A New HOPE

author: Nathan Acks
date: 2022-07-23

Day 2 of A New HOPE.

Hack the Planet… Step 1, Step 2, Step…

It’s about the process behind the methodology…

  • Wokko, “Hack the Planet… Step 1, Step 2, Step…”

Getting daily updates enumerating discovered vulnerabilities is pretty standard practice for pen tests. So are pre-kick-off calls intended to add specifics to the initial process developed from the rules of engagement.

Good example here of penetrating a system through a 500 error.

Obviously, there’s a couple of problems here (the initial 500, the full stack trace, the over-permissions JWT, credential replay…). But overall this gives a sense of what this process can look like.

Unpickable But Still Unlockable: Lock Bypass Tricks in the Field

During a physical penetration test, actions should be fast and compatible with social engineering (if you’re caught, can you justify your actions/tools?).

Path analysis is important here. See the corresponding HOPE 2020 talk.

Latch Bypass

Two-part “dead latches” are designed to frustrate latch bypass tools (the smaller latch blocks the larger when when pressed in). If the dead latch isn’t present or isn’t properly set up (not uncommon), then you can generally just force the latch with a card.

Latch cards are the best way to get through a door, if you can use them.

Door Handles & Crash Bars

Use a special wire tool.

Just Pull Really Hard

You’d be surprised how often this works on external doors.

Accessibility Buttons, Exit Sensors, and Fire Alarms

Wheelchair buttons and exit sensors will often unlock the doors they open. Fire alarms will also often unlock the external doors they’re nearby… Though obviously that, well, triggers the fire alarm.

Reasons Doors Aren’t Locked

Sometimes people leave doors propped open. Sometimes doors don’t close properly. Sometimes the pen tester stops by earlier in the day and props a door open.

Bypasses

Ladders (look at both sides), vents, trees, false ceilings (depending on how walls are structured and what maintenance affordances are available).

Many security measures have initial stickers that describe how to install the device without tripping it. These stickers are, surprisingly/unsurprisingly, not always removed.

Door alarm sensors are also often magnetic, and slipping a magnet over the sensor will trick it into thinking that the door is still closed.

Lock boxes sometimes contains RFID cards that can be cloned.

Simplex combination locks have a default code of 2 + 4 held down simultaneously and then pressing 3.

Less Useful Bypasses

Be very careful when physically pen testing a facility to not allow an actual attacker come in behind you!

Pretexting

If you can access the facility when it’s open, you can sometimes put things in latches or door frames (pieces of paper, small rocks, etc.) that will give you access later.

Real-World Bypasses

Sometimes the response time to an alarm is abysmal (45+ minutes). Sometimes a door alarm has so many false alarms that people just ignore them.

You’d be surprised how how often you can trick the arriving security team by just closing the door behind you.

Previous Talk

OSINT of Facilities by Physical Reconnaissance (Archive.org)

Secure Cell Phone Communication: Mission Accomplished or Popular Delusion?

And the answer is… The PinePhone?

There’s a representative from the Calyx Institute here who (rightly!) points out that Calyx has been working on a de-Googled version of Android intended to address privacy concerns.

The Ransomware Protection: Full of Holes

It turns out the locations of controlled folders like “Pictures” and “Documents” are hard coded into HKPU. This means that if user folder locations are changed, they will no longer be protected with Windows’ default settings!

There is no warning about this when the user changes a folder location. Moreover, no access/block history will be recorded for these folders.

Changing user folder location is scriptable, which means that this can be chained with RCEs in other products to allow for remote encryption of sensitive files.

How Hip-Hop Can Inspire the Next Generation of Tech Innovation

Interesting precedent for the telephone (short-wave radio?) - the “induction telegraph”, invented by Granville Woods, which enabled short-distance communication via telegraph wires. This was initially used by the train system.

Flocabulary is an interesting program that creates educational curricula set to hip-hop music.

Cal out to an online community radio station out of NYC called “Bondfire Radio”.

The speaker makes an interesting parallel between hip-hop and (ideal) hacker culture as a place where there’s more of a drive to judge people by their abilities rather than more superficial characteristics.

Combating “Ransom War”: Evolving Landscape of Ransomware Infections in Cloud Databases

Apparently, it’s not just NoSQL databases like MongoDB and ElasticSearch that are getting popped by ransomware gangs - traditional databases like MySQL are being increasingly targeted as well.

New tools:

Both of these tools begin by first doing a high-level check; if any potential artifacts or problems are encountered, the tool then switches to a deeper “intensive” scan. These can be used for both mass-scans on the Internet and targeted scans within a single organization’s environment.

Hacker Representation Through the Years: A Guided Tour of Hacker Appearances in TV and Cinema

Interesting classification of the 1968 version of “The Italian Job” as an early hacker movie (it apparently has a scene reminiscent of the much later “Hackers” where the thieves sabotage traffic lights as part of their getaway).

Demoscene 2022: Electric Boogaloo

For the demoscene, we’re talking about computer programs whose size is measures in hundreds-to-thousands of bytes.

Previous Talks

The Demoscene: How Software Piracy Birthed an Underground Art Scene (youTube)

Demoscenes (Archive.org)

BBS: The Documentary (Archive.org)