Posts byxyberpix

Security professional, hacker, biogenetic organism, social engineer.

World’s first “Decode the Race car” Challenge!!

So I haven’t written for a while, and that’s mainly because setting up your own security consultancy takes a lot more time that I would have imagined, but hey, it’s been a fun ride so far.

So while everyone else is off writing about Sony, I figured that I’d lighten the mood here with something that I think is such a great idea. The guys at Secure Racing have a challenge coming up, which sounds like it’s going to be great fun, and it’s such a novel idea as well.

So taken directly from the Secure Racing website, here is all the information about the challenge coming up on the 19th June at Brands Hatch.

“Secure Racing, the Information Security industry’s motorsport team, has laid down a challenge to anyone with a flair for code-breaking or a passion for cryptography.

At the team’s first race on 19th June at the Brands Hatch circuit in Kent, the Secure Racing Aston Martin will feature a hidden coded message somewhere within its livery and decals. The question is – can you find it and decipher it?
This is the first time a motorsport team anywhere in the world has offered a competition like this on their car. Developed by the Threats and Vulnerabilities Team at PWC, it forms the basis of a competition for anyone who wants to test their mettle and win fantastic prizes. Anyone can enter.

One week after the race, one winner and nine runners up will be drawn at random from the first 100 correct answers that we receive. Later this year, the lucky winner will get to jump in the Secure Racing Aston Martin Vantage GT4 to experience the exhilarating speed of getting around a circuit alongside a professional race driver. The winner will also get tickets to join the team at the Silverstone British GT Championship round and, along with the nine runners up, they will also receive complimentary membership to the Secure Racing members club – the details of which will be announced on race day.
Anyone who attends the Brands Hatch race on 19th June will have a chance to get up close and personal with our Aston and therefore have the best chance of spotting and cracking the code. For those that can’t make it, we will be posting pictures of the car on our website a couple of days after the race so you can take part.
Those who find and crack our code should email their answer to richard.moss@secureracing.co.uk
Ladies and gentlemen – the fun begins here. Start your engines, the Secure Racing story is about to begin.
Discounted admission tickets available exclusively for Secure Racing fans at: www.motorsportvision.co.uk/secracing

Microsoft Security Bulletin MS10-070, Important, Really??

So, SANS has set it’s InfoCon level to yellow to increase the visibility of this update, and hopefully to encourage people to patch it sooner rather than later. All I can say is that I hope that it does actually get people to apply this patch quickly.

Apparently MSFT are aware of “active attacks”, which begs the question as to why is this only rated as an “Important” patch? I’m sure they have their reasons though, but if you are running any web applications, you are really advised to patch sooner rather than later on this one.

The details of the patch, taken from Microsoft’s website are the following:

—————————–

Executive Summary

This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.

This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2416728.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

———————-
As always people, be safe and patch asap, the Internet is a dangerous place….

Funniest E-mail sent to the LKML (Linux Kernel Mailing List)

This is just so very very wrong! Original e-mail can be found here.
“Hi, all

I have two machines that show very different performance numbers.

After digging a little I found out that the first machine has, in
/proc/cpuinfo:

model name      : Intel(R) Celeron(R) M processor         1.00GHz

while the other has:

model name      : Intel(R) Core(TM)2 Quad CPU    Q6600  @ 2.40GHz

and that seems to be the main difference.

Now the problem is that /proc/cpuinfo is read only. Would it be possible
to make /proc/cpuinfo writable so that I could do:

echo -n “model name      : Intel(R) Core(TM)2 Quad CPU    Q6600  @
2.40GHz” > /proc/cpuinfo
in the first machine and get a performance similar to the second machine?”

Social Engineering and Facebook For Starters

The post that I wrote the other day about Foursquare and Facebook Places really got me thinking, and well, then it got me into doing mode very quickly.

So, putting on my reconnaissance hat, I logged into Facebook to see what I could find out about a complete stranger, and well, to say that it was interesting is to put it mildly. Bear in mind that I had no idea who this person was, or where in the world they were located before I started digging around.

The details that I managed to dig up about this person were the following:

– D.O.B

– In a relationship

– Hometown

– Religion

– Last 3 employers, as well as current

– Current Job Title

– Universities attended and relevant dates

– Schools attended and relevant dates

– Work e-mail address

– Private e-mail address

– Work phone number

– Home phone number

– Cell phone number

– Home address

– Work address

– Car make and model

– Car registration number

– Roughly how long it takes him to get from home to the office (average of 33 minutes)

– Roughly how long it takes him to get from home to his son’s school.

– Musical tastes

– Photo’s of his house, his dogs and his children

– He spends a lot of time (and I mean a lot) playing World of Warcraft

– He used to run Windows XP, but has recently upgraded to Windows 7

– I managed to map out the first two layers of his family tree

I then decided to do a bit more digging outside of Facebook now that I had all the above knowledge, and managed to find out a bit more about him.

– He goes running each day, and also uploads his routes and stats via Runkeeper

– He’s been in the newspapers a couple of times for good deeds and charity work

– He coaches a kids soccer team at his sons school every other weekend

– He spends a fair amount of time on forums relating to legal highs

– There’s some video’s of him and his family on YouTube

– He has a personal web site, with a photo gallery of his travels with his family

– He runs a server from home, it’s running Windows 2003, IIS, and Exchange

– He’s currently an MCP studying towards his MSCE for Windows 2003, and I have his MCP ID, so far he’s done 3 exams

– He’s been married once before, and looking at photo’s of his ex-wife and his children, and their respective ages, one of the children is from his previous marriage.

– His citizenship

I managed to find all this information in about 10 minutes, now if I really wanted to go all out on this one, I’m pretty sure I could find a lot more information about him and his lifestyle.

Already with the information that I’ve managed to obtain I could quite easily use this for social engineering purposes, and not just against this person, but against most the people in his family. It really does make me wonder why people are so open with all the details that they share online, with just a little bit of effort I feel like I know this person. I also know that if I wanted to attack his company it would be a pretty trivial thing to do.

People, it’s a scary world out there, and you really don’t need to publish all this sort of information, the people that know you and will already know this information, do you really need to advertise it to the world.

I’d like to thank George for taking part in my little experiment 😉