Teardown: Recon Sentinel

It might be hard to imagine now, but there was a time when the average home had only a single Internet connected device in it. This beige box, known as a “desktop computer” in those olden days, was a hub of information and productivity for the whole family. There was a good chance you might even need to wait for your turn to use it, since it’s not like you had a personal device in your pocket that let you log on from the bathroom whatever room you might be in at the time. Which is just as well, since even if you had broadband back then, you certainly weren’t shooting it around the house with the Magic Internet Beams that we take for granted now.

Things are a lot more complicated today. Your computer(s) are only part of the equation. Now there’s mobile phones and tablets sharing your Internet connection, in addition to whatever smart gadgets you’ve brought into the mix. When your doorbell and half the light bulbs in the house have their own IP address, it takes more than a fresh copy of Norton AntiVirus to keep everything secure.

Which is precisely what Cigent Technology says the Recon Sentinel was designed for. Rather than protecting a single computer or device, this little gadget is advertised as being able to secure your entire network by sniffing out suspicious activity and providing instant notifications when new hardware is connected. According to the official whitepaper, it also runs a honeypot service Cigent calls a “cyber deception engine” and is capable of deploying “Active Defense Countermeasures” to confuse malicious devices that attempt to attack it.

It certainly sounds impressive. But for $149.99 plus an annual subscription fee, it better. If you’re hoping this teardown will tell you if it’s worth springing for the $899.99 Lifetime Subscription package, don’t get too excited. This isn’t a review, we’re only interested in cracking this thing open and seeing what makes it tick.

Continue reading “Teardown: Recon Sentinel”

Do Your Part To Stop The Robot Uprising

One of the pleasures of consuming old science fiction movies and novels is that they capture the mood of the time in which they are written. Captain Kirk was a 1960s guy and Picard was a 1990s guy, after all. Cold war science fiction often dealt with invasion. In the 1960s and 70s, you were afraid of losing your job to a computer, so science fiction often had morality tales of robots running amok, reminding us what a bad idea it was to give robots too much power. As it turns out, robots might be dangerous, but not for the reasons we thought. The robots won’t turn on us by themselves. But they could be hacked. To that end, there’s a growing interest in robot cybersecurity and Alias Robotics is releasing Alurity, a toolbox for robot cybersecurity.

Currently, the toolbox is available for Linux and MacOS with some support for Windows. It targets 25 base robots including the usual suspects. There’s a white paper from when the product entered testing available if you want more technical details.

Continue reading “Do Your Part To Stop The Robot Uprising”

Lowering The Bar For Exam Software Security

Most standardized tests have a fee: the SAT costs $50, the GRE costs $200, and the NY Bar Exam costs $250. This year, the bar exam came at a much larger cost for recent law school graduates — their privacy.

Many in-person events have had to find ways to move to the internet this year, and exams are no exception. We’d like to think that online exams shouldn’t be a big deal. It’s 2020. We have a pretty good grasp on how security and privacy should work, and it shouldn’t be too hard to implement sensible anti-cheating features.

It shouldn’t be a big deal, but for one software firm, it really is.

The NY State Board of Law Examiners (NY BOLE), along with several other state exam boards, chose to administer this year’s bar exam via ExamSoft’s Examplify. If you’ve missed out on the Examplify Saga, following the Diploma Privilege for New York account on Twitter will get you caught up pretty quickly. Essentially, according to its users, Examplify is an unmitigated disaster. Let’s start with something that should have been settled twenty years ago.

Continue reading “Lowering The Bar For Exam Software Security”

Copy And Paste Deemed Insecure

Back when Windows NT was king, Microsoft was able to claim that it met the strict “Orange Book” C2 security certification. The catch? Don’t install networking and remove the floppy drives.  Turns out most of the things you want to do with your computer are the very things that are a security risk. Even copy and paste.

[Michal Benkowki] has a good summary of his research which boils down to the following attack scenario:

  1. Visit a malicious site.
  2. Copy something to the clipboard which allows the site to put in a dangerous payload.
  3. Visit another site with a browser-based visual editor (e.g., Gmail or WordPress)
  4. Paste the clipboard into the editor.

Continue reading “Copy And Paste Deemed Insecure”

Mitigating Con Deprivation: Disobey 2020

While the Coronavirus-induced lockdown surely makes life easier for the socially anxious and awkward ones among us, it also takes away the one thing that provides a feeling of belonging and home: conferences. Luckily, there are plenty of videos of past events available online, helping to bypass the time until we can mingle among like-minded folks again. To put one additional option on the list, one event you probably never even heard of is Disobey, Finland’s annual security conference that took place for its fifth time in Helsinki earlier this year, and they recently published the playlist of this year’s talks on their YouTube channel.

