Going to keep this one short... nothing too exciting in this issue.
Phrack Issue Two --
Released 01/01/1986
Universal Informational Services via ISDN by Taran King
This phile is a basic overview of
ISDN.
The central idea of ISDN, as AT&T Network Systems sees it, is to
provide an individual user a link to the local central office of
generous band-width - a digital subscriber line that can carry
144,000 bits per second (sure beats 2400 baud!).
144,000 bits = 17.5KB. There are two types of ISDN implementations,
Basic Rate Interface
(BRI) and Primary
Rate Interface
(PRI). Today PRI
circuits are used for voice, however BRI circuits have been widely
replaced by alternatives such as DSL. To have an ISDN Internet
connection back in 1986 would have been pimp. 17.5kB/s should have been
more than enough for anyone!
Hacking RSTS by Data Line
Anyone have a PDP-11?
Posted by Marcin on Tuesday, August 14, 2007 in
Phrack a day.
For those living in Phoenix, Desert Code
Camp is upon us. All morning
and afternoon on Saturday, September 15 will be full of sessions
that are all about code. My friend Adam Muntner (founder of
QuietMove and contributor to Security
Catalyst) will be presenting three
sessions on information security. They are:
Achieving PCI Compliance Payment Card Industry Data Security
Standards, also knowns as PCI DSS, are a set of regulations governing
how payment card data can be stored, processed, and transmitted. The
presenter will share his experiences in helping organizations ranging
from small ecommerce development shops to the Fortune 1000 to achieve
and maintain PCI compliance.
Security in the Software Development Lifecycle Adam Muntner will
share his experiences about how organizations can integrate application
security into all phases of the Software Development Life Cycle, from
the creation of functional specifications all the way through
development, deployment, maintenance, and updates. He will explain how
to "bake security in" rather than "ice it on."
Web Application Hacking - Attack and Defense Recognizing the
competitive advantage of speed to market, organizations are under
pressure to develop and deploy applications as rapidly as possible.
According to Gartner Group, 75% of attacks are now focused against the
application layer. The combination of rapid development deadlines with
the most targeted attack vector often leads to insufficient security
analysis, testing, and validation through the entire software
development lifecycle. The results are predictable - regulatory
compliance headaches, erosion of customer confidence, and ultimately
financial loss.
By learning about the tools and techniques used by crackers to
penetrate applications, participants will learn how to defend against
application-layer attacks.
There will also be a track presented by Lisa Kachold on Securing
E-Commerce Information (no abstract at this time).
Posted by Marcin on Monday, August 13, 2007 in
Conferences and
Security.
I've started (finally) filling out the
projects section on my
site. Check it out, I've got a couple neat scripts I wrote for
performing various tasks. The section will continue to grow as I get
better with various scripting languages and write cooler/better/longer
scripts. Feel free to comment on any of them, how to improve them, add
more functionality, etc. Programming's probably my weakest area, so any
input would be appreciated. :)
Posted by Marcin on Monday, August 13, 2007 in
Other.
Sorry for being late to the game on this one, you've probably already
read several personal accounts and all the stories and headlines that
originated from Las Vegas last weekend. For those interested, below is
my experience at my first DefCon ever, and my first time to Las Vegas.
I've been to ShmooCon earlier this year in March, and had an absolute
blast. DefCon however, is huge. It's insane. It's wild. No time for
sleep.
On Thursday morning, I made sure my proxies that I planned on using that
weekend worked, so I can check my email securely. Went to the airport
around 1:30, my flight departed from Hartford, CT at 3:31pm to
Pittsburgh, PA. Ugh! We boarded the 5pm connecting flight some 45
minutes late. The flight itself was four hours, babies crying, I'm
getting restless, and I can't concentrate enough to read a book or fall
asleep. It sucked, I thought I was going insane. I arrived in Las Vegas
at around 10:45pm, and waited until 11:30 at the baggage claim for the
bags to come out. Ridiculous... I should really invest in one of those
carry-on luggage every one else uses.
I get to the Riviera at about 11:45, checked in and got a room at the
North Tower. This tower is nice and close to everything (registration
desk, taxi, *the bar*, pool, convention?). I would recommend staying
in that tower if you're going to be at the Riv. After dropping off my
bags in my room, I went to go walk around and had no idea what to do. I
called up a couple friends, who just went out to eat not long before. I
had no clue how to get to the restaurant they went to, it's been a real
long day, and so I just went back to my room and ordered room service.
Whatever you do, don't get the pizza. It sucks.
