Archive for the 'Uncategorized' Category

New Project: DRWND.com

Jul 22 2015 Published by under Uncategorized

I don’t remember the exact conversation, but Jason Ross inspired me to buy DRWND.com, as in Drone + PWND = DRWND. I’ve owned it for a bit waiting for some specific data so that I could use it as an informational site about DRWN attacks. As IANA web developer, this has been interesting and terrible but simple enough to share.

www.drwnd.com

I won’t assume the site makes any sense right now so I can summarize it like this:

  • It takes a data feed of all known locations of drone strikes and plots them
  • Circle size reflects the number of people killed
  • Circle color reflects the percentage of the deaths that were civilians and/or children, in an RGB manner
    • Red – civilians
    • Green – expected targets or unknowns
    • Blue – children
  • For example, the drone strike in Pakistan shown in purple reflects that the people killed were mostly civilians and children

All this being said, the data comes from Dronestre.am which attempts to be honest but there’s no way that it can be complete nor totally accurate.

WRT OSINT and APIs

Jun 21 2013 Published by under Uncategorized

Partial rant, partial useful blog post — I’m noticing that a lot of the “new” APIs for sites are starting to restrict access to content, either by limiting how much of the data you’re allowed to access, or by not exposing a certain amount of data over the API at all. This is different from a few years ago when sites like Twitter would let you collect all the tweets from a user without issue. Maybe they’re being more privacy conscious (lulz) or maybe they want to charge a premium for this type of access, I don’t know.

One example is Google Latitude. When I’m friends with someone, I can access their location. They have shared their location with me and have me as a trusted person. But going through the official Latitude API, you’re specifically blocked from collecting any kind of user’s private information. This sucks. I’ll be honest, I don’t have any good uses for stalking someone on Latitude but I think it’s funny to be able to track someone and run a report on where they’ve been over the past couple of days.

The newest “privacy aware” API is Twitter’s. Their 1.1 API has been out for a while, but they recently blocked access to 1.0 (breaking all my scripts), which means that you’re no longer able to easily collect tweets and other user information. That also means that those RSS/ATOM feeds you used to keep track of a person are gone. You now must have a Twitter client to access Twitter in some usable fashion.

OAuth Hates Scripters

To add to this situation, OAuth2 (compared to its predecessor) requires users to make a website interaction in order to collect the token and secret values, meaning that scripts are annoying. We can get around this in a couple of ways, my favorite of which is using FoAuth.org. All this service does is facilitate the web requests necessary to collect the OAuth values, and store them. Then, using your Python script and the newly popular Requests library, we can call FoAuth to get the info that we need and proxy the requests to the API we’re using. As designed, this has an expiration, but it’s much easier to go back to FoAuth and re-authenticate a token than to do it for all of your scripts. Here’s an example from their main page:

 

Twitter 1.1 API Example

Anyways, here’s something potentially useful amid my rant. The Twitter 1.1 API uses OAuth to make requests, gets rid of the whole pagination idea that was in the previous version, and relies on this “max_id” value instead. Basically, max_id is where you want to start collecting tweets from. So if I want to collect all of a user’s tweets, I can collect the first 200, find the last one that I pulled, and make a request starting at that last one, looping until there are no more (or no more are given out).

Here’s how that looks:

https://gist.github.com/antitree/5835529

The problem with the above is that the Twitter API doesn’t give you _all_ of the tweets. Just whatever they feel like. Usually that’s a large amount (over 1000) but for users with lots-o-tweets, you’ll just hit an (AFAIK) arbitrary brick wall.
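The max_id loop described above, written out as an added example (this is not the gist linked in the post). The network call is replaced by an injectable page fetcher plus a constructed offline feed that imitates the “brick wall”, and the loop accounts for max_id being inclusive in the 1.1 API: the next page has to start at the lowest id seen minus one, or the last tweet of each page comes back twice.

```python
# Added example, not the post's gist. Walks a Twitter-1.1-style user timeline
# with max_id and stops at the API's arbitrary cut-off without duplicates.
#
# fetch_page is any callable (screen_name, count, max_id) -> list of
# {"id": int, "text": str}, newest first, as statuses/user_timeline returns them.


def collect_all_tweets(fetch_page, screen_name, count=200, max_pages=50):
    """Return every tweet the feed hands out, newest first, with no duplicates."""
    tweets = []
    max_id = None                      # None means "start from the newest tweet"
    for _ in range(max_pages):         # hard cap: a misbehaving feed can't loop forever
        page = fetch_page(screen_name, count, max_id)
        if not page:
            break                      # nothing older is handed out: the "brick wall"
        tweets.extend(page)
        lowest = min(t["id"] for t in page)
        next_max = lowest - 1          # max_id is INCLUSIVE, so step below the last id
        if max_id is not None and next_max >= max_id:
            break                      # feed did not move backwards; avoid a livelock
        max_id = next_max
    return tweets


def make_fake_feed(total=450, floor_id=101):
    """Constructed stand-in for statuses/user_timeline.json, usable offline.

    The account has `total` tweets (ids 1..total) but, like Twitter, the feed
    refuses to page back past an arbitrary point: ids below `floor_id` never come out.
    """
    ids = list(range(total, 0, -1))    # newest first

    def fetch_page(screen_name, count, max_id):
        visible = [i for i in ids
                   if i >= floor_id and (max_id is None or i <= max_id)]
        return [{"id": i, "text": f"@{screen_name} tweet {i}"} for i in visible[:count]]

    return fetch_page


if __name__ == "__main__":
    got = collect_all_tweets(make_fake_feed(), "antitree")
    print(len(got), "tweets collected; oldest id seen:", got[-1]["id"])
```

Against the constructed feed this collects 350 of the 450 tweets and then stops cleanly, which is the behaviour to expect from the real API as well.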

In Conclusion, screw you apis

IANADev, so to me, APIs are a polite way of accessing data but if we keep getting blocked, we can go back in time and collect the data in other ways. From an OSINT perspective, we would like to gather this content for whatever legitimate and illegitimate purposes that we want. I’ll be spending my time before Defcon updating whatever tools I have to make sure they’re not going to suddenly stop working.

Also to note, Recon-ng, a great tool for recon/OSINT/whatever, has had support for the 1.1 API for a while now which leads me to continue to believe it’s worth porting my tools into rather than trying to roll my own.

 

Intelligence in Infosec: My BSidesDetroit Talk

Jun 05 2013 Published by under Uncategorized


This Friday, I’ll be presenting a weird presentation at BSides Detroit. It’s titled “Corporate Intelligence: Lisbeth Salandar vs James Bond” and it’s on a subject that has been stuck in my head for a while. It’s a talk about corporate spying, competitive intelligence, industrial espionage — the type of thing where people are stealing information from one group, and selling it to another. As is the case with most of my presentations, it has little to do with what I do for work, and more to do with play.

In short, it’s going to be an anti-anti-corporate espionage training course where, instead of learning ways to protect yourself from being spied upon, you’ll learn all the tactics that spies are using and how to become one yourself. I’ll cover something called the Intelligence Lifecycle (that oddly enough a few other people have picked up on) and the Principal Motivators of Betrayal, which show how you can often convince people to become a spy for you. I’ll also show a little Android application that I wrote when I started playing these spy games.

Usually, when someone says “intel” they mean OSINT, because there’s no way someone is going to spend the time trying to establish a human source of intel, and no one wants to actually do something illegal like the tactics employed in technical intel gathering. OSINT, although referenced in the talk, is becoming somewhat of a tired subject. Not because I am an expert but because there’s nothing really new or novel about the way we use open sources of information. There is a lot of research about collection and very little about analysis, so usually the output of most of the tools out there now is just downloading information online, which results in a gigantic, unusable pile of bloody data. I submitted a talk to Defcon Skytalks that goes into this subject even more (fingers crossed), but this talk is more me laying the baseline to expand the idea of what we think of as “intel” to other sources of intelligence and seeing what kind of discussion it generates.

The presentation is something I started while in Mexico reading The Grey Line. I moved on to other good books like Ira Winkler’s “Corporate Espionage” and “The Quiet Threat” by Ronald L. Mendell. The full reading list is below if you’re interested.

The Grey Line: Modern Corporate Espionage and Counterintelligence, Andrew Brown

Corporate Espionage: What It Is, Why It’s Happening in Your Company, What You Must Do About It, Ira Winkler

The Quiet Threat, Ronald L. Mendell

Countering Industrial Espionage, Peter Heims

Competitive Technical Intelligence: A Guide To Design, Analysis, And Action, Mathias M Coburn

Industrial Espionage: Intelligence Techniques and Countermeasures, Norman R Bottom, Jr., Robert R. J. Gallati

UPDATE 6/8/2013: a version of my slide deck

Testing NFC Input Vectors

Apr 30 2013 Published by under Uncategorized

Can we agree that NFC is here to stay? Just about every mobile platform supports it (I’m looking at you, Apple), including simple feature phones from way back when. Let me just get to the good part: NFC input vectors for pen-testing. The scenario here is a mobile application that supports some kind of NFC exchange. Maybe it’s a Windows Phone 8 tag reader or something using Android Beam — whatever. The point is that the mobile app is receiving input from an outside source (the NFC tag), and we want to make sure it’s properly validating that input. Specifically, when an application reads in the NDEF (or proprietary) content from the NFC tag, how is it used by the application? What happens when we change this value to something unexpected? In an ideal world, it will catch the exception and stop trying to read the tag, but what about in the case of “less than ideal” programming?

Tools

To get started we need something that can read and write NFC tags. Sorry, iPhone users, but the easiest way to do this as I see it is to use an Android device and a few choice apps:

NXP NFC TagInfo

Does exactly what its name implies. It gives you info on an NFC tag. This includes any kind of ASCII characters inside of the NDEF storage container or a hex representation of the values if that’s your thing. This is step 1 when it comes to learning about the content that’s on an NFC tag. Play store link.

NXP NFC Tag Writer

NXP’s tag writer will read, write, and copy tags. When I say copy, I mean it will copy the NDEF format. That’s the content that’s normally on an NFC tag. Hard coded values like the UID can’t be changed (unless you know where to get sketchy NFC tags and even then you need a libNFC-based tool to interface with it). Play store link.

NFC Developer

This is where the fun happens. This app allows you to design just about any NDEF formatted NFC tag you want. The nice part of this is if there is an application implementing a weird custom format, you can create it. It’s made by Thomas Skjolberg who apparently has a whole workshop on the subject that gets you started with NFC on Android.

Used in partnership with the ndefeditor.com site, the app lets you generate just about any NFC tag you can think of and then record it to a tag. Or you can use the Eclipse Plugin that does the same thing inside of Eclipse. Very useful.

Create a new tag in Eclipse by going to New>Other>NDEF File


Fill the file with whatever contents you want or whatever the application can handle. This may be a specific MIME type like below or an Android Application Record (AAR)… or many other things for that matter.

 

Once you’re done, it’ll create a QR code for you that you can scan with the NFC Developer application installed on your device.

You’ll now be able to load your custom NDEF message onto an NFC tag of your choice.

Link

Tags

If you’re using Android, you don’t necessarily need to write your content to physical tags. It’s possible to manually create intents that look like the device is receiving an NFC tag. But since we’re talking about testing any NFC function on *any* platform, you’ll need to pick up some NFC tags. The NFC protocol itself supports a “card emulation” mode where you could theoretically turn your Android phone into a simple NFC tag, but from what I understand, it’s either extremely hard to do or impossible right now because it’s based on the NFC secure element that is manufacturer specific. If someone wants to enlighten me on that, please feel free.

You’ll want a variety of tag types. The main difference you’ll be concerned about here is just the amount of storage. The Mifare 4K has a reasonably large storage capacity and can still deliver the data in the same way as a Mifare Classic 1K. Maybe there’s a situation where you’ll need a special tag type but I haven’t run into that yet. Either way, here’s a random link to some tags.

Bad Code:

Let’s take a look at some example code for Android that we’re trying to exploit. This is a portion of code that is reading an NFC tag, and saving to a file name based on that input. You can see that the value of “strfile1” is whatever the first NDEF record is. What happens if that payload was something like “../databases/superimportantcontent.db”? Even worse, the app looks at the second NDEF record for the content to write.

Let’s imagine that this app stores a text file of SSH hosts to connect to. In this case, we could create a custom NFC tag that would have a first record of the path we want to access (“SSH.txt”) and a second record with the values to put inside of this file (your malicious SSH MiTM proxy). Having a user read your custom tag would redirect their connections to you.
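The bad code above is only shown as a screenshot, so here is an added model of it beside a hardened version. It is written in Python rather than the app’s Android Java, is not the post’s code, and assumes a constructed app sandbox path and NDEF payloads already stripped of the text-record header (status byte and language code); the hardening is the usual one for this bug: the tag never gets to choose the path, and the payload is validated before it is written.

```python
import posixpath
import re

# Constructed sandbox path; a real Android app gets this from Context.getFilesDir().
FILES_DIR = "/data/data/com.example.sshhosts/files"
# The only file this feature is allowed to (re)write.
ALLOWED_FILES = {"SSH.txt"}
# One "host" or "host:port" per line is all the SSH host list is supposed to hold.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}(:\d{1,5})?$")


def vulnerable_handle_tag(records, files_dir=FILES_DIR):
    """Model of the post's bad code: NDEF record 0 names the file, record 1 is its body.
    Returns the (resolved path, content) the app would write, whatever the tag says."""
    strfile1 = records[0].decode("utf-8")
    content = records[1].decode("utf-8")
    # Joining an attacker-controlled name lets "../" walk out of files/ entirely.
    target = posixpath.normpath(posixpath.join(files_dir, strfile1))
    return target, content


def hardened_handle_tag(records, files_dir=FILES_DIR):
    """Defensive version: rejects anything unexpected instead of writing it.
    Returns (resolved path, list of validated host entries) or raises ValueError."""
    if len(records) != 2:
        raise ValueError("expected exactly two NDEF records")
    name = records[0].decode("utf-8", errors="strict")
    # No separators or dot components: the record may only be a bare file name...
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        raise ValueError("record 0 is not a bare file name")
    # ...and only a name this feature owns (allowlist, not blocklist).
    if name not in ALLOWED_FILES:
        raise ValueError("record 0 names a file this feature may not write")
    target = posixpath.normpath(posixpath.join(files_dir, name))
    # Belt and braces: the resolved path must still sit inside the files directory.
    if not target.startswith(files_dir + "/"):
        raise ValueError("path escapes the app files directory")
    body = records[1].decode("utf-8", errors="strict")
    hosts = [line.strip() for line in body.splitlines() if line.strip()]
    if not hosts or not all(HOST_RE.match(h) for h in hosts):
        raise ValueError("record 1 is not a list of host[:port] entries")
    return target, hosts


if __name__ == "__main__":
    evil = [b"../databases/superimportantcontent.db", b"owned"]
    print("vulnerable writes to:", vulnerable_handle_tag(evil)[0])
    try:
        hardened_handle_tag(evil)
    except ValueError as err:
        print("hardened rejected the tag:", err)
```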

Happy hacking.

 

Competitive Intelligence Meets 2600

Feb 04 2013 Published by under Uncategorized

I gave a presentation at this month’s Rochester 2600 meeting about competitive intelligence. The point was to give some background about competitive intelligence/corporate spying and make some analogies to people in infosec.

FWIW, you can check it out over here.

BSidesROC 2012 The Results

May 23 2012 Published by under BSidesROC,Uncategorized

BSidesROC is over. There’s no reason to really give you a blow by blow but I think it might be entertaining to see some of the feedback we received from attendees. Both years that we’ve done BSidesROC we’ve sent out a survey email right after the event with a very quick survey that gave us some feedback on what people thought about the event. I really do take it seriously but also some of the responses were very interesting.

The responses we received were overwhelmingly positive which is good. But I’m not going to make a post about “Why BSidesROC 2012 Was a success!” I think it’s more entertaining to you, and more useful for next year, if we talk about what sucked.

Here is a summary of what I regard as the more interesting survey responses.

Chartz!1!

(Survey charts: “Closeness to death” and “Why are you here?”)

Badges:

The badges this year were fake handcuffs. Last year they were dog tags. There was a lot of thought put into coming up with something different for badges. We didn’t want to do the uber-techno-arduino-based-microwave-generating-death-ray badge like Defcon and other cons do (mostly because we can’t!). And we didn’t want to spend any money because, let’s face it, we don’t have any. So our constraints were to find a badge that we think is cool, that will be ready to go by the con, and that won’t kill our budget if we buy $150 of them. The backstory on this idea was that sometime when we were driving back from BSidesDE, the van full of hackers decided that handcuffs were a good idea. The thought being you can learn how to shim or pick out of handcuffs, so not only were they the badge, but a useful training tool. But we learned, they suck.

For your entertainment, here are some of the responses about how badges weren’t the greatest:

If you’re going to give out handcuffs, you have to give out handcuffs. Having a cheap version of something is worse than not having it at all imho.

Maybe get badges like AIDE has or Lascon had?

Drop the cheezy handcuffs

I could say that we’ll improve our badges for next year but I can’t promise that. 🙂 We enjoy wasting time brainstorming weird badge ideas so expect something weird and possibly stupid next year. 

Tracks and Seating: Failures

This was interesting because there were some last minute changes that caused some issues. We had 2 tracks this year that were originally meant to be “Presentation” and “Workshop.” Kizz Myanthia was kind enough to offer to do a workshop that went along with his presentation and it was going to last for 4 hours. It was going to be cool – attend his talk, and then do a hands on workshop on how to use Metasploit and such. Kizz unfortunately got his workshop pulled because he was transitioning between jobs. His previous employer told him that he was not allowed to do his workshop because he was using the Pro version of their company’s tool. If you can figure out who I’m talking about, let me just say that this was because of the Sales/legal/corporate dictator department and not the cool people that are part of the pentesting portion of the company. If I’ve just confused you, don’t worry about it.

So that left us with a big 4 hour block that we needed to fill. Which we didn’t. 🙂 We had some ideas but I admit: FAIL.

Also added to the fail were the screens. They weren’t big enough to reasonably read. We figured this out way too late to make a change. Lesson learned.

Things We Won’t Change:

There are a few things that make a BSides different from a normal conference and we’ll continue to follow those tenets. Here are a few examples of responses that we just won’t change, and why:

A better venue. More comfortable and better seating would be preferable. Maybe RIT would sponsor the event in the Golisano auditorium.

This is really good feedback but I want to point out why we won’t be doing this. First of all, we love RIT and I’m an RIT grad, but in my opinion it’s important to develop a community not based on colleges and universities. There are a lot of reasons for this that aren’t going to fit into this post. Second, we don’t want a conference that looks like a conference. (Read my other post about “con” vs “conference.”) That being said, yeah, the chairs did suck. We’ll see what we can do. 🙂

More vendor tables setup

We love our sponsors and we love people that support the hacker community. The problem with this is that other conferences have made vendor tables the focus of the con. We’re sensitive to having vendor tables and probably won’t have any in the future. This is a “Security B-Sides” thing and one of the reasons that we like the BSides framework. If you love sitting through vendor presentations, don’t give a crap about practical technical content, and want to pretend to be a “hacker,” then you should check out Hackerfest. This is the reason that BSidesROC exists.

Random responses:

Here are some random survey questions and their responses:

Q. What do you think we could have done better?

A. Mark’s mom

A. this is 2012, where was the IPv6?

A. More restrooms…

 

Q. What did you like the best?

A. Flying fucking sharks

 

Q. Name as many BSidesROC sponsors as you can without looking

A. Baby jesus

A. Oh no…I didn’t know there was a quiz!

 

BSidesROC Part II: Things we’re doing

May 09 2012 Published by under BSidesROC,Uncategorized

BSidesROC is this Saturday at 8am. Holy crap. I wanted to give a final post before the con so you can figure out what to expect the day of the event. If you haven’t signed up, you should get a ticket right now. Do so on the website. http://www.bsidesroc.com

Capture All The Flags

We will have a capture the flag style competition. The open competition will involve you and your team being rewarded for cracking security challenges. It’s going to be run by RIT’s student security organization SPARSA. The skill level is from intro to 1337, so if you just want to take a crack at it, you can.

Present All The Talks

We have to have presentations. It’s just what we do. There will be a bunch of talks in multiple tracks this year. You can check out the schedule for a list of talks HERE. Also, if you can’t make it to the con, the presentations will be streamed live on UStream. We’ve spent as much money as we can afford on audio and video equipment in an attempt to have quality streaming.

Pick All The Locks

Last year, The Open Organization Of Lockpickers came up to run a lock pick village and it was a smash. There were a lot of people learning how to pick locks for the first time ever. This was really awesome to me and it’s coming back. Since last year, a local TOOOL chapter has popped up, so they’ll be running the booth themselves. They’ll be doing presentations on the basics of lock picking and how locks work throughout the day. They have lock picks and practice locks that you can use to practice. Plus, they have lock picks for sale during the con.

Hacker All The Space

Since this is a hacker community event, we’re going to bring back the guys from the Rochester hackerspace, Interlock Rochester. They’ll be showing off what they do with 3D printers and fun toys. You should pay them a visit to see how the space is doing and maybe they’ll print you a trinket to take home.

Decrypt All The Challenges

We’re adding a new portion to BSidesROC. The Crypto-Challenge Of Doom! Or just the Crypto Challenge. If you’ve attended other hacker cons, this is a way to exercise your brain cracking a crypto puzzle. And if you’ve attended other hacker cons where they do this, you’ve probably met the guy that wins all of them, Darth Null. All of them is a little overzealous, but maybe all the ones he’s attempted. He has put together the crypto challenge for us this year and I’m pretty excited to see what everyone thinks.

Eat All The Food

We will even feed you in the morning and afternoon. Bagels and coffee for breakfast and subs for lunch. Hurray.

Sponsor All The Things

Do I need to remind you that this is a free con that feeds your mouth for free and pumps your brain full of information for free and entertains you for free? Freely free freedom. Well this is because of our sponsors. No seriously, love these people and please tell them how much you appreciate them because these are the guys that understand what a hacker con is and are interested in giving money to the community. If you use their products, please remind them that you saw them at our conference so that hopefully they sponsor us next year. Go buy all their products and services and give them hugs.

Secure Network, Inc.

AdvizezX Technologies

HP Enterprise Security

Rochester ISSA Chapter

Tenable Network Security

Intrepidus Group

GreyCastle Security

Assured Information Security, Inc.

the mongolians

there is no dc585