out information about another customer.

Additionally, all of his gmail labels were in view on the print out. Pretty organized too, I know his church, hobbies and the fact he uses his gmail for work, Well, I’m assuming thats what the “Work” label meant. Wow. This is awesome.

What was the point of even bothering with this?

To help educate my neighbor that something seemingly harmless could have been bad.

I have contacted him, but haven’t heard back.  I will update this post as soon as I do.  Remember, own your information folks.

Update:  I spoke to my neighbor and he was very thankful that I wasn’t malicious. I think he understood why it was a bad idea, and mentioned “you got all of this from a note on your door about trash…different world we live in”  Protecting people, one neighbor at a time.

Beginning Less than a year ago,

In an attempt to  a productive member of a technology community, I shifted all my focus from being a complacent Sys Admin to an area I have always been an outsider looking in on. Information Security.  I am no stranger to technology, and have had a strong passion for anything related to it for as long as I can remember. I just lacked focus…

Jump

When I finally made the decision shift focus to InfoSec it was scary to say the least.  The more I learn, the less I know. Not only that, but I realized this was a close community with a solid history and more talented people that I could ever imagine.  I felt like it was my first day in prison (disclaimer: I’ve never been to prison) and I felt like I needed to make a name for myself.  Each passing day I was trying to draw comparisons between an existing community with years and years of experience to what I was doing.   I hope I caught that mistake in time, that could have been bad.

Slow Down

Frickin’ Newb, Its only been 8 months…ish.  In that time, I obtained a  C|EH, completed Offensive Security PWB 101 training (No OSCP, on attempt 2), visited my local hackerspace a handful of times ( I recommend doing the same) . I joined Infragard, ISSA and OWASP.  No, I’m not trying to be a braggart, and no, I don’t think this is the path to 1337ness. It served me two purposes really.  First it was an attempt to learn and surround myself with people that built the very community I am trying to get into.  Secondly, It was a good way to test the waters.

Welcome to the Thunderdome

Have you guys seen what you have built? HOLY SHIT! This community is amazing.  I wont get into a naming of names, but the twitter users alone are not only impressive but if you follow the right people you could socially engineer yourself into an InfoSec job just by regurgitating tweets.  Podcasts? Yeah, you got em.  Need Videos?  There are too many security video sites to count. Cons. Nuff said. I am going to make an effort to hit as many of these cons as possible this year.  Finally,  Blogs? 0_O

Going Forward

I always hear, “give back to the infosec community”, and that is something I plan on doing.  I don’t have much to offer at this point. Writing isn’t my strong suit (<<Captain Obvious) and podcasts from a noobs perspective (hmm catchy) would be a waste of everyone’s time.  I decided the best thing I can do, for myself and the community is to STFU and learn.  The last thing “we” (ducks) need is a wreckless wannabe. I have no idea where I fit in, and its better that way.   I have a long way to go, but the journey so far has been worth the jump.  I only wished I made it 10 years ago.

twitter

A couple of test gadgets; iPod touch (Gen2), G1, iPod Shuffle seemed to work just fine.  The tin does get hot, and there is a buzzing and hissing noise that emits from the tin.  Perfectly Normal.
From the F.A.Q

“How many charges/hours of use can I get out of a MintyBoost?”

I would suggest this for anyone needing a quick burst of juice on the go.   This is also a nice beginners soldiering project.

As always, comment with questions or contact me via twitter.

@mattjay (Web: http://mattjaysecurity.com)Took a peek when it was in it’s earliest form and gave me some great pointers.  I suppose what I am looking for is feedback, or criticism to make the talk better.

The audience will be non “power” users.  I pictured giving this talk in a nursing home to try to make the content as “friendly” as possible.

What types of things do you want users to know? I feel that education is the best medicine for information security, and by working with them and making it accessible will at least (hopefully) get them to stop and consider any actions that may have become habit.

This link is to the shared version of the talk, EVERYONE can edit and make changes.  My hope is, the “open” format will lead to some great feed back.  Unless someone deletes the whole thing, then I’ll get the hint.

Update: With a lot of amazing feedback from @fsamurai (web: http://www.freelancesamurai.com)  I have updated the talk  Here is the latest version (2.0). Also feel free to make changes or edits.

Feel free to use this talk, or modify it for your own purposes.  Getting the info out is what is important.

Thanks Everyone.

