Shmoocon 2016: Phishing For The Phishers

After years of ignoring the emails it’s finally time to get into a conversation with that Nigerian prince you keep hearing from. Robbie Gallagher — an Application Security Engineer with Atlassian in Austin, TX — wanted to find out where perpetrators of phishing emails actually live. Of course you can’t count on the headers of the emails they send you. A better way to track them down is to actually draw them into a conversation, and this means making yourself a juicy target.

Robbie gave an excellent talk on his project Honey-Phish at this year’s Shmoocon. Part of what made it stand out is his narrative on each step of exploring the social engineering technique. For instance, there is already a vibrant community that specializes in forming relationships with scammers. Those who frequent 419 Eater have literally made it into a sport called Scambaiting. The ultimate goal, to prove you’ve baited a scammer, is to get the person to take a picture of themselves balancing something on their head. Now the image at the top of this post makes sense, right?

Writing personal emails to your scammer is a great system if you have a lot of time and only want to track down one scammer at a time. Robbie wants to catalog geographic locations for as many as possible and this means automation. Amusingly, the solution is to Phish for Phishers. By automating responses to phishing emails, and enticing the people originating those phishing scams to click on a link, you can ascertain their physical location.


Shmoocon 2016: Z-Wave Protocol Hacked With SDR

The first talk at 2016 Shmoocon was a great one. Joseph Hall and Ben Ramsey presented their work hacking Z-Wave, a network that has been gaining a huge market share in both consumer and industrial connected devices. EZ-Wave uses commodity Software Defined Radio to exploit Z-Wave networks. This is not limited to sniffing; it can also be used for control, with the potential for mayhem.


Wolfenstein In 600 Lines Of Code

What’s more impressive, the fact that this Wolfenstein-like game is 600 lines of code, or that it’s written in AWK?

AWK is a language primarily used for text processing. But if you can write code, the world bows to your wishes. [Fedor Kalugin] leverages the ability of a Linux terminal’s color options to draw his game. The 3D aspect is produced through ray-casting, which generates a 2D image from 3D coordinates.

Trying out the game is extremely simple, install gawk, clone the repo, and play:


Rehabbing An Historic Tool From Champion Blower And Forge Co.

Here’s a tale that warms our hearts. [Gord] is helping out the local living-history museum by rehabbing a historic woodworking tool that they want to add to their live demo woodshop. It’s a hundred-year-old manual drill press that has seen a ton of use.

There are three things that [Gord] has going for him. First off, the Champion Blower and Forge Co. built them to last. Second, he’s not really working on a deadline; the museum doesn’t need it back until May. And third, [Gord] has the tools he needs to do this right.

After cleaning and blasting, [Gord] gets down to the really interesting repairs. First off, it wouldn’t be a drill press if someone hadn’t tried to drill through the table at some point. TIG welding filled it up and some milling brought it back. This same method was used again to make a beautiful custom replacement ACME rod. Throw in a custom bushing replacement, a turned wooden handle, and several other fabricated parts, and [Gord] had the press working again. Check out the mechanism in the video below, which shows how the crank action turns the bit while a cam advances it through the work piece.


Donuts Of ShmooCon

This weekend is ShmooCon, a hacker convention held in Washington DC. Brian Benchoff and I will be there, both of us for the first time. We’d love your input on what talks look the most interesting. Check out the schedule of speakers, then leave a comment below to let us know which talks you think we should cover.

It’s great hearing the big presentations, but I find a lot of times great hacks can be found in smaller venues, or just by walking around. Two examples from 2015 DEF CON: the best talk I sat in on had about 10 people spectating in the IoT village, and I had a great time trying to track down everyone who had an unofficial hardware badge. If you’re at ShmooCon and have something to show off, please find us (@szczys, @bbenchoff)!

On Saturday join us for a Hackaday meetup in the lobby of the Washington Hilton. ShmooCon is well-regarded for the quality of its “lobby-con”, what better place to gather? Look for the Hackaday crowd starting Saturday 1/16 at 8:45am. We’ll bring the donuts, and some swag like Hackaday Omnibus Vol. 02 and of course, some Jolly Wrencher stickers.

LUX Searches In The Deep For Dark Matter

The Homestake Mine started yielding gold in 1876. If you had asked George Hearst, the operator at the time, if the mine would someday yield the secrets of the universe I bet he would have laughed you out of the room. But sure enough, by 1960 a laboratory deep in the mine started doing just that. Many experiments have been conducted there in the five and a half decades since. The Large Underground Xenon (LUX) experiment is one of them, and has been running in what is now called the Sanford Underground Research Facility (SURF) for about four years. LUX’s first round of data was collected in 2013, with the experiment and the rest of the data slated to conclude in 2016. The method, hardware, and results wrapped up in LUX are utterly fascinating.


Free Cell Data Transfer With Slowest Morse Code Ever

Readers of a certain age will remember the payphone trick of letting the phone ring once and then hanging up to get your quarter back. This technique was used with a pre-planned call time to let someone know you made it or you were okay without accruing the cost of a telephone call. As long as nobody answered you didn’t have to pay for the call, and that continues to be the case with some pay-per-minute cellphone plans.

This is the concept behind [Antonio Ospite’s] ringtone data transfer project called SaveMySugar. Don’t judge him, this work has been ongoing for around ten years and started back when cellphone minutes were a concern. We’re just excited to see that he got the excruciatingly slow thing to work.

Those wanting to dig down to the nitty-gritty of the protocol (and you should be one of them) will want to read through the main project page. The system works by dialing the cellphone, letting it ring once, then hanging up. The time between redials determines a Morse code dot, dash, or separation between characters. Because you can’t precisely determine how long it will take each connection to read, [Antonio] built ‘noise’ measurement into the system to normalize variations. The resulting data transfer works quite well. He was able to transfer the word “CODEX” in just six minutes and thirty seconds. But it is automatic, so what do you care? See the edge-of-your-seat-action play out in the video below.

If you can’t stomach that baud, here’s a faster Morse code data transmitter but it doesn’t use the phone.
