Articles & Presentations

Wednesday, March 30, 2011

(F) Qualys Browser Check will keep your browser plug-ins up to date





We all use web browsers these days. Many of us know, but many don't, that browsers use plug-in software that is added to the browser to perform additional tasks and add features. NoScript for Firefox blocks scripting on websites and is a must for every Firefox user. The Foxit PDF plug-in adds PDF viewing if you are like me and do NOT use Adobe Reader, and so forth.

These plug-ins need to be updated like any other software. That can be daunting to some, not obvious to others and hard for many more, since things should just work.

Well, Qualys has taken the step of automating this for you by providing a plug-in that will look at your plug-ins for various browsers (no iDevices yet) and keep the plug-ins updated. Below is a list of supported browsers and OS versions.


Qualys Browser check website

#InfoSec #Qualys #BrowserCheck

Tuesday, March 29, 2011

Join us on the PaulDotCom Podcast to discuss our Key Card exploit - Thurs




Join Ian and me as we discuss our Card Key, or Electronic Access Control (EAC), system exploit with the crew of PaulDotCom, recipient of the RSA Conference Social Security Award for 'Best Security Podcast'. Grab a beer... a good one! And join us in our discussion with Paul, Larry, John and the rest of the beer-drinking, security-chatting, thought-provoking PaulDotCom crew. It should be fun!

Thursday 3/31/2011 - 7:30pm EDT

Watch the LIVE VideoCast

PaulDotCom Episode 237 Show Notes

#InfoSec #Caribou #CardKey #PaulDotCom

Monday, March 28, 2011

(W) Kaba locks hit with lawsuit - Claims secure locks can be opened with magnets




Well, it is good to know that our Card Key exploit is not the only one making the news... Kaba, a maker of those locks you see everywhere where you punch in a 4-digit code to unlock the door, has been hit with a class action lawsuit from its users due to the fact that the so-called 'Super Secure' lock can be opened with a magnet.

If a vendor knows of an issue, they really should create a remediation plan, notify their users and do a little PR to get the word out. Charge cost for the fix and keep the attorneys off your back...

Forbes article on the Kaba lock issue and fix

Slides on the exploit

Website on Kaba flaw

Kaba Simplex locks webpage
#InfoSec #Kaba #Lock

Friday, March 25, 2011

PaulDotCom.com Podcast discusses Our Card Key Hack




Larry Pesce from the PaulDotCom Podcast, in episode 235 (around the 27-minutes-left mark of Part 2), discussed our Caribou App and Card Key system hack. Larry referred to it as a little 'shenanigans' since he cannot see the Android application code to verify it is really real... You gotta love InfoSec when we doubt ourselves... I guess the YouTube and Vimeo videos are not enough.

I sent them an email clarifying and expanding on some information. We shall see if they respond with an interview or more questions...

PaulDotCom Episode 235 notes
#InfoSec #Caribou #PaulDotCom #HackerHurricane

Thursday, March 24, 2011

(U) Firefox 4 adds speed and more security




Firefox has released version 4 of the popular browser and it includes more user security, some of which you won't even notice.

I have been playing with it for a few days now and it is significantly faster on some websites that were dogs before.

SANS has a good overview of the new security features.

SANS Article

#InfoSec #FireFox

Wednesday, March 23, 2011

WiFi Hacking legal in Holland




You have to love the Dutch! In the US you can no longer use open WiFi if it was not intended to be open.. The problem is, how does the average shmoo know that a WiFi network is open to the public or closed?

Like a business, you would be arrested if you broke into that business, but if it was open, the door unlocked, you are good to walk right in. Why is WiFi not treated like a business? If the door is open, or the WiFi open, you are 100% legal IMHO. Laws are screwy in this space and need to put the focus on the store owner to lock their door AND their WiFi, then if you hack or break-in, you are doing illegal activity. The Dutch Rock !

One of the things in our line of work that just irks me... Stoopid laws that have no idea the real application. Free WiFi and make it illegal NOT to secure your WiFi network, or it is considered open and FREE!!!


Darknet article

#InfoSec #WiFi #Hacking

Tuesday, March 22, 2011

(W) OK Amazon, really.. Unknown Source App Store? WTF




Well, talk about 'Failure' with a capital 'F'. Amazon thrilled many, I am sure, with the launch of a new Android App Store... BUT... In their ultimate wisdom, the way they chose to enable it poses a risk to ALL Android users who install the App, due to their implementation and WONDERFULLY POOR instructions.



So let me get this straight... You want us all to enable 'Unknown Sources' Market applications so that the Amazon App can be installed? Is Amazon aware of where Malware on Android phones comes from? Uhhh, UNTRUSTED / UNKNOWN SOURCES!!! Really, Amazon, this is the best you can do? Tell people to turn this on and NOT turn it off?

Here is the email they actually sent to users.


How about a step to RE-SECURE the device - seriously? Oh yeah, you can't...It has to stay this way.

#InfoSec #Amazon #AndroidStore #UntrustedSource


Saturday, March 19, 2011

My take on the RSA breach...