Our son wanted to be an Imagination Mover for Halloween.  He actually wanted to be all of them, but we chose “Mover Scott“.  To re-create mover Scott, we need his famous “Wobble Goggles”.  They are $20 from Disney, AND they don’t have lights and music.   Crazy talk.  I decided to make my own. Additionally, we needed a costume.  Finding a “decent” one was tough.  So my wife decided to make her own.

First off, run “wobble goggles” through your favorite search engine.  Pretty much zero information.

With no one to copy off of, I needed 3 things.

1. Goggles.

I bought 2 pair. This set from eBay and this pair from Amazon. I needed to get have a test set, and a good set.  Plus, I wanted to find the style that was the closest match.  The Amazon pair are the “production” pair.  Props to Tammy for picking them out.

2. Something small that would play Music.

I Decided a recordable greeting card would work. I picked up a Superman Card, but the module was just too big.  A quick google search revealed that there were many options to choose from.  Then I found it!  A recordable device from a picture frame.  It was already enclosed and made a nice “click” when the button was pushed.  Not only that, but I could just Velcro it into the band of the goggles.

3. Lights.

I picked up a set of  blue mini led Christmas lights ( I wanted the module to create the flashing effect), and wired 8 into the conveniently pre-drilled holes. I test fit the lights, to see if i could get away with surface mounting, but it looked terrible. Therefore,  I had to expand the holes to accommodate the lights, but not by much.

I created two of these setups, mashed the lights back into the holes, hot glued everything in place and added tape and other protection measures.

You may be asking yourself at this point, what kind of juice is this going to take.

A single 2032 “Coin” battery.

Time to sew Velcro into the headband to conceal the wires,  hold the battery and cradle the recording device.

Thats it, now to activate, you can re-create the movement just like Mover Scott.

Now on to the costume.

As always, contact me with any questions.

I recently re-established my Facebook page to reconnect with friends and stay in contact with family.  I didn’t have the account open for 2 weeks when I constantly saw posts about “Hackers will break into your account” or ” A hacker named Christopher Rosenqueist ate my Monitor”, and other nonsensical items that seemed to be scaring people into commenting or sharing it.

I quickly posted SocialMediaSecurity‘s “Facebook Privacy and Security Guide” to attempt to help my some of my non technical friends and family.  I also tried to stop the spread by commenting with factual information.

These “Hackerz stole my life” posts seem to be a version of  Fear Uncertainty and Doubt. (FUD).  By posting or sharing unverified “hacker” claims, FUD is being caused and propagates itself through the system.   Scaring people into spreading false information.  Crying Wolf, that’s what these posts are.   Stop and think, do you even care or notice when a car alarm goes off? Nope. Why? Its screaming for help. “I’m being broken into!!!!”  Enough false alarms and no one listens.

Update: “crying wolf” may be a bad analogy.  I understand most people are posting with sincere intentions and trying to help others.

Why are you boring me with this?

I wont any further, instead I will offer some of my tips to make your Facebook experience free from “Hackers”

1. Follow this guide.

2. Take ownership of the information, don’t just spread it.  If you see something that seems scary, use google, or ask your friendly Security professional/ IT Guy.  Learning how to spot these will allow you to help yourself and others.

3.  Take ownership of your account.  Follow good password guidelines.  AND DO NOT REUSE PASSWORDS, if your FB password is the same as your banking password, and your etrade account, and your email account, and…  then guess what? If a criminal gets one, you gave him keys to the castle.  Have “fifty Million” passwords, and can’t manage them? So does everyone else, stop fighting it and  let a password management program do it for you.

I tried to keep this short and to the point.  If you have any questions or need help with any of the programs listed. Please contact me.

Update 2.  Here is the FBI’s take on this.

TECHNIQUES USED BY FRAUDSTERS ON SOCIAL NETWORKING SITES

Fraudsters continue to hijack accounts on social networking sites and spread malicious software by using various techniques. One technique involves the use of spam to promote phishing sites, claiming there has been a violation of the terms of agreement or some other type of issue which needs to be resolved. Other spam entices users to download an application or view a video. Some spam appears to be sent from users’ “friends”, giving the perception of being legitimate. Once the user responds to the phishing site, downloads the application, or clicks on the video link, their computer, telephone or other digital device becomes infected.

Another technique used by fraudsters involves applications advertised on social networking sites, which appear legitimate; however, some of these applications install malicious code or rogue anti-virus software. Other malicious software gives the fraudsters access to your profile and personal information. These programs will automatically send messages to your “friends” list, instructing them to download the new application too.

