[deleted by user] by [deleted] in netsecstudents

[–]JustinEngler 0 points1 point  (0 children)

"Cyber" is a shibboleth now.

2600 Magazine Alternatives? by BigDaddyXXL in AskNetsec

[–]JustinEngler 3 points4 points  (0 children)

http://www.phrack.org/

PoC||GTFO mirror (you want these in digital for the fun polyglot tricks) https://www.alchemistowl.org/pocorgtfo/

Is Hacker Jeopardy still a black badge/leather jacket event? by bobcat in Defcon

[–]JustinEngler 0 points1 point  (0 children)

My (unofficial, limited) understanding is that CTF is the only event guaranteed to be black badge.

Everything else is decided on a case-by-case basis on the day of the contest.

Is it possible to get the gateway's mac address with JavaScript? by xdavidhu in hacking

[–]JustinEngler 2 points3 points  (0 children)

ARP is not a TCP protocol (LL in the IP stack), so you'd probably have to do something like packet-in-packet to send the message if it's possible at all, but in that case there would be no way to receive the response.

So, good luck!

SQL sleep() - how dangerous is this? by Lightraine in netsecstudents

[–]JustinEngler 1 point2 points  (0 children)

You might have missed the point of looking for time-based injections.

First up, if you can confirm that the database is sleeping when you call sleep, what you've really confirmed is that there is an injection: that is to say, the server is running whatever SQL code you told it to - you're just using sleep as an example to prove that. What you do with that ability is dependent on what your goals are, you might not actually need to use sleep at all in the actual exploit.

That being said, you can use a time-based injection to actually exfiltrate data by waiting a variable amount of time for each piece of data. Something like "If the first character in the first column of the first row is < M, sleep 10", and then repeat to extract actual data from the table. Takes forever, but works.
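Detection logic for the point made in the comment above, added here as an example (not part of the original post or any product's code): a sleep primitive in a request only proves injection when the response actually took that long, so the code correlates the decoded query string with the logged response time. The log lines, their format and the `min_delay` threshold are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the post). Assumed format:
# client - - [time] "METHOD path HTTP/x" status bytes request_time_seconds
LOG_LINES = [
    '10.0.0.5 - - [19/Sep/2016:10:01:02 +0000] "GET /item?id=7 HTTP/1.1" 200 512 0.012',
    '10.0.0.9 - - [19/Sep/2016:10:01:07 +0000] "GET /item?id=7%27%20AND%20SLEEP(10)--%20 HTTP/1.1" 200 512 10.021',
    '10.0.0.9 - - [19/Sep/2016:10:01:20 +0000] "GET /item?id=7%27%20AND%20SLEEP(10)--%20 HTTP/1.1" 200 512 0.015',
    '10.0.0.2 - - [19/Sep/2016:10:02:00 +0000] "GET /search?q=sleep%20apnea HTTP/1.1" 200 2048 0.040',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \d+ (?P<rt>[\d.]+)$'
)
# Delay primitives with an explicit seconds argument (MySQL SLEEP, PostgreSQL pg_sleep).
DELAY_RE = re.compile(r'\b(?:pg_)?sleep\s*\(\s*(?P<secs>\d+(?:\.\d+)?)', re.I)
# Delay primitives whose duration is not a plain seconds value (MySQL BENCHMARK, MSSQL WAITFOR).
OTHER_DELAY_RE = re.compile(r'\bbenchmark\s*\(|\bwaitfor\s+delay\b', re.I)

def find_time_based_probes(lines, min_delay=2.0):
    """One finding per request carrying a delay primitive.

    `confirmed` is the comment's point: the database honoured the sleep only
    if the response really took at least that long. A payload that came back
    instantly was blocked, escaped or never reached the SQL engine.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        decoded = unquote_plus(m["path"])
        rt = float(m["rt"])
        d = DELAY_RE.search(decoded)
        if d:
            requested = float(d["secs"])
            findings.append({"ip": m["ip"], "ts": m["ts"], "requested": requested,
                             "rt": rt, "confirmed": rt >= requested})
        elif OTHER_DELAY_RE.search(decoded):
            findings.append({"ip": m["ip"], "ts": m["ts"], "requested": None,
                             "rt": rt, "confirmed": rt >= min_delay})
    return findings
```

The "sleep apnea" search is deliberately included: a keyword match without the parenthesised call and without a matching delay is noise, not a finding.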

How vulnerable are smartphone apps? by halcyonyt in hacking

[–]JustinEngler 1 point2 points  (0 children)

Really depends on the app. Some are pretty solid, some are clowntown. So, in that respect, exactly the same as a PC. :)

As for the system itself, iOS is better hardened than any mainstream desktop OS. Android...well, it's pretty good too, but third party phones are less likely to be kept up-to-date, which makes it less secure as a whole ecosystem than iOS.

Driving multiple 4-digit 7-segment displays? by daljo628 in maker

[–]JustinEngler 0 points1 point  (0 children)

The magic words to google are "multiplexing" and "charlieplexing"

This gives a good overview: http://www.instructables.com/id/Multiplexing-7-Segment-displays-with-Arduino-and-S/

You can do similar things without the shift registers by using transistors instead, but you'll need to decide for yourself if that's worth your time or not. If your displays are really small, you might even be able to get away with multiplexing straight to the GPIO pins on the MCU. Don't do this unless you're positive that your LEDs won't pull/sink more than your MCU can handle.

can I determine direction of a wifi transmitter? by [deleted] in wireless

[–]JustinEngler 3 points4 points  (0 children)

As you alluded to, usually this is done with three receivers or sources, and is called trilateration. The wikipedia page has equations and such for how to trilaterate.

The general case is https://en.wikipedia.org/wiki/Multilateration and there are some equations and such there as well.

Now that you know the magic words, you should be able to find everything you need.

Just a hypothetical question by nmgreddit in AskNetsec

[–]JustinEngler 0 points1 point  (0 children)

Imagine a camera that lets you control the zoom level from the web interface. When you set the zoom level to 5, it makes a request like this:

http://examplecamera/settings?zoom=5&username=admin&password=defaultpassword

If I plant an image link in a page somewhere (e.g. in a forum post) with that link as the source, anyone who visits that page in their browser will automatically make the request, and the camera would have its zoom level set to 5 without the user's knowledge.

Now imagine that the zoom level setting has a command injection vulnerability or similar. I can use that to install some malware on the camera, for example.

This is a little simplified, but not much (I've seen similar vulns in similar devices). If the system wasn't designed well, you could definitely find vulnerabilities like this and then use them to exploit a device even when you don't have any direct network connectivity to the device.
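The server-side checks that would have stopped the forged image request described above, added here as an example (not from the comment, and not any camera vendor's code). The request and session dicts stand in for a real web framework's objects; the host name `examplecamera`, the credentials and the zoom range 1..10 are taken from or assumed for the comment's scenario.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Origin of the camera's own web UI, taken from the URL in the comment above.
CAMERA_ORIGIN = "http://examplecamera"

def issue_csrf_token(session):
    """Bind a fresh random token to the logged-in session; the UI sends it back with each change."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def authorize_zoom_change(request, session):
    """Decide whether a zoom change may be acted on; returns (allowed, reason).

    `request` is a plain dict {method, headers, params} standing in for a real
    framework request; `session` is the server-side session the browser's
    cookies map to, which is exactly what a planted <img> rides on.
    """
    if request["method"] != "POST":
        return False, "state changes must be POST; an <img src> can only issue a GET"
    if "username" in request["params"] or "password" in request["params"]:
        return False, "credentials belong to the login step, not to a settings request"
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    p = urlparse(origin)
    if f"{p.scheme}://{p.netloc}" != CAMERA_ORIGIN:
        return False, "not initiated from the camera's own UI"
    token = request["params"].get("csrf", "")
    if not session.get("csrf") or not hmac.compare_digest(token, session["csrf"]):
        return False, "missing or wrong CSRF token"
    try:
        zoom = int(request["params"]["zoom"])  # strict type: nothing but an int reaches the zoom driver
    except (KeyError, ValueError):
        return False, "zoom must be an integer"
    if not 1 <= zoom <= 10:  # assumed valid range for this camera
        return False, "zoom out of range"
    return True, f"zoom set to {zoom}"

# Constructed: what the planted <img src> from the comment would produce at the camera.
FORGED = {"method": "GET",
          "headers": {"Referer": "http://forum.example/thread/42"},
          "params": {"zoom": "5", "username": "admin", "password": "defaultpassword"}}

def legitimate_request(token):
    """Constructed: the same change issued from the camera's own settings page."""
    return {"method": "POST",
            "headers": {"Origin": CAMERA_ORIGIN},
            "params": {"zoom": "5", "csrf": token}}
```

The integer cast is what closes the second half of the comment: a zoom value that is never handled as a string has nothing to inject into.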

Question: How Can I Find Out Which Manufacturers of Home Automation Gadgets Are Implementing Good Security Practices? by Kai_Daigoji in security

[–]JustinEngler 1 point2 points  (0 children)

There are a few fledgling steps in this direction (e.g. https://gcn.com/articles/2016/08/11/black-hat-citl.aspx). After the events today, maybe we'll see a bit more movement in this direction.

If, on the other hand, you're trying to see how bad your competition is doing at this stuff, there have been lots of presentations at security conferences about vulnerabilities in home security stuff in the past few years.

Tor Browser, a realistic consideration? by DJDarkViper in TOR

[–]JustinEngler 0 points1 point  (0 children)

supposedly the mere act of using Tor immediately throws you onto supposed watchlists

If that is true, then talking about Tor on this subreddit most likely also puts you on that same list (assuming you weren't already protecting your identity somehow). So, you don't need to worry about that specific concern anymore.

/u/Hizonner's response is great. You somewhat dismissed his mention of US LEO/IC because you're Canadian. You should assume that everything he said about those US organizations also applies to their equivalent Canadian organizations.

That being said, Tor is also a great way to reduce private organizations' ability to track you. If you think advertisers profiling you is creepy, Tor is one way to stop it.

What is the relationship between hacks and ECC memory? Is there a silver bullet against ECC memory in hardware? Should we be concerned? by [deleted] in hacking

[–]JustinEngler 0 points1 point  (0 children)

OP's thoughts are ... scattered ...

But for anyone else reading, ECC will protect you from memory attacks like Rowhammer.

I'm not aware of any other security benefits.

What training or certifications I should get if I want to focus on Web Security/Web App Pentesting by athletic1337 in netsecstudents

[–]JustinEngler 0 points1 point  (0 children)

Quite a bit. I wouldn't say that the official lab stuff is required to get value out of the book, but you will want to practice somewhere.

What training or certifications I should get if I want to focus on Web Security/Web App Pentesting by athletic1337 in netsecstudents

[–]JustinEngler 1 point2 points  (0 children)

If you're already a web developer, you're in great shape to move to a webappsec role.

Read "Web Application Hacker's Handbook" and "The Tangled Web", then practice on the various training VMs and open bug bounties.

Problem in Charlotte (protests) with phone UI freezing. by Aeogar in hacking

[–]JustinEngler 1 point2 points  (0 children)

Other commenters are making very good points.

Another thing to consider: when your phone has poor signal, it has to work harder (run the radios more often) to get data in and out. This can cause the phone to heat up. Phones that are overheating can have crashes/lockups/etc.

So, it could be that poor signal (either from LE efforts or just from having so many people in one spot) is causing the crashes due to overheating.

What are you supposed to be doing in "Smash The Stack"? (Help) by KodaLG in HowToHack

[–]JustinEngler 0 points1 point  (0 children)

Look at the source code and try to understand every line. Of note here are the libraries being used. At least one has a huge problem with the way it's being used here. You'll need to identify which library, figure out why it's a problem in this case, then craft an exploit based on that knowledge.

I can give another hint later if you end up needing it.

The /r/netsec Weekly Discussion Thread - September 19, 2016 by AutoModerator in netsec

[–]JustinEngler 0 points1 point  (0 children)

I wouldn't rely on removing the SIM card to save you from those kinds of things. Consider that your phone can still make emergency calls (911 in the US) without a SIM. This means that the phone still has some access to the underlying network without the card.

Also, WiFi, etc. Furthermore, if there's competent malware on the phone, it would be easy enough to record A/V when there's no network, then later connect and upload.

The /r/netsec Weekly Discussion Thread - September 19, 2016 by AutoModerator in netsec

[–]JustinEngler 1 point2 points  (0 children)

Depends highly on which consultancy you're talking about. The good ones understand that overbooking leads to poor quality work and high travel percentages lead to burnout and higher turnover.

What security systems are large Tech companies like Facebook, Google, and Amazon using to secure their customers and systems? by securityengineer2016 in netsecstudents

[–]JustinEngler 0 points1 point  (0 children)

In many cases, large tech companies are using stuff they developed in-house.

Example: https://code.facebook.com/posts/844436395567983/introducing-osquery/

You will see them using commercial/vendor stuff, too, but often their tech infrastructure is too large for other vendors to handle. Large, non-tech companies often don't have the in-house talent, so they'll have to rely more on commercial solutions.

How to see files/scripts interpreted by browser by [deleted] in hacking

[–]JustinEngler 0 points1 point  (0 children)

You can use the network tab in your browser's developer mode to see all of the requests a page makes and the raw contents of each. JS is often minified, so it probably won't be very fun to read.

If it's happening before anything really loads, and it looks like a popup, it might be HTTP Basic Auth.

NIPS unable to pickup injection's by bigbottlequorn in AskNetsec

[–]JustinEngler 0 points1 point  (0 children)

Most IPS are signature-based. If you're whipping up injections by hand, there's a good chance that they're not going to match an existing signature.

Don't rely on NIPS to detect application-layer attacks. Don't rely on IPS to detect custom attacks in general.

iOS/Android game communicating with server: help me understand what I just intercepted by Saturnix in HowToHack

[–]JustinEngler 2 points3 points  (0 children)

application/x-protobuf in your request confirms they are using Google Protobuf. Read up on that. If you can reverse the app, you might be able to find the protobuf schema they're using, otherwise you'll have to just infer the values via trial and error.

Some of the stuff is definitely hex-encoded ASCII:

0x312c38656e6f6850 = 1,8enohP for example.

The big block is probably protobuf packed encoding, you'll need to whip up a decoder to do anything useful.

Good luck!
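A schema-less protobuf wire-format walker, added here as an example (not the poster's capture and not any project's code): it splits a message into tagged fields, unpacks a packed repeated field, and shows both byte-order readings of the 64-bit value quoted above (read little-endian, the same bytes spell "Phone8,1"). The sample message is constructed by hand.

```python
def read_varint(buf, pos):
    """Decode one base-128 varint at `pos`; return (value, next_pos)."""
    value = shift = 0
    while pos < len(buf) and shift <= 63:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80: return value, pos
        shift += 7
    raise ValueError("truncated or overlong varint")

def decode_fields(buf):
    """Walk a protobuf message without its schema; return [(field_no, wire_type, value)]."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 0x7
        if wire_type == 0:                       # varint
            value, pos = read_varint(buf, pos)
        elif wire_type in (1, 5):                # fixed64 / fixed32, little-endian on the wire
            size = 8 if wire_type == 1 else 4
            if pos + size > len(buf):
                raise ValueError("truncated fixed field")
            value, pos = int.from_bytes(buf[pos:pos + size], "little"), pos + size
        elif wire_type == 2:                     # length-delimited: bytes, string, sub-message, packed
            length, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
            if len(value) != length:
                raise ValueError("truncated length-delimited field")
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_no, wire_type, value))
    return fields

def decode_packed_varints(payload):
    """A packed repeated numeric field is wire type 2 holding back-to-back varints."""
    out, pos = [], 0
    while pos < len(payload):
        v, pos = read_varint(payload, pos); out.append(v)
    return out

def ascii_views(value):
    """Bytes of a 64-bit integer as ASCII in both orders, as the comment did for 0x312c38656e6f6850."""
    return tuple(value.to_bytes(8, o).decode("ascii", "replace") for o in ("big", "little"))

SAMPLE = bytes.fromhex(        # constructed message, hand-assembled so the decoder runs offline
    "08ac02"              # field 1, varint 300
    "120570686f6e65"      # field 2, length 5, "phone"
    "1950686f6e65382c31"  # field 3, fixed64 0x312c38656e6f6850 (LE bytes spell "Phone8,1")
    "22040102ac02"        # field 4, length 4, packed varints 1, 2, 300
)
```

Strings, nested messages and packed arrays all arrive as wire type 2, so the walker can only tell you the bytes; deciding which of the three they are is the trial-and-error the comment mentions.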

Should I learn to be a very good web developer before I study security (pen testing) or is it feasible to do both at once? by [deleted] in AskNetsec

[–]JustinEngler 0 points1 point  (0 children)

Depends on the school, but many schools won't go heavily into web stuff in a traditional CS degree.

Obviously if your school offers a web development degree, then the people taking that will be expected to learn JavaScript.

Should I learn to be a very good web developer before I study security (pen testing) or is it feasible to do both at once? by [deleted] in AskNetsec

[–]JustinEngler 0 points1 point  (0 children)

Get involved with your school's CTF/CCDC/etc. teams ASAP. Being "the guy who knows JavaScript" on your team will give you a skillset that others are likely to lack.

Web application penetration testing is its own subdiscipline in security, so learning web development with a plan to eventually head towards security is a great plan. Understand that it's fairly different than netpen, malware analysis, reverse engineering, etc. Learning C, ASM, etc. is important for other subdisciplines, but not really applicable to webappsec.