It has been absolutely ages since I have written a blog post – genuinely I really havent simply been slacking off, i’ve just been busy! Anyway, figured it was time to do a writeup on some stuff I have been working on. (Please note this is almost the exact same post from the Paterva blog).
Predominately I want to show you some of the work we had to do for Blackhat 2013 – my first BH talk ever! My section of the work was what we ended up calling ‘KingPhisher’ as well as the multi-threaded Python script to crawl websites for some parts of ‘Teeth’ (Roelof’s offensive Maltego transforms).
A common Paterva office treat is that if you make a mistake or if the other person can catch you out at anything you have to make tea (the amount of times I make tea is inversely proportional to how long I have been at Paterva!). This included phishing. Many years ago we would try trick each other into clicking on links. Most security people will agree with us when we say that if you have enough context on a person you can craft an email and include a link on which they *will* click. Additionally we have used Maltego to gain context on people for a while, specifically using social networks (including transforms provided commercially via the SocialNet package). We also accept that there are certain types of mail we seldomly check (in terms of headers/other), we have been semi-programmed by automatic spam filtering and anti-virus to notify us if something is bad. Bottom line — we don’t inspect every link on every mail and we doubt if you do too.
So with this in mind we decided to integrate the two sides – 1) targeted phishing attacks and 2) information gathering in Maltego.
I see I haven’t update this blog in ages, I’d love to say I didn’t have enough time, but it was mostly just me being.. well lazy.
Zacon IV was on the 27th of October ( http://www.zacon.org.za/about.html ) and was really great, had a super time and met some great people. My talk covered a bunch of the stuff I did on the blog and essentially these sections:
* Lockpicking (briefly)
* Magstripes (reading + spoofing)
* RTLSDR (listening to guards)
* RFID (proxmark – bypassing LF EM4x door locks)
* RFCat (spoofing remotes)
It went relatively well apart from a few small demo problems (such as not being able to spoof a magnetic stripe – turned the volume down by mistake when I tried to show it! *doh*). The video of the talk can be seen here:
This is just an update on the Arduino watering system, everything seems to be going well whilst I am away (I am away for ~a month, till the end of Blackhat / Defcon). In winter the plants don’t require nearly as much water and it seems that after 8 days the water level has dropped only 11.5cm in a reservoir ( read orange bucket ) that is about 60cm across. The orange container is smaller at the bottom, probably around 45cm so an guestimated average of say 50cm for the diameter.
At this stage I was going to do the math to work out how much water had be consumed minus that of evaporation, but I’m too lazy right now.
At this rate that container should keep the 4 plants near it (tomato, chilli, orange, peppers) as well as the palm and the 2 trays as well as the random flower going for about 6 weeks!
zacon – http://www.zacon.org.za/ – is just around the corner now, so badge submission went out. Wasn’t particularly inspired but i hacked together 3 diff ones, now we just wait and see.
Decided to go with the Spy badges, what do you think?
So its been ages since i last blogged, and i am determined to try do this more regularly since it will probably get me onto doing more stuff!
This is pretty much the first thing i built with the Arduino – the idea was to make a budget IPCam with a web interface that i could connect to from anywhere and have the ability to pan and tilt my camera. Since i was in the budget price range i did also look at what was available off the shelf — and it sucks, bad quality, slow response time, no lose wires to show, all things i’m not really interested in.
I’ve split this into 3 sections just to make sure that this doesnt become a massively long blogpost:
This is that cool part where you watch the video, unfortunately i haven’t got round to making one yet.. but when i do, its going here! For now, its in pictures (the webinterface and the actual device):
Not the quickest of cats
on the best of days.