un-excogitate.org
what was I thinking? (Christian Frichot’s ad-lib on security and what-not)

Security articles I flagged (for fun or .. whatnot):

Are You Practicing Safe Coding? – Personally I have a love/hate relationship with this style of infographic, and this one in particular is almost like a flattened marketing slide deck. Eh. Anyway, this image does hold a lot of stats in a single place, and it does have a fairly open call to action to check out the rest of Veracode’s stuff. (Oh, and don’t forget that infographics are ruining the web).

HowTo: Extract ‘hidden’ API-hooking BHO DLLs – Ever had a chance to play with Volatility? If you haven’t, definitely check it out. It’s a great way to analyse volatile memory. This tute walks through trying to find a malicious browser helper object hooked into IE performing some nasty man-in-the-browser (MitB) stuff.

Turn a Bra Underwire into a Lock Pick – Need I say more? This is a security article AND an awesome party trick!

10 Evil User Tricks for Bypassing AV – Thanks to @mubix‘s #sharedlinks.

Cross Device Attacks using Cloud Sync (iCloud example) – Nitesh writes up another Apple-esque security article. This time he looks at how, whilst iOS is generally considered a secure platform, introducing syncing applications introduces a weaker link in the chain, namely a desktop computer. This is compounded when you’re using syncing applications for business processes, which are then also synced to your crappy out-of-date home PC. All this and more! (Read the article, ya slackers.)

Hacker Blackmailed 350 Women into Stripping on their Webcams – .. Social engineering .. what can’t it do?

Security flaws in UPnP – millions at risk – When the R7 guys aren’t making MSF kick ass, they do security research. This is unlikely to be the first time you’ve heard about this issue, as it’s done the rounds lately. I’m aware they offer some self-test tools now too if you want to check whether you’re vulnerable.

.. The rest of these are not so security focused (but .. sort of..).

Awesome secret drawer – Watch the embedded Vimeo – this wooden chest with the hidden drawer is fantastic.

Poor Sleep Prevents Brain from Storing Memories – I have a pretty shocking memory. Sometimes I don’t sleep too well. I’m not really convinced in my case these issues are related.. but, interesting research regardless.

Eddie Adams’ Pulitzer Winning Image – This well-known (and super powerful) photo was taken in Vietnam on Feb 1st 1968. There aren’t many art forms where the power of your creation is something which even you as the creator can’t bear to face. Interesting insight into the image and the impact it had on society and the photographer.

MS embracing (Open Source) Git – I found the MS article provided a much clearer picture of their intents, and their approach to open source software, especially compared to the original article.



Written to the sweet relaxing sounds of the new Villagers album, Awayland (for those indie fans). I know I’m a bit late on my ‘attempt to post every Friday’ post thing, but, Friday turned into a bit of a clusterfudge, so excuse the delay (plus, Australia day over the weekend <insert dranks>).

Security articles that caught my attention:

Actually, I really was a criminal.. – I found Rich’s post really insightful and refreshing. I also think it’s a fairly common occurrence for those involved in the info sec space to have done similar things themselves, just, not as common for those people to publicly post about it. Kudos.

Android Botnet Infects 1 Million Plus Phones – I didn’t read too much into the ‘extremist’ title of this post, but I don’t think this sort of thing should be too surprising to security peeps. Phones are just computers, right? And as they continue to grow in popularity and drop in price, well, of course malicious actors are going to focus their attention on them. A personal interest of mine is using BeEF to target mobile devices; in this way you could effectively coerce an untold number of devices to perform actions on your behalf just through their browser.

Pen tester launches infosec bootcamp – I’m glad to have worked with, and hung out with, Snyff on a few occasions, and I’ve gotten a lot out of his PentesterLab for quite some time, so his move to make more of this material available can only be a good thing. Another one of Snyff’s ‘free’ services is the PNTSTR Bot. His bot sends me a ‘pen tester’ question once a week via a DM. It’s a great little ‘test yourself’ activity that takes less than 30 seconds, and I look forward to the challenge every week.

Movie filmed entirely in Disney Theme park – Not strictly a digital security post, but I certainly found the concept really interesting. The crew and actors pretty much had to ‘stealth’ film the movie, referring to mobile phones for notes and scripts, and using camera setups as discreet as possible. I hope this inspires more of these sorts of things.

Application Framework Security – Jerry Hoff over at OWASP has started a new Project to document the security controls available in common development frameworks. It’s a good reference (if just at the beginning), and hopefully it can be extended to integrate and interlink with other OWASP projects like the T10, ASVS, etc.

Some tech/dev stuff:

Visual Event – for when you need to dig into JS events. Hat tips to Vitaly for the link.

LICEcap – for when you need to capture a portion of your screen and immediately convert it into an animated GIF. .. obviously for .. you know .. legitimate reasons.

MS Going its own way on Audio/Video spec – .. god damnit WHY does this shit happen? Just when you think browsers are starting to all meet at an apex of compatibility *bam* – we’re going to do our own thing. I really dislike IE, mainly because of the experience and bloat of it, but, there’s all this underlying gumpf that, when I think about it, also grinds my gears. (Goes back to rocking backwards and forwards on his angry man chair).

Firefox Phone – I’ve seen a few presentations on the Boot to Gecko (BTG) / Firefox OS over the past 12 months, primarily at OWASP events. I’ve been interested in the ‘everything is a web app’ phone (a little bit like Chrome OS), except that in this case everything is HTML and JS. Obviously from a BeEF point of view I was salivating, but as a new player in the space, I’m also keen to see how it goes. Plus, obviously, it’s completely customisable.

Motivational / inspirational (?):

Putting Things Into Perspective: Space – I was enthralled by the entire 19 minute vimeo, and it was one of those moments (that you may not experience that often) when you realise just how small we all are, and how profound it must be to a) see the entire earth under you and b) see the sun surrounded by the darkness of space, as opposed to the blue sky we normally associate with the sun.



I was pretty happy to have put together the first Perth CryptoParty last week. The event was held at the Perth Artifactory, the local Hackerspace. I’d never visited the venue before but was pleasantly surprised at its size, the members who were more than willing to help, and all the crazy contraptions to be found around the space. I was told a number of times that they also had a few 3D printers, but I didn’t have any urgent requirement to 3D print things, like weapons, or alien figurines.

The presentation that I curated and walked people through was a pretty stock-standard intro to cryptography, and then a few simple demonstrations of common technology, such as gpg, TrueCrypt, Tor etc. My deck (but honestly, there’s SO much better material out there) is here.

We also had @kronicd give a lightning talk on @thegrugq’s PORTAL work.

I had a number of discussions with participants and there certainly appears to be an appetite for a follow up meeting. I know a few attendees were even suggesting topics that they’d like to talk on, which I think is a fantastic idea. (One of the guys was talking about an encrypted voice chat protocol/app that’s not Skype .. pretty cool).

Anyway, if you have feedback, don’t hesitate to ping me on twitter, or on the CryptoParty wiki!



One of the biggest issues I had with BeEF when I started contributing to the project was the administrative interface. Primarily this was due to being absolutely spoilt by Metasploit’s “msfconsole” interface: it just felt so natural to run everything from the command line. It made it trivial to ssh into EC2 instances running MSF, or even just run it locally; it didn’t matter, the “show” command made it so easy to iterate through a fairly complex hierarchy of information.

So I took some time out to try and figure out how we could implement another UI for BeEF. Naturally I started to look into how MSF did it, and then I came across their fantastic Rex library, now packaged as a gem for easy distribution and installation over here: https://github.com/hammackj/rex (cheers @hammackj). Now, at this point the console interface for BeEF is still non-trunk material, and it’s more of a remote-control interface, i.e. it talks via the admin JSON interface that exists within the “Admin” BeEF extension.

It was through this process that I really came to appreciate the awesome work the Metasploit team had done in the construction of Rex. I mean, immediately, just by performing a quick “# gem install librex” and then including a “require ‘rex’” in your code, you have access to an incredibly powerful console-based interface with tab completion, multiple level stacks (think beef > zombie > command), a job management system, and this is just the stuff the BeEF console’s using. Let’s not forget logging, encoding, sockets and much much more.
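The level stack and “show” hierarchy described above, sketched as an added example in plain Ruby rather than with Rex itself (this is not BeEF or Rex code; the zombie and command names are constructed sample data, and the command level only reports what it would hand to BeEF’s admin API):

```ruby
# Added example (not BeEF or Rex code): a plain-Ruby stacked-dispatcher console
# mirroring the "beef > zombie > command" levels the post describes.
# Zombie and command names below are constructed sample data.
ZOMBIES  = { '1' => '192.0.2.10 (Firefox)', '2' => '192.0.2.11 (IE)' }
COMMANDS = { 'fingerprint' => 'Fingerprint the hooked browser',
             'get_cookie'  => 'Read document.cookie' }
class Console
  def initialize; @stack = [beef_level]; end
  def depth;  @stack.size; end
  def prompt; @stack.map { |l| l[:prompt] }.join(' > ') + ' $ '; end

  # Tab completion: names valid at the current level that share the prefix.
  def complete(prefix)
    (@stack.last[:commands].keys + ['back']).select { |c| c.start_with?(prefix) }.sort
  end

  # Dispatch one input line to the innermost level; "back" pops a level.
  def run(line)
    name, *args = line.split
    if name == 'back'
      @stack.pop if depth > 1
      return 'ok'
    end
    handler = @stack.last[:commands][name]
    handler ? handler.call(args) : "unknown command: #{name}"
  end

  private
  # Top level: "show" lists zombies, "zombie <id>" pushes a zombie level.
  def beef_level
    { prompt: 'beef', commands: {
      'show'   => ->(_) { ZOMBIES.map { |id, desc| "#{id}: #{desc}" } },
      'zombie' => ->(a) {
        return "no zombie #{a[0]}" unless ZOMBIES[a[0]]
        @stack.push(zombie_level(a[0])); 'ok' } } }
  end

  # Zombie level: "show" lists commands, "use <name>" pushes a command level.
  def zombie_level(id)
    { prompt: "zombie #{id}", commands: {
      'show' => ->(_) { COMMANDS.map { |n, d| "#{n}: #{d}" } },
      'use'  => ->(a) {
        return "no command #{a[0]}" unless COMMANDS[a[0]]
        @stack.push(command_level(id, a[0])); 'ok' } } }
  end

  # Command level: a real console would hand "run" to BeEF's admin JSON API.
  def command_level(id, name)
    { prompt: name, commands: { 'run' => ->(_) { "would queue #{name} for zombie #{id}" } } }
  end
end
```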

If you’re building any security tools in Ruby, nay, any tool in Ruby that requires this sort of interface (and let’s not forget how extensive MSF is, so sure, you can use Rex to drive a web UI, console, CLI, whatever), I think you’d have a hard time trying to find anything as effective and full-featured as Rex. In addition you’ll find that new features come out quite consistently too, like their JS obfuscator.

By separating the remote control library from the Rex console driver UI, I was then also able to drop the exact same remote control library into the recently announced MSF BeEF Plugin (early version available here).

You can see the console in action here (the current version in the trunk has been updated though, so it’s a lot neater than this):

And the MSF BeEF Plugin here:



One of my favourite features of the old PHP BeEF was the “Keyboard Logger”. This feature simply passed all DOM keypress events back to the framework for the security tester to review. This was great for demonstrating the impact of XSS issues, or as part of a penetration test combined with a social engineering attack. The potency of this was increased if BeEF happened to be hooked into something like a login page.

Well, this feature is back in the new Ruby BeEF. And it’s back with a vengeance. Instead of just logging keypress events, the new “Event Logger” logs browser focus events, onclick events and keypress events. The current implementation logs all this data into BeEF’s database under the log table associated with the particular hooked browser (aka: Zombie!).

Enough with the words.. onto the video!