***
Friday morning I am up bright and early to get a good spot in the
registration line. I was hanging around at 7am and the line really
started forming around 7:30. I hop in, and was about the fifth person..
woohoo! Met Joe Barr from Linux.com, some dude
from eBay, and a couple other people. It was fun talking with you guys,
about all kinds of shit. It was way too early in the morning to think
about though. I get my badge before 8am, and look down the hall and see
a huge line.. good move getting up early. First talk is at 10:30, so I
had some time to kill. I walk around, bump into Martin
McKeay,
Cutaway, Perry
Carpenter, James
Costello and a couple others
from the Security Catalyst
Community (I'm sorry I don't
remember everyone's name). I also found out the night before one of my
past co-workers was in town for DefCon, so I went to go meet her and her
husband and see what talks they'd be going to. We pretty much chatted
the rest of the morning and then split up to attend the first talks of
the day.
I headed for Joe Grand's "Making the DefCon Badge." The DefCon badge
this year is amazing, and I wanted to hear more about it. Before Joe
presented, Dark Tangent made everyone aware of the possibility an
undercover reporter from Dateline NBC would be around trying to get
hackers to reveal crimes they committed on hidden camera. Unbelievable!
Before the talks even started, she's been outted. Haha, I wonder who
tipped them off. o_O Anyways, the badge this year is programmable and
can display scrolling text at various speeds and even has persistence
of vision
capability. Joe
left out some [planned] components like an
accelerometer
and wireless
transceiver
due to time and big brother paranoia... :P He's holding a contest until
DC16 to see who can come up with the best badge hacks. I've already got
some ideas floating around involving the wireless transceiver.... >;
After Joe Grand's talk, I ended up just walking around and running into
more people. If you didn't realize by now, these conferences are huge
social-networking events. I caught up with
Mubix, Scott
Roberts, Mouse,
LoST, and some of my classmates from UAT. Adam
Muntner who organizes Phoenix
OWASP was also in town who I
grabbed lunch with in the afternoon. I went to the Mexican place over in
the food court, which had pretty good burritos and quesadillas. Nothing
like the Chipotle at ShmooCon, but it was very good. Walking back to
drop off Adam's bags, we ran into Martin McKeay again and with him
Larry Pesce of PaulDotCom Security Weekly.
Larry, you forgot to plug my site!! :P If you ever run into any of the
guys from PaulDotCom, make sure you get a "Hack Naked" sticker. :P
I wanted to see Bruce
Potter talk about the
"Dirty Secrets of the Security Industry," but I was still confused as to
where each track was located and by the time I got to the right room,
the goons were sending the overflow crowd out. Shitty. Oh well, when do
the videos get uploaded?
I went with Scott and saw H.D. Moore and
Valsmith do their DefCon presentation on Tactical
Exploitation.
This was the talk where Ms. Madigan was
identified among the
crowd by DT. People above were screaming "Burn the witch, burn the
witch," which was hilarious. She just got up and ran out of the room...
It all happened pretty quickly. HD gave a great talk and presented some
cool tools. I kinda wondered why both of them had to present? It made
the talk slower as they switched spots in front of the mic every couple
slides. When all was over and everyone made their way towards the door,
it felt like a huge slow moving crowd of molasses flowing out of the
room. I tried to get to DT's talk on CiscoGate asap.
CiscoGate... sigh. What did we have there. I still don't like how it all
went down. I think Blackhat has become too "corporatey," and ISS really
did not do much to protect their employee. The whole thing was a mess,
FBI, Cisco, ISS, lawyers, Dark Tangent, Mike Lynn all involved. Had Mike
not quit ISS, he probably would have been better off, but I could see
why he did. They didn't really have his back from the beginning.
That was the last talk of the day for me, and I just hung out with some
of my friends from school who were competing in the LoST @ Con Mystery
Challenge. Props to anyone who competed, LoST totally pwned everyone
with that challenge. I tried to offer up some ideas and input, but I
probably just slowed everyone down. LOL. I wasn't in the right state of
mind for it, or maybe just too dumb? I remember seeing an IQ of 200+ as
a requirement for the challenge. Some advice to future competitors,
don't think too hard... the answer will usually be right in front of
you. :P
I met up with Adam again and we ran into
Sysmin from Hacker
Pimps. Ended up talking with him for awhile
on everything from work to web app security to Ruby vs Python vs Perl.
lol. Got an invite to the Hacker Pimps party that evening but first, we
had to get some dinner. By this time I was getting hungry again. Adam
got a hold of Mike and Pete from our Phoenix OWASP group and we
proceeded to make our way to a great Vietnamese restaurant up in
Chinatown. I don't remember the name, but it was good stuff. It was my
first time having Vietnamese, which in my opinion is much less greasier
and more flavorful than Chinese food.