I am catching up on the info around the breach of the RSA Token information and I think RSA has an opportunity here... The Tokens that we all used at some point over our IT careers are, well, dead as we know them... Not just because their secret sauce formula fancy algorithm is now not so secret, or we must assume it is not, but because technology has changed, and RSA should directly compete with what VeriSign, now Symantec, has done with the VeriSign Identity Protection (VIP) device in making it an App available on most smartphones. Not to mention integration into my favorite Security DoDad, the YubiKey.

It is time for RSA to dump the Token and go to the software App. Now if a breach were to occur, they would only need to update the application instead of re-issuing costly hardware tokens that we don't really want to carry around on our keychains.

But first, RSA must admit what has occurred, be honest and admit the impact to their client base, and then explain how they plan to remediate or fix the issue.

They have lost the trust of two-factor authentication users, but Sh*+ happens, it is how RSA reacts that matters now.

Time is a tickin RSA....

#InfoSec #RSA #Breach

Thursday, March 17, 2011

Engadget posts our Card Key Exploit


Engadget today posted an article on our security research efforts around Card Key exploitation... read it here:
Engadget article on Card Key Exploit

Card Key Exploit verified by Pen Test expert

Here is an update...  A Pen Test expert verified that our Card Key exploit is indeed real... Watch his video...

Card system hacked. from David Bryan on Vimeo.

BSides Austin 2011 captured on film... errr... Digitally

Here are some pictures capturing the GREAT time we had at BSides Austin 2011.

BSides Pics

BSides Handcuff Lock Pick Village competition

Did we have fun at BSides Austin 2011? You bet we did!!! I would go as far as saying... It was a LOCK that you would have a good time.

Handcuff pick contest

BSides Austin Slideshow

Here you go...  A slideshow summary of the fun we had at BSides Austin!

BSides Austin 2011 Animoto

Tuesday, March 15, 2011

Card Key exploit getting some press




Our announcement of a vulnerability in a key card system is making news around the Android news sites...

PC Magazine Security Watch Blog

Android Developer Forum Article

Android Central article

Talk Droid article

The Android article

Twitter Tweets on the subject

Before you ask again, 'No we will not release the APK'. We believe in responsible disclosure and that does not include giving away an exploit that would put a vendor and their systems at risk.

Only once the information has been fully shared with the vendors, and all vulnerabilities have been remediated or actions a user can take to protect themselves have been identified, would we discuss the details, but hey... Thanks for asking.

If you want to be on our list to be notified of new documentation, feel free to send us an email from your organization's Chief Security Officer (CSO), CEO or equivalent that can be verified. Once verified, we will add you to the list once we publish so you can check your environment for any vulnerable systems.

Until then, watch our Blogs.

#InfoSec

Some comments from attendees at BSides Austin 2011




Here is a Vid that Dominique @SecurityScore posted on our comments about #BSidesAustin. I think they liked it!

BSides Austin interviews

#BSidesChicago is coming up !

#InfoSec

Sunday, March 13, 2011

(W) My security research discovers major provider of card key systems can be exploited




At my Saturday morning presentation at #BSidesAustin I disclosed that a major provider of Card Key systems can be exploited knowing little more than the system's IP address and possibly guessing a few other settings.

In the course of finding the vulnerability and doing additional research, we decided to see if the vulnerability could be exploited using a script... One thing led to another, and my friend and fellow security researcher Ian Robertson successfully exploited the same Card Key system using a Java-based application he created for an Android-based phone, dubbed 'Caribou'.

Caribou is a 'proof-of-concept' and is not available to the public. You can view the video here:

Video on card Key exploit

Caribou


Caribou is an Android-based application written by security researcher Ian Robertson as a proof-of-concept demonstration of the incredibly poor security controls in use on widely popular cardkey door control systems.

By providing Caribou only with the IP address of the target cardkey device, a single-button "Unlock" will access the cardkey system, unlock all available doors in sequence, allow 30 seconds for entry, and then re-lock all those same doors. Caribou has the capability of performing a brute-force of any customized security PIN used with the system.

You can read more on Ian's website:

Cyber Security Guy website

If you have a cardkey access system, or any other security system which is accessible on the Internet, check out the important tips in 'Safeguarding your Homeowners Association and Common Areas' on Ian's website.

Both security researchers are actively engaged with US-CERT and the manufacturers in order to improve the security of the products and provide better documentation and instructions to system installers.

#InfoSec #BSidesAustin

Monday, March 7, 2011

(C) Ready for BSides Austin this Fri & Sat?





Are you ready for some full disclosure? Come see my preso on multiple vulnerabilities of a large vendor Card Key system that allow total P0wnage, not one, but two ways!

#InfoSec #BSidesAustin

Wednesday, March 2, 2011

(C) BSides Austin next week !!!




OK everyone, BSides Austin is shaping up nicely.. Come learn something Geeky and Weird about Information Security!!!

I will be presenting a Card Key system Exploit that provides complete Command and Control.

#InfoSec