A New HOPE
It’s about the process behind the methodology…
- Wokko, “Hack the Planet… Step 1, Step 2, Step…”
Getting daily updates enumerating discovered vulnerabilities is pretty standard practice for pen tests. So are pre-kick-off calls intended to add specifics to the initial process developed from the rules of engagement.
Good example here of penetrating a system through a 500 error.
Obviously, there’s a couple of problems here (the initial 500, the full stack trace, the over-permissions JWT, credential replay…). But overall this gives a sense of what this process can look like.
During a physical penetration test, actions should be fast and compatible with social engineering (if you’re caught, can you justify your actions/tools?).
Path analysis is important here. See the corresponding HOPE 2020 talk.
Two-part “dead latches” are designed to frustrate latch bypass tools (the smaller latch blocks the larger one when pressed in). If the dead latch isn’t present or isn’t properly set up (not uncommon), then you can generally just force the latch with a card.
Latch cards are the best way to get through a door, if you can use them.
Use a special wire tool.
You’d be surprised how often this works on external doors.
Wheelchair buttons and exit sensors will often unlock the doors they open. Fire alarms will also often unlock the external doors they’re nearby… Though obviously that, well, triggers the fire alarm.
Sometimes people leave doors propped open. Sometimes doors don’t close properly. Sometimes the pen tester stops by earlier in the day and props a door open.
Ladders (look at both sides), vents, trees, false ceilings (depending on how walls are structured and what maintenance affordances are available).
Many security measures have initial stickers that describe how to install the device without tripping it. These stickers are, surprisingly/unsurprisingly, not always removed.
Door alarm sensors are also often magnetic, and slipping a magnet over the sensor will trick it into thinking that the door is still closed.
Lock boxes sometimes contain RFID cards that can be cloned.
Simplex combination locks have a default code of 2 and 4 held down simultaneously, then 3.
Be very careful when physically pen testing a facility not to allow an actual attacker to come in behind you!
If you can access the facility when it’s open, you can sometimes put things in latches or door frames (pieces of paper, small rocks, etc.) that will give you access later.
Sometimes the response time to an alarm is abysmal (45+ minutes). Sometimes a door alarm has so many false alarms that people just ignore them.
You’d be surprised how often you can trick the arriving security team by just closing the door behind you.
OSINT of Facilities by Physical Reconnaissance (Archive.org)
And the answer is… The PinePhone?
There’s a representative from the Calyx Institute here who (rightly!) points out that Calyx has been working on a de-Googled version of Android intended to address privacy concerns.
It turns out the locations of controlled folders like “Pictures” and “Documents” are hard coded into HKPU. This means that if user folder locations are changed, they will no longer be protected with Windows’ default settings!
There is no warning about this when the user changes a folder location. Moreover, no access/block history will be recorded for these folders.
Changing a user folder’s location is scriptable, which means this can be chained with RCEs in other products to allow remote encryption of sensitive files.
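A defender-side check for the gap described above, as an added example (not from the talk): it resolves where each known folder currently lives, flags any that have been redirected away from the default %USERPROFILE% location, and optionally re-adds them to Controlled Folder Access explicitly. It assumes a Windows 10/11 host with Microsoft Defender and uses only the Get-MpPreference / Add-MpPreference cmdlets and .NET special-folder resolution.

```powershell
# Added example (not from the talk): find known folders that were moved away from
# their defaults, which the talk says Controlled Folder Access (CFA) then silently
# stops protecting, and optionally protect the new paths explicitly.
# Assumes Microsoft Defender on Windows 10/11; run as the user being audited.
# Add-MpPreference (the -Fix path) needs an elevated prompt.
param([switch]$Fix)

# Known folders CFA covers by default, keyed by their default folder name under %USERPROFILE%.
$known = @{
    Desktop   = [Environment+SpecialFolder]::Desktop
    Documents = [Environment+SpecialFolder]::MyDocuments
    Pictures  = [Environment+SpecialFolder]::MyPictures
    Music     = [Environment+SpecialFolder]::MyMusic
    Videos    = [Environment+SpecialFolder]::MyVideos
    Favorites = [Environment+SpecialFolder]::Favorites
}

$pref = Get-MpPreference
# EnableControlledFolderAccess: 0 = off, 1 = block, 2 = audit only.
if ($pref.EnableControlledFolderAccess -ne 1) {
    Write-Warning "CFA is not in block mode (EnableControlledFolderAccess = $($pref.EnableControlledFolderAccess))."
}
# Only admin-added folders appear here; the built-in defaults are never listed.
$explicit = @($pref.ControlledFolderAccessProtectedFolders)

$moved = foreach ($name in $known.Keys) {
    $current = [Environment]::GetFolderPath($known[$name])   # honours redirection
    $default = Join-Path $env:USERPROFILE $name
    if ($current -and ($current -ne $default)) {
        [pscustomobject]@{
            Folder    = $name
            Default   = $default
            Current   = $current
            Protected = ($explicit -contains $current)       # explicitly re-added already?
        }
    }
}

if (-not $moved) { "No redirected known folders found for $env:USERNAME."; return }
# OneDrive Known Folder Move also shows up here; review those rows rather than assuming they are benign.
$moved | Format-Table -AutoSize

# Add the redirected paths to CFA's protected list so the move no longer strips protection.
if ($Fix) {
    $toAdd = $moved | Where-Object { -not $_.Protected } | ForEach-Object Current
    if ($toAdd) { Add-MpPreference -ControlledFolderAccessProtectedFolders $toAdd }
}
```

Without -Fix the script only reports; rerunning it afterwards should show Protected = True for every redirected folder.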
Interesting precedent for the telephone (short-wave radio?) - the “induction telegraph”, invented by Granville Woods, which enabled short-distance communication via telegraph wires. This was initially used by the train system.
Flocabulary is an interesting program that creates educational curricula set to hip-hop music.
Call out to an online community radio station out of NYC called “Bondfire Radio”.
The speaker makes an interesting parallel between hip-hop and (ideal) hacker culture as a place where there’s more of a drive to judge people by their abilities rather than more superficial characteristics.
Apparently, it’s not just NoSQL databases like MongoDB and ElasticSearch that are getting popped by ransomware gangs - traditional databases like MySQL are being increasingly targeted as well.
Both of these tools begin by first doing a high-level check; if any potential artifacts or problems are encountered, the tool then switches to a deeper “intensive” scan. These can be used for both mass-scans on the Internet and targeted scans within a single organization’s environment.
Interesting classification of the 1968 version of “The Italian Job” as an early hacker movie (it apparently has a scene reminiscent of the much later “Hackers” where the thieves sabotage traffic lights as part of their getaway).
For the demoscene, we’re talking about computer programs whose size is measured in hundreds-to-thousands of bytes.
The Demoscene: How Software Piracy Birthed an Underground Art Scene (YouTube)
BBS: The Documentary (Archive.org)