Meeting a legend! Kevin Mitnick.

23 years ago, on Feb 15th, the world’s most famous hacker, Kevin Mitnick, was apprehended in NC after years on the run from the FBI, prompting many, many young hackers and computer enthusiasts (including yours truly) to take up the mantra “Free Kevin”.

A little over 28 years ago, I started my own journey into information security (thankfully never pursued by the FBI), and much like Loyd Blankenship (Hackers Manifesto), Kevin had a profound impact on my young security career.

Today, not only did I get to see Kevin in action (POC exploits), but I got to say hello and shake his hand. I didn’t even think about taking a picture, I just wanted to shake his hand; but I’m thankful, someone there said “would you like a picture”.

Thank you anonymous picture taker!

Playing with Python

It’s been 15+ years since I have received a coding assignment, so recently, I decided to try moving in the opposite direction from Assembly, C, and Reverse engineering, and decided to take a course on Udemy for learning Python.

So far, it is an excellent course.  If you are interested the course is located here.

The assignment:  create a Tic Tac Toe game in Python.  The results are as follows:

https://github.com/idarthjedi/TicTacToe/blob/master/tictactoe.py

Breaking free from the confines of the mind… is this what insanity is like?

For years I trained my brain to engage in lucid dreaming, I’ve played with hypnosis, NLP, paraliminal learning, photo reading, and other crazy reprogram and expand your brain exercises.  Last night I got what I deserved (I guess).

As I awoke, but still asleep, I began to dream that I was programming my body in my brain.  I was pushing and popping instructions off the stack of my mind to create my heartbeat, to expand my diaphragm, to push blood through my veins.  For a brief moment, I thought “this is awesome”, I’ve finally broken free of The Matrix.

However, very quickly I realized that if I was controlling my autonomic functions, if I screwed up on the programming, my heart would stop, I would suffocate, my organs would die of asphyxia. Having this realization, I started to panic.

Mind you, I was dreaming, but aware I was dreaming.

So, I finally said to myself, this is silly, why panic, you can just wake up.  But I couldn’t.  I tried to stop thinking about programming my bodily functions.  But I couldn’t.  I tried to stop worrying about injecting the wrong opcodes.  But I couldn’t.  So then I started thinking, “Is this what happens when you go crazy”.  “Will I wake up, insane”.  “What if I can never get control over my mind again”.

I always thought going John Nash crazy wouldn’t be so bad, at least it would be in brilliance; but now, I couldn’t imagine being stuck in a world where I knew I was trapped in my own mind, but couldn’t break free.

Have you ever started thinking so much that your head started to throb?  Burn?  Ache?  I felt like my CPU was overclocked, overheating and was about to core dump.

And then I crashed – I don’t remember how it resolved, or how long it went on, but I woke up this morning… a little ragged, with vivid memory of the whole ordeal.  Happy to report, that I am still part of The Matrix, and I’m not John Nash insane.

Maybe I should stop messing so much with my brain.  Maybe I should take a break from technology.

Nah.  Back to The Matrix.

Bubble sort in x86 ASM

[[NOTE: For a more efficient way to implement the bubble sort, see my later post]]

Why?  I have no idea.  It’s funny how many times I set off my AV scanner trying to compile and run my PE.  That brings back some great memories with the VCL.

I’m sure there are cleaner ways to do it – but right now, I’m just worried about making it work.  😉

NOTE: Written in FASM, and the training.inc can be found over at xorpd on git.

; Author J. Logiodice
; Date: 05/22/2016
; Purpose: Bubble sort
; This method will read in a series of TOTAL_NUMS numbers
; And bubble sort them, then print them out in sorted order to the screen
format PE console
entry start

include 'win32a.inc'

TOTAL_NUMS = 10 ;10

section '.bss' data readable writeable

array_numbers dd TOTAL_NUMS dup (?)
nMinus1Mem dd ?
boolSwapped dd ?

section '.text' code readable executable

start:

; Set up the loop variables
mov ecx, TOTAL_NUMS
mov esi, ecx
; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
; Read in one number at a time, for TOTAL_NUMS numbers, store them in the bytes that
; start with array_numbers
; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
loopRead:

dec esi

; read input into eax but first clear out eax
xor eax, eax
call read_hex

; move value into memory offset (reverse order)
mov dword [array_numbers + esi * 4], eax

loop loopRead

; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
; I am sure there is a more efficient way of doing this
; I will probably try and clean it up later, but for now it works.
; loop iteratively over the array until no more swapping occurs;
; each swap puts the larger value at the higher index,
; so the array ends up in ascending order by index
; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
; Set back up the loop variables
restartLoop:

mov ecx, TOTAL_NUMS
mov esi, ecx

; set the swapped variable to false
mov [boolSwapped], dword 0

loopSort:

dec esi
mov eax, esi
sub eax,1d

test esi, esi
jbe loopExit
mov edx, dword [array_numbers + eax * 4]
cmp edx, dword [array_numbers + esi * 4]
jbe noSwap
; if we get into this section, then swapping needs to occur
; set the boolSwapped to true
mov [boolSwapped], dword 1

