This File Will Self-Destruct In 24 Hours

February 4, 2016 by Anool Mahidharia 75 Comments

[menkveldj] built a service that encrypts files which self destruct in 24 hours. The download link can only be used once. If the wrong people were to get the link and download the file, they’d need many years on a pretty powerful computer to crack the 256AES encryption.

The sender shares a file that is encrypted client side using a password generated Pbkdf2 key to encrypt the data before uploading it to the s3 storage service. The sender is then provided the one-time-use link to share with the recipient. After the first download, or 24 hours, the link and the encrypted file are both deleted. The receiver must enter the same password to decrypt and recover the file. No one but the sharer and receiver know what the actual file is.

It’s still work in progress, so chime in with your comments and suggestions. To dig into the code, check out his repository on Github, which also has instructions to build and run it if you’d like to do your own version.

Oh, and you’ll like this. If want to thumb your nose at the powers that be, the site has a redirect for the whimsical domain: NSAfu.com.

“Hello Barbie” Not An IoT Nightmare After All

January 29, 2016 by Elliot Williams 25 Comments

Security researchers can be a grim crowd. Everything, when looked at closely enough, is insecure at some level, and this leads to a lot of pessimism in the industry. So it’s a bit of a shock to see a security report that’s filled with neither doom nor gloom.

We’d previously covered Somerset Recon’s initial teardown of “Hello Barbie” and were waiting with bated breath for the firmware dump and some real reverse engineering. Well, it happened and basically everything looks alright (PDF report). The Somerset folks desoldered the chip, dumped the flash ROM, and when the IDA-dust settled, Mattel used firmware that’s similar to what everyone else uses to run Amazon cloud service agents, but aimed at the “toytalk.com” network instead. In short, it uses a tested and basically sound firmware.

The web services that the creepy talking doll connected to were another story, and were full of holes that were being actively patched throughout Somerset’s investigation, but we were only really interested in the firmware anyway, and that looked OK. Not everything is horror stories in IoT security. Some stories do have a happy ending. Barbie can sleep well tonight.

Fingerprint Scanner For Laptop And Raspberry Pi (or Giving The Finger To Your Computer)

January 29, 2016 by Rud Merriam 28 Comments

We’ve got two hacks in one from [Serge Rabyking] on fingerprint scanning. Just before leaving on a trip he bought a laptop on the cheap. He didn’t pay much attention to the features and was disappointed it didn’t have a fingerprint scanner. Working in Linux he uses sudo a lot and typing the password is a hassle. Previously he just swiped his finger on the scanner and execution continued.

He found a cheap replacement fingerprint scanner on hacker’s heaven, also known as eBay. It had four wires attached to a 16 pin connector. Investigation on the scanner end showed the outer pair were power and ground which made [Serge] suspect it was a USB device. Wiring up a USB connector and trying it the device was recognized but with a lot of errors. He swapped the signal lines and everything was perfect. He had sudo at his finger tip.

Next he wonder if it would work with a Raspberry Pi. He installed the necessary fingerprint scanning software, ran the enrollment for a finger, and it, not terribly surprisingly, worked.

On Linux the command fprintd-enroll reads and stores the fingerprint information. By default it scans and saves the right index finger but all ten fingers can be scanned and stored. Use libpam-fprintd to enable account login using a finger. Anyone know how you can trigger other events using a different finger? A quick search didn’t turn up any results.

In true hacker style, [Serge] created his own fingerprint reader from a replacement part. But you can jump start your finger usage by purchasing one of many inexpensive available readers.

TP-LINK’s WiFi Defaults To Worst Unique Passwords Ever

January 27, 2016 by Mike Szczys 82 Comments

This “security” is so outrageous we had to look for hidden cameras to make sure we’re not being pranked. We don’t want to ruin the face-palming realization for you, so before clicking past the break look closely at the image above and see if you can spot the exploit. It’s plain as day but might take a second to dawn on you.

The exploit was published on [Mark C.’s] Twitter feed after waiting a couple of weeks to hear back from TP-LINK about the discovery. They didn’t respond so he went public with the info.

Continue reading “TP-LINK’s WiFi Defaults To Worst Unique Passwords Ever” →

Steampunk USB Cryptex Keeps Your Data Secure

January 21, 2016 by James Hobson 10 Comments

Worried about people snooping around your USB drive? Digital encryption not good enough for you? What you need is a USB Cryptex to secure the drive from even being accessed!

Made completely out of copper and brass, [Scots72] really put a lot of effort into this beautiful piece of metalworking. The USB drive itself is encased in epoxy inside of a copper tube — the rest is built around it. Built almost entirely using hand tools, and we can only imagine how long the process took to complete. But patience is often rewarded with results like these!

Continue reading “Steampunk USB Cryptex Keeps Your Data Secure” →

Shmoocon 2016: GPUs And FPGAs To Better Detect Malware

January 17, 2016 by Mike Szczys 40 Comments

One of the big problems in detecting malware is that there are so many different forms of the same malicious code. This problem of polymorphism is what led Rick Wesson to develop icewater, a clustering technique that identifies malware.

Presented at Shmoocon 2016, the icewater project is a new way to process and filter the vast number of samples one finds on the Internet. Processing 300,000 new samples a day to determine if they have polymorphic malware in them is a daunting task. The approach used here is to create a fingerprint from each binary sample by using a space-filling curve. Polymorphism will change a lot of the bits in each sample, but as with human fingerprints, patterns are still present in this binary fingerprints that indicate the sample is a variation on a previously known object.
Continue reading “Shmoocon 2016: GPUs And FPGAs To Better Detect Malware” →

Shmoocon 2016: Phishing For The Phishers

January 16, 2016 by Mike Szczys 24 Comments

After years of ignoring the emails it’s finally time to get into a conversation with that Nigerian prince you keep hearing from. Robbie Gallagher — an Application Security Engineer with Atlassian in Austin, TX — wanted to find out where perpetrators of phishing emails actually live. Of course you can’t count on the headers of the emails they send you. A better way to track them down is to actually draw them into a conversations, and this means making yourself a juicy target.

Robbie gave an excellent talk on his project Honey-Phish at this year’s Shmoocon. Part of what made it stand out is his narrative on each step of exploring the social engineering technique. For instance, there is already a vibrant community that specializes in forming relationships with scammers. Those who frequent 419 Eater have literally made it into a sport called Scambaiting. The ultimate goal is to prove you’ve baited a scammer is to get the person to take a picture of themselves balancing something on their head. Now the image a the top of this post makes sense, right?

Writing personal emails to your scammer is a great system if you have a lot of time and only want to track down one scammer at a time. Robbie wants to catalog geographic locations for as many as possible and this means automation. Amusingly, the solution is to Phish for Phishers. By automating responses to phishing emails, and enticing the people originating those phishing scams to click on a link, you can ascertain their physical location.

Continue reading “Shmoocon 2016: Phishing For The Phishers” →