Now You See Me, Now You Don’t, Face Detection Scripts

Straight out of Ghost in the Shell, the Laughing Man makes his appearance in these security camera shots. [William Riggins] wrote us to let us know about his team's Famicam scripts. After taking a screenshot, faces are detected and counted, 'anonymized', and the final image is uploaded to Twitter.

The process is rather simple, and sure beats wearing a bunch of white reflective camouflage. All that’s left is detecting specific faces to make anonymous, and of course uploading the script to every camera in the world. Easy, right?

SOAP Compatibility For SQLmap

[_coreDump] was doing some database vulnerability testing using SQLmap to automate the process. To his dismay, the package was unable to test using the Simple Object Access Protocol. Faced with having to manually test all of the SOAP vulnerabilities, he decided to work some Python magic and add support. His solution allows SQLmap 0.8 to parse XML data from the SOAP protocol by modifying three files from the package. He's made the diff files available if you need this functionality for your own security testing.

Win At Hangman, Gain Entry

Do not put anything in this box that you will need in a rush. You’ll have to successfully guess the word in a game of hangman to gain entry. He’s using an Atmega328 as the brains of this project with a rotary dial and an LCD for input and display. If you win, the box is unlocked and you can open it up to get whatever is inside. There are links to various tutorials along the way to help with each step, including the Arduino source code he used to build it. We think he should bump it up a notch and have the box destroy the contents if you fail. Sounds like fun, right?

Ground Your Car To Make It Go

Video: http://www.youtube.com/watch?v=FFb5_mKfnR8

This security system called G-spot requires that you touch a special place on the car prior to attempting to start it. This is pretty slick as it could be completely un-obvious and doesn’t require any special fobs or minor surgery. With the right placement, no one would ever notice that you had touched it.

[via HackedGadgets]

Modern Car Data Systems Lack Security

Tomorrow a team of researchers will present their paper on Experimental Security Analysis of a Modern Automobile (PDF) at the IEEE Symposium on Security & Privacy. Much like the racing simulators we've seen, they're exploiting the OBD-II port to get at the vehicle's Controller-area network, or CAN-bus. We're not surprised at all that they can display custom text on the dashboard display or read sensor data from the car. What does surprise us is their exposé on how truly unsecured the system is. It seems that access to any device on the CAN-bus gives them unobstructed control of the car's systems. Any device can send commands to any other device. They've even found a way to write malicious code to the car's computer which can be programmed to erase itself in the event of a crash.

Much like RFID, the security risks here are basically nil for the vast majority of consumers. We just find it a bit surprising that there's apparently been little thought put into fortifying the communications between the safety systems such as the brakes on the vehicle. For instance, the team experimented with sending random packets over the CAN-bus and stumbled across a way to lock the brake on just one wheel. To us it's conceivable that a malfunctioning device on the network could start sending out damaged packets and cause a dangerous malfunction like this one.

The 14-page PDF linked above is a page-turner, check it out on your hacked ereader during lunch.
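Because a CAN frame carries an arbitration ID but no sender field, a passive monitor can only judge traffic by what each ID normally looks like. The sketch below is an added example, not code from the paper or from this post: it learns per-ID payload length and timing from known-good traffic and flags frames that deviate, as random or damaged packets would. It assumes logs in the `candump -l` text format; the IDs, payloads and the `slack` threshold are constructed for illustration.

```python
import re
# candump -l log line: "(timestamp) interface ID#HEXDATA" (classic CAN, 0-8 data bytes)
LINE_RE = re.compile(r"^\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})#([0-9A-Fa-f]*)$")

def parse(line):
    """Return (timestamp, arbitration_id, payload), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m or len(m.group(3)) % 2 or len(m.group(3)) > 16:
        return None
    return float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))

def build_baseline(lines):
    """Learn per-ID payload lengths and shortest inter-frame gap from known-good traffic."""
    base, last = {}, {}
    for ts, cid, data in filter(None, map(parse, lines)):
        entry = base.setdefault(cid, {"lengths": set(), "min_gap": float("inf")})
        entry["lengths"].add(len(data))
        if cid in last:
            entry["min_gap"] = min(entry["min_gap"], ts - last[cid])
        last[cid] = ts
    return base

def audit(lines, base, slack=0.5):
    """A frame names no sender, so judge each one by ID, length and timing alone."""
    alerts, last = [], {}
    for line in lines:
        frame = parse(line)
        if frame is None:
            alerts.append(("malformed", line))
            continue
        ts, cid, data = frame
        if cid not in base:
            alerts.append(("unknown_id", line))
        elif len(data) not in base[cid]["lengths"]:
            alerts.append(("bad_length", line))
        elif cid in last and ts - last[cid] < base[cid]["min_gap"] * slack:
            alerts.append(("too_fast", line))
        last[cid] = ts
    return alerts

# Constructed sample data (not from the paper): two periodic IDs as the baseline.
BASELINE = [f"({100 + i / 10:.6f}) can0 0C9#0011223344556677" for i in range(4)] + \
           [f"({100 + i / 10:.6f}) can0 1A0#0102" for i in range(4)]
CAPTURE = ["(200.000000) can0 0C9#0011223344556677",   # normal
           "(200.005000) can0 0C9#FFFFFFFFFFFFFFFF",   # far faster than the learned period
           "(200.020000) can0 7E3#A5",                 # ID never seen in the baseline
           "(200.030000) can0 1A0#010203",             # wrong payload length for this ID
           "(200.040000) can0 1A0#01G2"]               # not valid hex
print([kind for kind, _ in audit(CAPTURE, build_baseline(BASELINE))])
```

A monitor like this only observes; a frame with a known ID, the usual length and plausible timing passes regardless of which node sent it.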

Nike + iPod As A Tracking Device

[Thomas] found a paper from 2006 that describes using the Nike + iPod system as inexpensive tracking devices. Yep, it’s old as dirt but we think it’s fascinating reading! [Scott Saponas] and his fellow authors take a hard look at the lack of security in the system in a twelve-page PDF. They cover several different ways to capture and track one of the $29 tags in someone’s shoe, including using the Gumstix reader above, or a slightly modified 3G iPod. If the sensors are not removed or manually switched off when not in use they can be picked up by any RF reader within range. Because the tags are cheap and available, one could be planted on an unsuspecting victim James-Bond-style. Maybe this is what prompted Apple’s half-hearted attempt to restrict hacking the devices to do things like unlock doors.

Of course if you don’t want to do the reading you could download their video presentation or just stream it.

RFID Immobiliser

[andrew_h] has put together this slick anti-theft device for his car. The RFID immobiliser is used to keep the car from starting unless you swipe an RFID tag. Depending on how well you hide it, and how well the person stealing the car knows you, they would have no reason to suspect that they have to swipe the tag. Even if someone steals the car while it is already running, they won't be able to restart the engine if they shut it off. As usual, schematics and PCBs are available.