25C3 International Capture The Flag

December 23, 2008 by Eliot 5 Comments

Capture the Flag (CTF) is a long running tradition at hacker conventions. It pits teams of security researchers against each other on the same network. Every team gets an identical virtual machine image. The VM has a set of custom written services that are known to be vulnerable. The teams work to secure their image while simultaneously exploiting services on the machines of other teams. A scoring server monitors the match as it progresses and awards points to teams for keeping their services up and also for stealing data from their competitors.

The Chaos Communication Congress in Berlin December 27-30, 2008 will host a CTF competition. Most CTF matches are done head to head in the same room. While 25C3 will have local teams, it will also be wide open for international teams to compete remotely. Remote teams will host their own images on a VPN with the other competitors. Now is a good time to register and familiarize yourself with the scoring system. It will certainly be interesting to see how this competition plays out now that teams that can’t make the trip can still compete.

MBTA Drops Lawsuit Against MIT Subway Hackers

December 23, 2008 by Eliot 8 Comments

The Massachusetts Bay Transit Authority (MBTA) has dropped its federal case against three MIT researchers, “the subway hackers”. This happened in October and now the EFF brings news that the students will be working with the MBTA to improve their system. The overall goal is to raise security while keeping expenses minimal.

This whole mess started in August when a gag order was issued against the students’ presentation at Defcon. It’s a shame no one ever saw it because it covers a lot of interesting ground. A PDF of the banned slides is still online. They performed several attacks against both the subway’s fare system and physical security. Our favorites by far were using GNU Radio to sniff the RFID card’s transaction and bruteforcing Mifare Classic with an FPGA.

Free Issue Of Hackin9

December 23, 2008 by Eliot 9 Comments

hackin9

Until midnight tonight, you can download a free copy of the 1/2008 issue of security magazine hackin9. It’s 84pages, 10.5MB, and requires you to provide an email address they don’t verify.

[via TaoSecurity]

Tor Hardware Privacy Adapter

December 21, 2008 by Eliot 33 Comments

hardwaretor

The Janus team have published a preview of their new Privacy Adapter. It’s a small two port router. You just plug it in-line between your computer/switch and your internet connection. It will then anonymize all of you traffic via the Tor network. You can also use it with OpenVPN. The hardware appears to be a Gumstix computer mounted to a daughtercard with two ethernet ports. It will have a web configuration just like a standard router. This looks like a great plug-n-play privacy device. The only improvement we would suggest is adding auto-detect so a crossover cable isn’t required.

Janus is responsible for JanusVM, a virtual machine designed to protect your privacy with technologies like Tor and OpenVPN.

[via @hdmoore]

Securing Your Data

December 20, 2008 by Eliot 6 Comments

Lifehacker has published an overview of some of the many ways you can secure your data. The post was prompted by recently released browser vulnerabilities: first IE, then Firefox. They cover techniques far beyond just browser security, like how to properly wipe your iPhone. They mention disk encryption go-to TrueCrypt along with password management tools like KeePass. They also suggest using temporary credit cards to mitigate the impact of fraud.

[photo: Rija 2.0]

PS3 Home Hacking

December 15, 2008 by Eliot 21 Comments

ps3

Last week Sony launched the public beta of Home, their virtual world for the PlayStation 3. It wasn’t met with much fanfare and has proven to be quite buggy. Many were less than charmed by scarcity being ported to the virtual world. Others took it upon themselves to hack the service. Connections between the user’s home console and Sony’s server are unencrypted. You can sniff the requests and responses off the wire and modify them live. It seems you need the console to establish the initial connection, but after that you’re free to use builtin tools like Download.jsp, UploadFileServlet, and Delete.jsp to modify any file on the host server. You can also set up a proxy server to modify content, but that will only affect what your console sees.

[photo: nic0]

[via Joystiq]

Acrylic Tumbler Lock

December 9, 2008 by Eliot 21 Comments

acrylictumbler

Sometimes describing how a lock actually works can be the hardest part of teaching someone about lockpicking. [Mike Gee] has designed an acrylic lock that may just be the ticket for these situations. All of the pieces are cut from clear acrylic. As you insert the key, you can see it raise the four pins up to the shear line. He says that it will definitely take some tweaking as you assemble it to get it to function smoothly. Embedded below is a video of the lock in use. You can find plans on Thingiverse.

Continue reading “Acrylic Tumbler Lock” →