Airport Runways And Hashtags — How To Become A Social Engineer

Of the $11.7 million companies lose to cyber attacks each year, an estimated 90% begin with a phone call or a chat with support, showing that the human factor is clearly an important facet of security and that security training is seriously lacking in most companies. Between open-source intelligence (OSINT) — the data that leaks out to public sources just waiting to be collected — and social engineering — manipulating people into telling you what you want to know — there’s much about information security that has nothing to do with strong login credentials or VPNs.

There’s great training available if you know where to look. The first time I heard about WISP (Women in Security and Privacy) was last June on Twitter when they announced their first-ever DEFCON Scholarship. As one of 57 lucky participants, I had the chance to attend my first DEFCON and Black Hat, and learn about their organization.

Apart from awarding scholarships to security conferences, WISP also runs regional workshops in lockpicking, security research, cryptography, and other security-related topics. They recently hosted an OSINT and Social Engineering talk in San Francisco, where Rachel Tobac (three-time DEFCON Social Engineering CTF winner and WISP Board Member) spoke about Robert Cialdini’s principles of persuasion and their relevance in social engineering.

Cialdini is a psychologist known for his writings on how persuasion works — one of the core skills of social engineering. It is important to note that while Cialdini’s principles are being applied in the context of social engineering, they are also useful for other means of persuasion, such as bartering for a better price at an open market or convincing a child to finish their vegetables. It is recommended that they are used for legal purposes and that they result in positive consequences for targets. Let’s work through the major points from Tobac’s talk and see if we can learn a little bit about this craft.


Circuit VR: Advanced Falstad Logic With Geniac

I find that if I’m trying to make a point with a student or a colleague about a circuit, sometimes the Falstad online simulator is worth a few thousand words. You can draw the circuit, play with the values, and even see the current flow in an intuitive way as well as make traditional measurements. The simulator not only handles analog but also digital circuits. At first glance, though, the digital functions appear limited, but if you dig deeper, there is a custom logic block that can really help. I dug into this — and into how switches work in the simulator — the other day in response to a Hackaday post. If you use Falstad, read on!


Cheap Electric Scooter Gets A Big Brake Upgrade; Unlocks Proper Drift Mode

The last few years have seen a huge rise in the prominence of electric scooters. Brushless motors, lithium batteries, and scooter sharing companies have brought them to the mainstream. However, electric scooters of a variety of designs have been around for a long time, spawning a dedicated subculture of hackers intent on getting the best out of them.

One such hacker is yours truly, having started by modifying basic kick scooters with a variety of propulsion systems way back in 2009. After growing frustrated with the limitations of creating high-speed rotating assemblies without machine tools, I turned my eye to what was commercially available. With my first engineering paycheck under my belt, I bought myself a Razor E300, and was promptly disappointed by the performance. Naturally, hacking ensued as the lead-acid batteries were jettisoned for lithium replacements.

Over the years, batteries, controllers and even the big old heavy brushed motor were replaced. The basic mechanical layout was sound, making it easy to make changes with simple hand tools. As acceleration became violent and top speeds inched closer to 40 km/h, I began to grow increasingly frustrated with the scooter’s one glaring major flaw. It was time to fix the brakes.


Blacksmithing For The Uninitiated: Curves And Rings

You know the funny looking side of the anvil? That’s where the best curves come from. It’s called the anvil horn and is the blacksmith’s friend when bending steel and shaping it into curves.

The principle of bending a piece of steel stock is very easy to understand. Heat it up to temperature, and hammer it over a curved profile to the intended shape. A gentler touch is required than when you are shaping metal. That’s because the intent is to bend the metal rather than deform it. Let’s take a look!


Linux Fu: Named Pipe Dreams

If you use just about any modern command line, you probably understand the idea of pipes. Pipes are the ability to connect the output from one program to the input of another. For example, you can more easily review contents of a large directory on a Linux machine by connecting two simple commands using a pipe:

ls | less

This command runs ls and sends its output to the input of the less program. In Linux, both commands run at once and output from ls immediately appears as the input of less. From the user’s point of view it’s a single operation. In contrast, under regular old MSDOS, two steps would be necessary to run these commands:

ls > SOME_TEMP_FILE
less < SOME_TEMP_FILE

The big difference is that ls will run to completion, saving its output to a file. Then the less command runs and reads the file. The result is the same, but the timing isn’t.

You may be wondering why I’m explaining such a simple concept. There’s another type of pipe that isn’t as often used: a named pipe. The normal pipes are attached to a pair of commands. However, a named pipe has a life of its own. Any number of processes can write to it and read from it. Learning the ways of named pipes will certainly up your Linux-Fu, so let’s jump in!


Reverse Engineering Cyclic Redundancy Codes

Cyclic redundancy codes (CRC) are a type of checksum commonly used to detect errors in data transmission. For instance, every Ethernet packet that brought you the web page you’re reading now carried with it a frame check sequence that was calculated using a CRC algorithm. Any corrupted packets that failed the check were discarded, and the missing data was detected and re-sent by higher-level protocols. While Ethernet uses a particularly common CRC, there are many, many different possibilities. When you’re reverse-engineering a protocol that contains a CRC, although it’s not intended as a security mechanism, it can throw a wrench in your plans. Luckily, if you know the right tool, you can figure it out from just a few sample messages.

A case in point was discussed recently on the hackaday.io Hack Chat, where [Thomas Flayols] came for help reverse engineering the protocol for some RFID tags used for race timing. Let’s have a look at the CRC, how it is commonly used, and how you can reverse-engineer a protocol that includes one, using [Thomas’] application as an example.


Making A Mediaeval Nail

If for some reason I were to acknowledge the inevitability of encroaching middle age and abandon the hardware hacker community for the more sedate world of historical recreation, I know exactly which band of enthusiasts I’d join and what period I would specialise in. Not for me the lure of a stately home in Regency England or the Royal court of Tudor London, despite the really cool outfits; instead I would head directly for the 14th century and the reign of King Edward the Third, to play the part of a blacksmith’s wife making nails. It seems apposite to pick the year 1337, doesn’t it?

The woman blacksmith forging a nail depicted in the Holkham Bible. British Library (Public domain)

Why am I so sure? To answer that I must take you to the British Library, and open the pages of the Holkham Bible. This is an illustrated book of Biblical stories from the years around 1330, and it is notable for the extent and quality of its illuminations. All of mediaeval life is there, sharply observed in beautiful colour, for among the Biblical scenes there are contemporary images of the people who would have inhabited the world of whichever monks created it. One of its more famous pages is the one that caught my eye, because it depicts a woman wearing a blacksmith’s apron over her dress while she operates a forge. She’s a blacksmith’s wife, and she’s forging a mediaeval carpenter’s nail. The historians tell us that this was an activity seen as women’s work because the nails used in the Crucifixion were reputed to have been forged by a woman, and for that reason she is depicted as something of an ugly crone. Thanks, unknown mediaeval monk, you really don’t want to know how this lady blacksmith would draw you!