antiTree | posts and projects

InspecTor is a .onion page that kept track of bad exit nodes on the network. And it did a pretty good job. It looked for things like:

- SSL stripping: replacing HTTPS links with HTTP
- JavaScript injection
- iFrame injection
- Exit nodes that have no exit policy (black holes)

Those are the easy-to-quantify bad properties. We can compare the results of connecting through a bad exit node and a good one and diff the results. These are some of the grey areas it also tries to look for:

Another year, another ISTS. For those that haven’t heard, the Information Security Talent Search (ISTS) is a yearly event run by RIT’s SPARSA group, a student-run organization. This isn’t your run-of-the-mill hacking competition. ISTS was one of the first (if not the first) to actually bring an offensive perspective to the competition. Here’s your job:

- Keep your services running: the longer they are up, the more points you get
- Stop your opponents from running services. Hack, exploit, social engineer, whatever... make their boxes go down.
- Complete the business injects that are given throughout the day
- Complete the various challenges faster than your opponents

Sounds simple, right?

This is a presentation I gave about embedded security at the last 2600 meeting. It is mostly just referencing other people’s work, like that of Joe Grand and Travis Goodspeed, who are embedded security gods. Pentesting embedded from antitree

Let me start by answering the short version of the question: Tor usually performs DNS requests using the exit node’s DNS server. Because Tor only carries TCP, it will normally only be able to handle TCP-based DNS requests. Hidden services, though, are very different and rely on hidden service directory servers that do not use DNS at all. Read on if you don’t believe me or want more information. Here’s a reference from an old mailing list entry:

I gave a presentation at this month’s Rochester 2600 meeting about competitive intelligence. The point was to give some background about competitive intelligence/corporate spying and draw some analogies to people in infosec. FWIW, you can check it out over here.

I’ve been putting some time into trying to improve my intelligence gathering capabilities. Normally we would call this recon during a pen test, or OSINT gathering. But I’ve been thinking about it from the perspective of the CIA, who refer to it as intelligence gathering. The ideas are basically the same: collect information that provides you with some kind of insight into a target. For a pen test, I want to know information about the subject I’m testing. Maybe it’s network information, or job openings, or a list of employees; all of this type of data can be used during later phases of the assessment. For your organization, you may want to know when Anon is going to be launching an attack on your network, or which employee is leaking company secrets on her Facebook account.

Quick blog post — thought it would be funny to make an Instagram script that will download all the locations of a user account. You can find the details on how to use it on Github. Pretty straightforward:

./instagram.py (instagramID) (InstagramAPIToken)

You’ll need to sign up for the Instagram API, which you can do here: http://instagram.com/developer/
And you can find your friend’s Instagram ID using this handy tool here: http://jelled.com/instagram/lookup-user-id
Download the code from Github here: https://github.com/antitree/instastalk

Browser fingerprint tactics, like the ones demonstrated in Panopticlick, have been used by marketing and website analytics types for years. It’s how they track a user’s activities across domains. Just include their piece of JavaScript at the bottom of your page and poof, you’re able to track visitors in a variety of ways. I don’t care much about using this technology for marketing, but I do care about using this type of activity for operational security purposes. Imagine using this technique as a counter-intelligence tactic. You don’t want to prevent someone from accessing information, but you do want to know who is doing it, especially if they have ill intentions in mind. IP addresses are adorable but hardly reliable when it comes to anyone who knows how to use a proxy, so by using a fingerprint application like Panopticlick, we can see who is visiting the site no matter what their location appears to be.

Panopticlick is a project run by the EFF that highlights the privacy concerns related to being able to fingerprint your browser. It suddenly popped back up in /r/netsec like it was a new project. The site works by showing you the results of a full-fledged browser fingerprinting tool, letting you compare how similar or dissimilar you are to other visitors. This is done in a variety of ways: by looking at the user agent, screen resolution, fonts installed, plugins installed, versions of those plugins, and much more. You can read the Panopticlick whitepaper if you want to understand more about how it works.

Last year, I wrote a post outlining some of my focus points for the rest of the year. This is a review of those tasks and an updated perspective for the next year.

Last Year

Hardware Security Projects

Last year, I generically noted that I’d like to get into more hardware security projects. I took on the Juke Box project, which was a mixture of hardware hacking, radio, and mobile. I’ve also been doing a lot more soldering to work on Travis Goodspeed’s FaceDancer 11 and GoodFet. I think the new pile of hardware hacking tools in my office reflects a consistent interest in this.