I’m speaking at Hackers 2 Hackers Conference 9th edition – 2012 @ São Paulo, Brazil!

Hi folks! I’m glad to inform that my paper “Advanced DDoS techniques: Layer 7, load-balancing and mobile tools” was accepted by the 9th Hackers 2 Hackers Conference (H2HC). The event will take place on October 20-21 and it seems to be another success just like previous editions. Don’t forget to check the event’s website for full line-up. If you can, enroll and enjoy!

Read More

Quick and dirty tcpdump credential (username/password) sniffer

I’ve been playing the last months with mobile pentesting within the Android platform. As I’ve been able to setup tcpdump-arm on my android phone, I began fooling around with it. I was trying to cross-compile Dug Song’s dsniff into armle architechture but it was only giving me headaches within the libnet/libnids dependencies and stuff. So I wrote a quick one-liner to dump potential credentials (username/password) flowing in plaintext over the line:

Read More

São Paulo State’s Military Police website (almost) hacked by RFI

Today a friend shared me this link which pointed to São Paulo State’s Military Police website and showed a deface-like page with a hacktivist text and a youtube video. The first thing that came to my eyes was the URL: http://www.polmil.sp.gov.br/abrirframes.asp?PAGINA=http%3A%2F%2Fwww.nova89fm.com.br%2Fwebsite%2F ‘abrirframes.asp’ is ‘openframes.asp’ and ‘PAGINA=’ is ‘PAGE=’ in Brazilian Portuguese. Say no more. That’s why I’ve said “almost hacked”. The site that was actually hacked was www.nova89fm.com.br (a Brazilian FM Radio) and not São Paulo State’s Military Police’s.

Read More

Terminal auto-lock with zsh and vlock

I’m always concerned about leaving terminal sessions open. I’ve used for many and many years the $TMOUT environment variable to close my sessions if idle for N seconds. Just by exporting the TMOUT variable to the number of desired timeout seconds will close your shell (Bash, Ksh, Zsh and some others). The following example will timeout in 300 seconds (5 minutes) export TMOUT=300 I am currently reading the book Secure Coding: Principles & Practices and the authors cited this timeout technique as pretty ineffective since it annoys more than it helps.

Read More

Iran hijacked US Drone by hacking GPS

These past weeks I’ve been following the US drone hijacking by the Iranian Revolutionary Guards. Recently the details of the hacking were posted. The IRG says the communication signals were jammed forcing the UAV to go into autopilot (RTL – Return To Land, to be more precise). Then the GPS signals were spoofed to make the drone think that Iran Base was his Base. US experts are still questioning these claims.

Read More

Shared-hosting accounts victims of lame directory permissions

From a few months some clients started to complain about their shared-hosting accounts being amazingly owned even if their PHP applications (WordPress mostly) were totally up to date. The malware got into most of the PHP files including a PHP snippet that would eval and decode a base64-encoded string containing a script declaration loading Javascript from outside. This Javascript usually initiates download of .exe’s and stuff. A friend’s account got hacked a few days back by this very same technique.

Read More

Endpoint DLP: Is hardware access control enough?

I’ve stumbled on this article about using a custom-built hardware to bypass hardware enforcement on most DLP solutions available on market. The solution uses an Atmel’s AVR microcontroller (the same on the Arduino‘s I’ve been playing around lately) and the V-USB library to create a virtual USB device and is crafted to announce itself as HID (Human-interface device). What common hardware fits this description: the keyboard. As you are not likely to forbid keyboard access to your users (or else they wouldn’t be able to type and thus work), this will gracefully pass through many enforcements.

Read More

Playing around with Samy’s Quickjack clickjacker

In the past few days I’ve started following the work of Samy Kankar, which has some great work. Among all of them, I’ve almost-randomly picked one to play, Quickjack. From Samy’s project page: Quickjack is a tool developed to easily create pages with the capability to clickjack users no matter where they click on the page. The tool has an extremely intuitive interface and is literally a point-and-click tool.

Read More

Anatomy of the W32.Stuxnet SCADA threat

Symantec released an in-depth analysis of W32.Stuxnet, reviewed through IDA-PRO. The analysis shows off the staged infection process, the unusual injection of legitimate services instead of issuing LoadLibrary calls, core encryption and exported functions. Tofino Security (specialized on SCADA security) has released an excellent white paper on the case (requires [free] registration). If you are a Malware Researcher / Reverse Engineer or just curious, I totally recommend it. There’s code, great explanation, images, graphs and such explaining it all the process from infection, rooting and the propper malware code.

Read More

WPA faces new threat ‘Hole 196’ and new key bruteforcing service

WPA was hit hard these days by a rumor of a new threat called ‘Hole 196’. The hole would allow GTK (Group Temporal Key) spoofing forcing users to send the rogue AP their private key information leading to a awesome no-footprinted (medium is over air!) man-in-the-middle attacks. To understand transient keys over WPA, Md Sohail Ahmad from AirTight said: WPA2 uses two types of keys: 1) Pairwise Transient Key (PTK), which is unique to each client, for protecting unicast traffic; and 2) Group Temporal Key (GTK) to protect broadcast data sent to multiple clients in a network.

Read More