We came back to the Riviera, and went upstairs to room 207, Hacker Pimps
skybox party. Man was that room poppin'. If you missed out, I'm sorry
guys... you missed a great party. Maybe next year, thanks Hacker Pimps
:)
***
Saturday morning, I started off my day by attending "Market for Malware"
by University of North Carolina Charlotte professor, Thomas Holt. Maybe
I was expecting more from this presentation, but I felt that nothing new
was presented. If you want, check out The Underground Economy:
Priceless
in the the December 2006 issue of
;login:.
Agent X had a thought provoking talk on 22 things that kept him up at
night. One of those was the Security Industrial Complex, which he warns
we should watch out for. President Eisenhower warned of the advent of
the military-industrial
complex in
his farewell address. Definitely check out his slides when they go up
online.
At around 11:30, the first teams competing in the LoST @ Con Mystery
challenge finished the competition. Keep an eye out on the LoST @ Con
Mystery Challenge Defcon
Sub-Forum over the
next few days for more details, stats, results, etc. Team UAT got second
place, and I'll be talking with a couple of my fellow classmates on the
details and how they went about doing the challenge. Look for that in an
upcoming blog post.
Later, I saw Dan Kaminsky's "Black Ops 2007: Design Reviewing The Web"
and totally forgot about "Fighting Malware on Your Own" by Vitaliy
Kamlyuk. Dan's talk was great as usual, I think this one being more
practical/useful/informational to the everyday security guy. eWeek
ChannelInsider has a good
write-up
on Kaminsky's talk and DNS Rebinding. I also had the chance to meet up
with Dan and talk about his last ShmooCon
presentation.
Cool stuff, I learned a lot about linguistics in those 15 minutes.
Back at ShmooCon, I met Paul who actually went to my high school. I knew
his sister, but since he was older I never talked with him. Kinda funny
to think back now about it. He's been doing security as well for several
years; it's a small world and you just might not know who you'll run
into next. We went out to eat with his co-worker Joe at Nero's that
night, in Caesar's Palace. Funny guy... I probably laughed more in those
couple hours than I did all year. New York strip, cooked medium is
perfect -- best steak I ever had. Thanks guys.
We walked on over to the Bellagio to watch the fountains go off, a
magnificent sight. We stayed for two songs, arguing about what they play
and hoping they'd play Metallica next. LOL. On our way to New York, NY,
I probably had collected a 2" stack of hooker "baseball cards."
Hilarious... they had men, women and children passing them out. WTF?
Got back to the Riviera around 11 or so and went up to one of the
skybox's for another party. Hung out for a couple minutes and then took
off. It was alright, but I was so tired from the night before. I was
ready to crash for the night. On the way back to my room, I saw LoST,
Acidica, Mouse, Deviant, and a bunch of others gathered around Michael
J. Anderson, from Twin Peaks and who also plays Samson on the HBO
series, Carnivàle. Didn't catch everything they were talking about, but
he was pretty cool and it was unbelievable to actually see how short he
was.
After that, I decided it was time to go to sleep; I had to be at the
airport by 11am the next morning. I woke up Sunday and walked around
until 10:30 meeting up with people for one more time before I left.
DefCon was a lot of fun, I will be there again next year and will try to
make it to Blackhat as well. I hope to see you all again next year,
thanks for reading! :)
Posted by Marcin on Friday, August 10, 2007 in
Conferences and
People.
This past weekend at DefCon, I had the opportunity to hang out with a
couple people at the Lockpicking Village. I first met Deviant Ollam and
Mouse and the crew back at ShmooCon. It was a lot of fun; I learned to
break out of a pair of handcuffs in just a few seconds. Since then, I
have been compiling a list of resources and guides on the fine art of
lockpicking.
First paper that I read and would recommend to anyone else is the
original, MIT Guide to
Lockpicking
[pdf]. You can also read it in HTML
format. This paper
goes over all the basics of the locksmith trade, and you'll understand
how locks work, how a key opens a lock, and the methods for picking a
lock.
TOOOL (The Open Organization Of Lockpickers) is a
great resource for all things lockpicking, and they actually run the
Lockpicking Village at DefCon/ShmooCon. Deviant Ollam also has his own
page up with links to
an overwhelming amount of information. Each page has animated GIF's,
pictures, and write-ups on everything from lock & pick theory to bump
keys to lubricants to gun locks. Definitely a page you'll want to add to
your bookmarks.
A popular forum with frequent activity related to the trade is Lock
Picking 101. There are a ton of
threads, posts, and members that have all asked and answered most every
question you might have starting out and as you become more advanced.
Don't forget to read the
law,
twice.
That's it for now... Buy some locks, a pick set (or make your own; we
made some out of street sweeper bristles before), sit down and read and
practice. I'll post about this subject intermittently -- I'm still
getting the hang of it. It's been a fun little hobby :)
Posted by Marcin on Friday, August 10, 2007 in
Lockpicking.
