With millions of phishing attempts happening daily, we’ve probably all had our fair share of coming across one. For the trained or naturally suspicious eye, it’s usually easy to spot them — maybe get a good chuckle out of the ridiculously bad ones along the way — and simply ignore them. Unfortunately, they wouldn’t exist if they weren’t successful enough in the big picture, so it might be a good idea to inform the targeted service about the attempt, in hopes they will notify users to act with caution. And then there’s [Christian Haschek], who decided to have some fun and trying to render the phished data useless by simply flooding it with garbage.
After his wife received a text message from “their bank”, [Christian] took a closer look at the URL it was pointing to, and found your typical copy of the real login form at a slightly misspelled address. As the usual goal is to steal the victim’s credentials, he simply wrote a shell script that sends random generated account numbers and PINs for all eternity via cURL, potentially lowering any value the attackers could get from their attempt.
As the form fields limit the input length of the account number and PIN, he eventually wondered if the server side will do the same, or whether it would crash if longer data is sent to it. Sadly, he’ll never know, because after he modified the script, the site itself returned a 404 and had disappeared.
In the quest against phishing attacks, this should count as a success, but as [Christian] seemed to enjoy himself, he yearned for more and decided to take a look at a similar attempt he saw mentioned earlier on Reddit. Despite targeting the same bank, the server-side implementation was more sophisticated, hinting at a different attack, and he definitely got his money worth this time — but we don’t want to give it all away here.
Rest assured, [Christian Haschek] continues the good fight, whether by annoying attackers as he did with ZIP-bombing random WordPress login attempts or battling child pornography with a Raspberry Pi cluster. Well, unless he’s busy hunting down an unidentified device hooked up in his own network.
(Banner image by Tumisu)
Consider the piggy bank. Behind that innocent, docile expression is a capitalistic metaphor waiting to ruin your fond memories of saving for that BMX bike or whatever else it was that drove home the value of a dollar. As fun as it is to drop a coin in a slot, the act of saving your pennies and learning financial responsibility could be a bit more engaging.
It seems like [gzumwalt] feels the same way. He’s designed a coin bank for his grand-kids that takes a more active role in the deposit process—it straight up eats the things. Put a coin on the platform and the upper half of the apple’s face is pushed open by an arm that pulls the coin inside on its return path.
Continuing with the money-saving theme, [gzumwalt] didn’t use a micro or even a 555. No, the core of this project is a pair of micro lever switches, a small gear motor, and 4.5V DC. When a coin hits the platform, the first switch engages the motor. The motor drives a 3-D printed mechanism modeled after Hoeckens’ linkage, which converts rotational motion to (nearly) straight-line motion. The second switch stops the cycle. Confused? You can sink your teeth into it after the break.
Don’t worry, the kids don’t have to slice up the apple when it’s time to go to the candy store, ’cause there’s a screw-in hatch on the bottom. This is because [gzumwalt] is a wizard of 3-D printing and design. Not convinced? Check out his balloon-powered engine or his runs-on-air plane.
Continue reading “Apple Coin Bank Plants The Seed Of Saving”
When living in an area that is prone to natural disasters, it’s helpful to keep something on hand for backup power. While a large number of people chose to use generators, they are often unreliable (or poorly maintained), noisy, produce dangerous carbon monoxide, or run on a fuel supply that might not be available indefinitely. For truly reliable backup power, [Jay] has turned to a battery bank to ride through multi-day power outages.
While the setup doesn’t run his whole house, it isn’t intended to. One of the most critical things to power is the refrigerator, so this build focuses on keeping all of his food properly stored through the power outage. During the days following Hurricane Irma, the system could run the refrigerator for 10-11 hours, and the thermal insulation could keep everything cold or frozen overnight. Rather than using solar panels to charge the batteries, the system instead gets energy from the massive battery of his electric vehicle. [Jay] was out of power for 64 hours, and this system worked for him (and at a better cost) than a generator would have.
With the impact of major storms on many areas this year, we’ve been seeing a lot of interesting ways that people deal with living in areas impacted by these disasters. Besides riding through power outages, we’ve also seen the AARL step in to help, and also taken a look at how robust building codes in these areas help mitigate property damage in the first place.
[Thiago]’s bank uses a few methods besides passwords and PINs to verify accounts online and at ATMs. One of these is a ‘security card’ with 70 single use codes, while another is an Android app that generates a security token. [Thiago] changes phones and ROMs often enough that activating this app became a chore. This left only one thing to do: reverse engineer his bank’s security token and build a hardware device to replicate the app’s functionality.
After downloading the bank’s app off his phone and turning the .APK into a .JAR, [Thiago] needed to generate an authentication code for himself. He found a method that generates a timestamp which is the number of 36-second intervals since April 1st, 2007. The 36-second interval is how long each token lasts, and the 2007 date means this part of the code was probably developed in late 2007 or 2008. Reverse engineering this code allowed [Thiago] to glean the token generation process: it required a key, and the current timestamp.
[Thiago] found another class that reads his phone’s android_id, and derives the key from that. With the key and timestamp in hand, he figured out the generateToken method and found it was remarkably similar to Google Authenticator’s implementation; the only difference was the timestamp epoch and the period each token lasts.
With the generation of the security token complete, [Thiago] set out to put this code into a hardware device. He used a Stellaris Launchpad with the Criptosuite and RTClib libraries. The hardware doesn’t include a real-time clock, meaning the date and time needs to be reset at each startup. Still, with a few additions, [Thiago] can have a portable device that generates security tokens for his bank account. Great work, and great example of how seriously his bank takes account security.
[Norman] put together a rather impressive 22,500 uF capacitor bank. In addition to find things to torture with the strong magnetic field generated by a sudden discharge, he’d like to measure the current pushed from the device. He’s found a way to do this using a digital storage oscilloscope. To protect the oscilloscope [Norman] built his own interface box that includes a 50x voltage divider, and interfaces a current sensor called a Rogowski coil. When it comes time to run the experiment, he turns the safety lock-out key on the bank charger, then discharges the stored potential with the flip of a switch.
Take a look at the video after the break to see soda cans and hard drive platters mangled by the device. The oscilloscope measures the output near 10 kA, giving [Norman] the data he set out to capture. He’s entered this project into the Tektronix contest where it’ll compete with the piano tuner and laser light show tester just to name a few.
Continue reading “Measuring The ~10 Kiloamp Output Of A Large Capacitor Bank”