With slightly under 1500 hackers, makers, and generally curious people attending this year, Disobey is still on the smaller side of conferences, but comes with everything you’d expect: talks, workshops, CTF challenges, and a puzzle-ridden badge. Labeling itself as “The Nordic Security Event”, its main focus is indeed on computer and network security, and most of the talks are presented by professional security researchers, oftentimes Red Teamers, telling about some of their real-world work.

In general, every talk that teaches something new, discusses important matters, or simply provides food for thought and new insight is worth watching, but we also don’t want to give everything away here either. The conference’s program page offers some outline of all the talks if you want to check some more information up front. But still, we can’t just mention a random conference and not give at least some examples with few details on what to expect from it either, so let’s do that.

Continue reading “Mitigating Con Deprivation: Disobey 2020”

The United States Air Force Would Like You To Hack Into Their Satellite

The Air Force is again holding its annual “Space Security Challenge” where they invite you to hack into a satellite to test their cybersecurity measures. There are actually two events. In the first one, $150,000 is up for grabs in ten prizes and the final event offers a $100,000 purse divided among the three top participants (first place takes $50,000).

Before you get too excited, you or your team has to first qualify online. The qualification event will be over two days starting May 22. The qualifying event is set up a bit like the TV show Jeopardy. There is a board with categories. When a team solves a challenge in a category it receives a flag that is worth points as well as getting to unlock the next challenge. Once a challenge is unlocked however, any team could potentially work on it. There are more rules, but that’s the gist of it. At the end of the event, the judges will contact the top 10 teams who will then each have to submit a technical paper.

Continue reading “The United States Air Force Would Like You To Hack Into Their Satellite”

Hackaday Links: August 11, 2019

By the time this goes to press, DEFCON 27 will pretty much be history. But badgelife continues, and it’d be nice to have a way of keeping track of all the badges offered. Martin Lebel stepped up to the challenge with a DEF CON 27 badgelife tracker. He’s been tracking the scene since March, and there are currently more than 170 badges, tokens, and shitty add-ons listed. Gotta catch ’em all!

Nice tease, Reuters. We spotted this story about the FAA signing off on beyond-visual-line-of-sight, or BVLOS, operation of a UAV. The article was accompanied by the familiar smiling Amazon logo, leading readers to believe that fleets of Amazon Prime Air drones would surely soon darken the skies with cargoes of Huggies and Tide Pods across the US. It turns out that the test reported was conducted by the University of Alaska Fairbanks along an oil pipeline in the Last Frontier state, and was intended to explore medical deliveries and pipeline surveillance for the oil industry. The only mention of Amazon was that the company reported they’d start drone deliveries in the US “in months.” Yep.

Ever wonder what it takes to get your widget into the market? Between all the testing and compliance requirements, it can be a real chore. Nathaniel tipped us off to a handy guide written by his friend Skippy that goes through the alphabet soup of agencies and regulations needed to get a product to market – CE, RoHS, WEEE, LVD, RED, CE for EMC. Take care of all that paperwork and you’ll eventually get a DoC and be A-OK.

A French daredevil inventor made the first crossing of the English Channel on a hoverboard on Sunday. Yes, we know it’s not an “actual” hoverboard, but it’s as close as we’re going to get with the physics we have access to right now, and being a stand-upon jet engine powered by a backpack full of fuel, it qualifies as pretty awesome. The report says it took him a mere 20 minutes to make the 22-mile (35-km) crossing.


We had a grand time last week around the Hackaday writing crew’s secret underground lair with this delightful Hackaday-Dilbert mashup-inator. Scroll down to the second item on the page and you’ll see what appears to be a standard three-panel Dilbert strip; closer inspection reveals that the text has been replaced by random phrases scraped from a single Hackaday article. It looks just like a Dilbert strip, and sometimes the text even makes sense with what’s going on in the art. We’d love to see the code behind this little gem. The strip updates at each page load, so have fun.

And of course, the aforementioned secret headquarters is exactly what you’d picture – a dark room with rows of monitors scrolling green text, each with a black hoodie-wearing writer furiously documenting the black arts of hacking. OpenIDEO, the “open innovation practice” of global design company IDEO, has issued a challenge to “reimagine a more compelling and relatable visual language for cybersecurity.” In other words, no more scrolling random code and no more hoodies. Do you have kinder, gentler visual metaphors for cybersecurity? You might win some pretty decent prizes for your effort to “represent different terms and ideas in the cybersecurity space in an accessible and compelling way.”