Infected users are often unknowingly spreading additional malware by having infected websites posted on their webpage without their knowledge. Friends are then more apt to click on these sites since they appear to be endorsed by their contacts.

Tips on avoiding these tactics:

Those interested in becoming a user of a social networking site and/or current users are recommended to familiarize themselves with the site’s policies and procedures before encountering such a problem.

Each social networking site may have different procedures on how to handle a hijacked or infected account; therefore, you may want to reference their help or FAQ page for instructions.
Individuals who experienced such incidents are encouraged to file a complaint at www.IC3.gov reporting the incident.

A neighbor gave us a Harley Cruiser power wheels.  The only thing wrong with it? Battery fail.  Well, technically that was the only thing wrong with it.   In my opinion it was missing a few things.  Time to mod this hog.

What are you going to do?

I decided to keep it very simple at first and just add a working headlight and tail lights. That’s right, all show and no go. This is for my Son and he DOES want to actually ride it.   Since he is the boss, I’d better get him on the road as quickly as possible. We’ll give him some power a little later on.  I headed to Walmart (urp) to look for the following.

Taillights    x2    @ 1.75″
Headlight    x1    @ 4.75″

I decided the best thing to use would be flashlights. For the headlight,  I picked up a Brinkmann 6 Volt Krypton Lantern.  It had the size and the power source I needed.  Plus it was $5.00. Score.

For the tails, I chose a 2 pack of Rayovac Brilliant Solutions LED Flashlights.  The top cover was a pretty close match to the style of the bike.

I added a small row of LED’s on the rear fender for some sweet “blue flame” action.

I wired it up,  and was able to cram both the 12V battery and the 6V battery under the seat by flipping the 12V battery so the connection was on the other side.

Is that it?

Next up? Working sounds, a paint job and maybe some sweet handlebars.  Stay tuned.

@hevnsnt from I-Hacked.com told me about http://www.modifiedpowerwheels.com… the possibilities for this are endless.(and scary). Just check out the videos.

Questions?

Please comment, or email me here.

ax0n

This document will reference his article A.LOT. I suggest you stop reading this (for now), and head directly to his article to familiarize yourself with it.

I am simply going to focus on OSX (Snow Leopard – 10.6). I wanted this to be available on my MacBook at the drop of a hat.

“So, uh…other than that, what’s the point of this ‘article’ ?” . Hmmm… great question. I better get started before you leave.

Note: I’m assuming you have met all of the hardware requirements in the h-i-r.net article.

Step 1: Flashing the Fon

Enable redboot! I used this guide. The problem however, is that once I had established the ssh connection to the Fon, I was unable to wget the files. Additionally, I was unable to ping anything external. I’m sure I was doing something wrong, and there is a simple fix (comment if there is). So what should I do now? I mean, stuck at the second step in the instructions? Fail. To correct the issue, Grab the files referenced in the instructions from here and here and while your at it grab this (you’ll need all of these files), launch a tftp server, unpack the files and place them in the tftp server directory. Then start server. (be sure to make note of the IP address ). I placed the files in a root dir called “tftp” this makes it a little easier when typing the path.

Enabling Redboot

Now that we have the files living in the tftp server dir, Launch a terminal, connect to the Fon via ssh and issue the following commands using the following syntax to grab the files (wget http://[ip.add.re.ss]/[dir]/[filename]):

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# wget http://201.37.100.106/tftp/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma 
root@OpenWrt:~# mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
root@OpenWrt:~# reboot

After the Fon comes back online, ssh back in and follow the remaining steps in the instructions to enable redboot.

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# wget http://201.37.100.106/tftp/out.hex
root@OpenWrt:~# mtd -e "RedBoot config" write out.hex "RedBoot config"
root@OpenWrt:~# reboot

Once you get to the section “now your ready to flash”, you can stop. Those instructions follow a path we aren’t going to.

Installing the Jasager Firmware

Head over to digininja’s site and follow the instructions here “for firmware users”. I skipped the redboot.pl installation, as we already have redboot enabled and working. Download jasegar, unpack it and place it in your tftp dir. (if you didn’t do it earlier) The ONLY tricky part during the flash process is to be SURE you copy and paste the commands or triple check your typing. I mistakenly forgot to load vmlinux.bin.17.  It didn’t brick the Fon, but I was scared to reboot it.

RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma
Using default protocol (TFTP)
Raw file loaded 0x80040400-0x801003ff, assumed entry at 0x80040400
RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7
 
< Wait for a while > note: This took about 2 minutes
 
... Erase from 0xa8030000-0xa80f0000: ............
... Program from 0x80040400-0x80100400 at 0xa8030000: ............
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs
Using default protocol (TFTP)
Raw file loaded 0x80040400-0x801e03ff, assumed entry at 0x80040400
RedBoot> fis create -l 0x6F0000 rootfs
 
< Wait for a long while > note: This took almost 15 minutes. Don’t panic. It’s working.
 
... Erase from 0xa80f0000-0xa87e0000: ...........
... Program from 0x80040400-0x801e0400 at 0xa80f0000: ..........................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
 
RedBoot> fconfig
Run script at boot: true
Boot script: 
Enter script, terminate with empty line
>> fis load -l vmlinux.bin.l7
>> exec
>> 
Boot script timeout (1000ms resolution): 2 (My default was 10)
Use BOOTP for network configuration: false
Gateway IP address: 
Local IP address: 192.168.1.1
Local IP address mask: 255.255.255.0
Default server IP address: 192.168.1.254
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset
 
^]
telnet> Connection closed.
root@desktop ~ # 

Sweet!

The hard part is over. So what happens if you make a mistake in fconfig like
me? Type fconfig -n it will list all of the nicknames of the fields you can
change. The shell doesn’t know what delete is, and there are all sorts of redboot keyboard-fu you can use to control input. I found it easier to type at the reboot> fconfig field_name [input]. So for
example, if you accidentally entered 192.168.1.11 for the IP address. You could fix just that line by typing: fconfig boot_my_ip 192.168.1.1

Let the Fon reboot, make sure you can ping 192.168.1.1 after all the lights
look good, then open your browser and hit http://192.168.1.1:1471 .

The jasager interface *should* open. If it does not after a few minutes… try the following.

1. Make sure you are loading and executing vmlinux.bin.17 in fconfig
2. Reboot the Fon
3. Double and triple check fconfig.

If all else fails, repeat the process. I ended up flashing almost 10 times
due for various reasons, ranging from mistakes I made in the network config, to
the Fon not playing nice with DHCP. If you need to reflash, redboot is only
available for a few seconds while the fon device is booting. I hope your
SMB, 3-1 infinite guy timing is still there. Here is what I had to do to hit
the timing properly.

1. Remove power from Fon
2. Launch a terminal and start pinging 192.168.1.254
3. Launch another terminal and PREP a telnet session to 192.168.1.254 9000
4. The first reply you receive from ping, press enter on your telnet session
5. If it fails. Repeat process until you get it.

Now, head back to

part 1 of the h-i-r instructions and follow along starting with “tinker
time”

Step 2: Install the pWn

This is the easy part. Below are simply notes regarding the process.

Metasploit and Karma

This is the part where I point you back to h-i-r.net’s part 2 for the complete setup of this step. I was able to drop in the framework to my tools directory with no additional steps required. However, you may want to update ruby if you desire. Then Download karma.rc, put it in the root directory with the framework and we are in the home stretch to put this all together.

Head to part 2 of the h-i-r instructions. Follow from “Time to tweak stuff”. You will need to edit karma.rc before you run it.

Hamster and Ferret

Last files we need to grab are hamster and ferret.

I was having some trouble getting hamster and ferret to compile, even after installing xcode. Luckily, the binaries are compiled for us already . Download them and place them in a directory you will remember.

You will need to set your browsers proxy to 127.0.0.1:1234 to view the Hamster interface. Be sure you add an exception for your NIC’s ip address, so you can monitor Jasager as well.

You can now head back to ax0n’s work and button up the rest of the project.

Starting the entire process

Here are the steps I use when booting this rig.

1. Power on the Fon and connect it to your PC with an Ethernet cable.
2. Make sure Jasager is online and Karma is active. I opted to control its state, instead of automatically starting it.
3. Open a terminal and Launch Metasploit and Karma with> sudo ~./msfconsole -r karma.rc
4. Open another terminal and launch hamster with> sudo ~./hamster
5. Enable your proxy. Or use quickproxy for firefox to quickly enable.
6. Open the Jasager (192.168.1.1:1471) and hamster (127.0.0.1:1234) interfaces
7. Gratz ur l33+

Conclusion

While this guide wasn’t meant to be as comprehensive as the article it was based on. I hope you will find a quick reference for installing this on your Mac Box.

All the files referenced, I have zipped up and stashed them here. Comment with questions or hit me up via twitter