; need to swap the two numbers
mov [nMinus1Mem], dword edx
mov edx, dword [array_numbers + esi * 4]
mov [array_numbers + eax * 4], dword edx
mov edx, dword [nMinus1Mem]
mov [array_numbers + esi * 4], dword edx
noSwap:
; jump here if no swapping needs to occur, but we’re still in the loop
loop loopSort

loopExit:

; if boolSwapped isn’t false, then we’ve swapped at least one
; during the iteration, let’s go through it one more time to make sure
; that we don’t have any more to swap
cmp [boolSwapped], 1b
jae restartLoop
; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
; Print each number back out to the screen
; we loop from the highest index down to index 0, which is the largest to smallest number
; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

;mov edi, array_numbers
mov ecx, TOTAL_NUMS
mov esi, ecx

loopPrint:

dec esi
mov eax, [array_numbers + esi * 4]
call print_eax

loop loopPrint

exit_prog:
push 0
call [ExitProcess]
include 'training.inc'

Ehrlich’s Binary Shirt

In case you are wondering:

01000010 = 42h = B (A)
01101001 = 69h = i (A)
01110100 = 74h = t (A)
01100011 = 63h = c (A)
01101111 = 6Fh = o (A)
01101001 = 69h = i (A)
01101110 = 6Eh = n (A)

You know what they say, there are only 10 types of people in the world: those who understand binary, and those who don’t.

Manipulating bits for fun [..and profit..?]

For years I’ve understood assembly enough to get by with debugging and disassembling when needed; I finally decided it was time to learn to write.

The world of the computer language is intriguing, easy and frustrating all at the same time. Here are two equivalent pieces of code; they do the same two very simple things in slightly different ways.

The first I wrote interpreting from a higher-level language that I can read & write (C); the second was the code rewritten to be more compact.

Why?  I don’t know… just because….  at what point would I ever use this newly acquired(ing) skill for something valuable…  I guess we’ll see…

assembly code

 

The end of the world as we know it – or the dawning of a new age?

Artificial Intelligence might bring immortality or it might as easily bring imminent destruction of the human race.

For an accessible quick read regarding this topic, you can check out the U.S. News article We all may be dead in 2050.

If you are interested in going a bit deeper regarding the precarious position the human race is in and the challenges to be overcome as we move into this new age of enlightenment – check out the book Superintelligence by Nick Bostrom.

 

Layer 8 security: hacked by email.

Last week I received a letter in the mail claiming to be from the city of Suffolk.  They want me to pay a tax on my cars.  The tax is less than $100, but you know what; I already paid a fee to register my cars.  Perhaps the request is legit, but it seems just a little bit suspicious.  What if that letter came through email with a link to click for me to make a PayPal payment?  Is email any more secure than the US Postal service?  How do you know the letter, or the email, that claims to have come from a certain person actually came from that person?  The postal system, like the internet, is kind of the wild, wild west.

There are plenty of technologies that can help solve this issue – if someone expresses interest, I would be happy to dig into those technologies in the near future.  However, as a quick way to raise your awareness of the dangers of trusting email (or snail mail) without a discerning eye, pop over to the New York Times and read the post about the Magazine Publisher that just lost 1.5 Million dollars due to an email scam.

The short story:

Someone hacked into the email of the CEO and sent an email to the Accounts Payable department to wire 1.5 million dollars to an offshore Chinese bank account.

The dutiful employee complied.

The problem here is not that someone hacked the CEO’s email, this type of stuff happens every single day in the real world.  The problem is that the receiver on the other end didn’t apply any type of analysis or intelligence to the request (e.g. is this risky, is this unusual?).  It is interesting to note that the “CEO” sent a second email to Accounts Payable.  This second employee thought “Hey, this seems odd, maybe I should double check with the CEO”.

Result: 1.5 Million dollars saved.

Who knows, perhaps a 1.5 million dollar transfer request through email was a normal day in the Accounts Payable office of Bonnier Publications.  If so, shame on them (see the opening paragraph).

Summary:  Enterprise organizations need to eliminate email from their business processes, both from an efficiency and a security perspective.  As an individual, you need to approach email with a certain amount of discernment, even if it appears to come from a trusted individual (see the opening paragraph).

