Blog

Brad the Nurse

Organising our yearly training event at Blackhat in Las Vegas is no mean feat. With well over two hundred students to prepare for, the size of Caesars Palace to contend with (last year we walked, on average, 35 kilometers just inside the hotel) and the manic atmosphere, it’s a stressful environment. There are many Blackhat helpers running about, but none like Mr Brad ‘the Nurse’ Smith. Brad would always be there popping his head into our rooms, making sure us plakkers had what we needed, when we needed it, and always with that trademark smile. Armed with his two-way radios (almost like a western gun-slinger in the way he was able to whip them off and put them into action in seconds), he knew who to call and where to get it. This video from Toolswatch, shot at his last Blackhat, summed up his enthusiasm:

Skype Passive IP Disclosure Vulnerability

When performing spear phishing attacks, the more information you have at your disposal, the better. One tactic we thought useful was this Skype security flaw disclosed in the early days of 2012 (discovered by one of the Skype engineers much earlier). For those who haven’t heard of it – this vulnerability allows an attacker to passively disclose a victim’s external, as well as internal, IP addresses in a matter of seconds, by viewing the victim’s vCard through an ‘Add Contact’ form.

T-Shirt Shell Competition

For our internal hackathon, we wanted to produce some shirts. We ran a competition to see who could produce a reverse shell invocation most worthy of inclusion on a shirt. Here are the submissions, which may be instructive or useful. But first, the winning t-shirt design goes to Vlad (-islav, baby don’t hurt me, don’t hurt me, no more): Funny story: the printer left out the decimal points between the octets of the IP, so we had to use a permanent marker to put them back. Oh, also, many of these were originally taken from somewhere else and then modified; we don’t claim the full idea as our own. Anyway, onto the shells!

HTTPS via WinAPI

Hijacking SSL sessions initiated by the browser is a trivial task. The challenge comes when trying to intercept SSL traffic in applications such as Dropbox or Easynote. These apps add extra measures to verify certificates and their integrity, so intercepting them with Burp is not straightforward. One quick solution to the above problem is hooking one level above (or below :) in the OSI stack. Live API monitoring / hooking can be used to capture and manipulate HTTP/S “traffic” before it is placed on the wire, in much the same way we are used to doing it in Burp.

CSIR Cyber Games

The Council for Scientific and Industrial Research (CSIR) recently hosted the national Cyber Games Challenge as part of Cyber Security Awareness month. The challenge pitted teams of 4-5 members from different institutes against each other in a Capture the Flag style contest. In total there were seven teams, with two teams from Rhodes University, two from the University of Pretoria and three teams from the CSIR. The games were designed around an attack/defence scenario, where teams were given identical infrastructure which they could then patch against vulnerabilities while at the same time identifying possible attack vectors to use against rival teams. After the initial reconnaissance phase, teams were expected to conduct a basic forensic investigation to find ‘flags’ hidden throughout their systems. These ‘flags’ were hidden in images, pcap files, alternate data streams and in plain sight.

Charity Drive – Antarctica Expedition

Like many businesses, we at SensePost are aware of how fortunate we are and of the many around us who struggle to make ends meet day to day. We have a heart for our community and regularly support charities and causes that touch us. In South Africa it’s not hard to find causes to support, but one that’s particularly close to my heart is the Little Lambs Christian Daycare in a township in Cape Town called ‘Imizamo Yethu’ (The People Have Gathered).

SensePost People News

We’re extremely proud to announce today the promotion of a number of key people here at SensePost. Shane Kemp, Daniel Cuthbert and Dominic White will be promoted to Global Sales Manager, Chief Operations Officer and Chief Technology Officer respectively and will join SensePost’s senior leadership structures, effective 01 October 2012. The three new C-levels, along with a number of other emergent leaders, will be commencing a training and development program spanning a number of months as they gradually assume their new responsibilities.

Snoopy: A distributed tracking and profiling framework

At this year’s 44Con conference (held in London), Daniel and I introduced a project we had been working on for the past few months. Snoopy, a distributed tracking and profiling framework, allowed us to perform some pretty interesting tracking and profiling of mobile users through the use of WiFi. The talk was well received (going on what people said afterwards) by those attending the conference, and it was great to see so many others as excited about this as we have been.

44Con: Vulnerability analysis of the .NET smart Card Operating System

Today’s smart cards, such as banking cards and smart corporate badges, are capable of running multiple tiny applications which are often written in high-level programming languages like Java or Microsoft .NET and compiled into small card-resident binaries. It is a critical security requirement to isolate the execution context and data storage of these applications in order to protect them from unauthorized access by other, malicious card applications. To satisfy this requirement, multi-application smart cards implement an “Application Firewall” concept in their operating system which creates an execution sandbox for card applications.

Solution for the 44Con Challenge

Last week, we published our 44Con “SillySIP” Challenge for free entry to our BlackOps training course at the 44Con conference this year. We’d like to thank all those who attempted this challenge. $queue->add($beatbox_drumroll); The winner, who responded with the first correct answer, is Ben Campbell. As a result, he gets to hang out with our trainers on a free BlackOps training course. Congratulations Ben! We look forward to meeting you (in person) at the BlackOps training.