Shmoocon 2012: Attacking Proximity Card Systems

Brad Antoniewicz of Foundstone presented at Shmoocon on attacking proximity card systems.   HID is the most well known brand of cards.   We’ll see if I can summarize accurately. Like the virtual pickpocketing of credit cards, and bad guy can also clone proximity cards.   As some buildings, outside work hours you need a badge and PIN to enter the premises.   But …

Continue reading ‘Shmoocon 2012: Attacking Proximity Card Systems’ »

Autorun Attacks on Ubuntu

Just last week I was talking with a co-worker about the possibility of USB attacks on his Ubuntu laptop.   Using USB drives on Linux used to involve knowing mount commands.  Now it’s plug and play.   In the Infosec world, everything old is new again, so wondered whether some old Windows vulnerabilities would resurface now that …

Continue reading ‘Autorun Attacks on Ubuntu’ »

Pwned by Copier

 At Shmoocon 2011,   Deral Heiland “PercX” and Pete Arzamendi “Bokojan” gave a presentation titled, Printer to PWND: Leveraging Multifunction Printers During Penetration Testing.  I was watching via the live streaming.   There were some audio issues on the live stream for the first couple of slides. Basically, they’ve found two key things.   Most enterprises aren’t updating their multifunction …

Continue reading ‘Pwned by Copier’ »

OpenDLP – Shmoocon 2011

Andrew Gavin presented on OpenDLP at Shmoocon 2011 today in Washington DC.  From an attackers or pentester’s perspective, you’ve gained access, now how do you gather information.   From a defender’s perspective, how can you find out where people have files that they shouldn’t.     OpenDLP has two components; an agent and a website.   The website is used to configure, …

Continue reading ‘OpenDLP – Shmoocon 2011’ »

Social Skills and the Security Professional

Just how important is it for the Security Professional to have social skills? It seems like a broken record. In addition to having degrees, certifications and experience. We are now supposed to glide seamlessly into the board room and converse equally well about business units and legal briefs. Its not enough to be technically competent, …

Continue reading ‘Social Skills and the Security Professional’ »

Shmoocon 2009 Day 3

Enough with the Insanity: Dictionary Base Rainbow Tables by Matt Weir http://reusablesec.googlepages.com/ Defense against offline password cracking 1. salt 2. Make it computationally expensive, 100 X SHA1. Unless of course you salt it wrong. WPA and WPA2 keys are salted with the SSID. NTLM uses the username as a salt. The Problems with Rainbow Tables …

Continue reading ‘Shmoocon 2009 Day 3’ »