I promise not to send you email from your boss asking you to buy lunch for the office: but I can’t speak for everyone.

Asking a few additional questions might just save your company 1.5 million dollars.

Remember: Security is everyone’s responsibility.

Is security your responsibility? The case of the insecure security system.

I have recently contracted with a local security company to install a fairly extensive security system into my home. The system cost thousands upon thousands of dollars, and is made by one of the top brands in home security systems. This system provides full automation, including video monitoring and recording with coverage both outside and inside my home. I have large screen TVs that display every angle at the touch of a button, I have programming interfaces which allow me to extend the capabilities of the system limited only by what I am able to cook up in today’s Z-wave enabled IoT platforms. I can monitor my home from my bedroom or 2,500 miles away – it makes no difference. This is the ultimate enabler for the security conscious home owner.

There is however, one big problem about my home security system… the system is not secure.

Wait, what? I am saying that one of the top brands of home security companies is putting security systems onto the market that are not secure? Yes, that is what I am saying: my home security system has not been designed by the manufacturer nor configured by the installer in a secure fashion. In essence, the moat around my castle has multiple unprotected drawbridges by which a minimally savvy technical person could enter and plunder booty. My booty.

Interestingly, the installer has taken a fairly disinterested stance stating that technology changes so fast and they can’t be expected to understand how to secure computerized and network devices. I feel their pain. The manufacturer will (once I contact them) undoubtedly take the position that there are WAYS to secure the system, so the problem is due to the lack of knowledge and understanding of the installer. The homeowner is a consumer and expects that the security system they have contracted out for, will allow them to secure their homes. Everyone has been fooled.

Unfortunately, they are all right and all wrong at the same time. There are technologies and architectures that could be layered on the home security system that would ALLOW the installer to install and configure the security system in a secure fashion, and the homeowner should be savvy enough about their own personal security that they should spend some time asking questions and understanding the technology they are using. And yet, there is a significant lack of knowledge that intersects between understanding how information security and physical security need to coexist.

This has got to change.

This past week, I spent the week at Gartner’s 2015 Risk Management Summit. Gartner has decided it is now time to stress the fact that Physical Security and Information Security need to work together for the health and safety of the world. This is exacerbated by computerized healthcare devices, and computerized cars; and it is only going to get more and more challenging and risky as the physical and digital worlds amalgamate.

So, here is the question: when someone exploits the weaknesses of my home security system and breaks into my home and destroys or plunders whatever it is that I hold dear… who is responsible? Is it the manufacturer that has created a system that can easily be poorly installed and configured, is it the installer who trusts the manufacturer and knows only how to crimp the wires and program the interface, or perhaps it is the homeowner who has put their trust in the installer and only knows how to click a few buttons?

The answer is “yes”: the security of the home system is the responsibility of the installer, the manufacturer and the home owner.  It comes down to this:  trust, but verify.

Security is everyone’s responsibility.

Check back in a few weeks; once I have an opportunity to secure the vulnerabilities introduced by the manufacturer and the installer; I plan on documenting what the issues were, and if you have this security system, what you can do to protect your home, and more specifically, the types of questions you should continue to ask yourself as your digital lines continue to blur.

It is all about education.

 

 

No it is not ok to email me my Credit Card Number…

This is a copy of an actual email I had to send today…  I guess there are still a lot of people out there that do not understand the perils of the internet.

[Name removed] –

Good evening.  Thank you for emailing the rental confirmation:  however, I am surprised and disappointed that the image attached to the confirmation email contained the credit card number we used to book the rental property.  By trade, I am an information security technologist – I protect computer systems and data assets from digital theft.

Your email to my wife provided everything necessary for a digital thief to not only commit fraud against my credit card company, in my name, but it also encourages identity theft, as you included personally identifiable information and financial information within the attached image.

Unless very specific precautions are taken, email is an insecure medium and it should be assumed that the contents of email are made publicly available on the internet.

As a secondary example to underline the importance of discouraging the emailing of sensitive information, you accidentally misaddressed the email (sent to *******@******.com rather than ******@*****.com).  While the email was still redirected to a domain I have ownership in, because of my specific configuration, the email could have just as easily, sans my configuration, resulted in a scenario where my credit card was sent to some random person somewhere out on the internet.

As a necessary precaution, I now have to cancel my credit card, get a new card reissued, and go through the long and time consuming process of updating all my billing relationships – a set of tasks I had not planned on spending my evening completing.

I would recommend, in the future, that the practice of emailing sensitive information (such as credit card numbers) be eliminated from HOA procedures.

Thank you.

[Signed]