In one week, it's 44CON time again! One of our favourite UK hacker cons. In keeping with our desire to make more hackers, we're giving several sets of training courses as well as a talk this year.
Training: Hacking by Numbers - Mobile Edition
If you're in a rush, you can book here.
We created the course to share our experience testing mobile applications and platforms, and well, because lots of people asked us to. The course shows you how to test mobile platforms and installed applications for vulnerabilities. HBN Mobile provides a pretty complete and practical overview into the methods used when attacking mobile platforms and presents you with a methodology that can be applied across platforms (although we focus on iOS and Android). This course is mostly for existing penetration testers who are new to the mobile area looking to learn how to understand, analyse and audit applications on various mobile platforms.
For more information about the course, and to book a place, head over here.
Workshop: Malware Reverse Engineering
If we were marketing to hipsters, we'd use words like “bespoke” and “handcrafted” to describe this workshop. While it's not made out of yams, it was put together especially for 44con.
Inaki and Siavosh's workshop will cut through the black-magic often associated with reverse engineering and malware. Advanced attacks usually have some form of malware involved, and learning to pull these apart to understand the kill chain is an increasingly vital skill.
Using real malware used in attacks against large corporates, students will look at both behavioural analysis and code analysis, to determine what the malware does.
If you're keen to attend, speak to the 44con crew at the front desk on arrival.
Talk: 'Honey, I'm Home' - Hacking Zwave Home Automation Systems
Behrang and Sahand will be presenting the results of their research into smart homes on day two at 09:30am.
“Smart homes” employing a variety of home automation systems are becoming increasingly common. Heating, ventilation, security and entertainment systems are centrally controlled with a mixture of wired and wireless networking. In 2011 the UK market for home automation products was estimated at GBP 65 million, an increase of 12% on the previous year, with the US market exceeding $3 billion. Zigbee and Z-Wave wireless protocols underpin most home automation systems. Z-Wave is growing in popularity as it does not conflict with existing 2.4GHz WiFi and Bluetooth systems.
Their talk describes the Z-Wave protocol and a number of weaknesses, including how to build a low-cost attack kit to perform packet capture and injection, along with potential attacks on the AES crypto implementation. Bottom line: they can walk up to a house, disable security sensors, then open the front door. LIKE A BOSS
We are publishing the research paper and tool for our BlackHat 2013 USA talk on the Z-Wave proprietary wireless protocol security. The paper introduces our Z-Wave packet interception and injection toolkit (Z-Force) that was used to analyze the security layer of Z-Wave protocol stack and discover the implementation details of the frame encryption, data origin authentication and key establishment process. We developed the Z-Force module to perform security tests against the implementation of the Z-Wave security layer in encrypted home automation devices such as a door locks. The paper describes the details of a critical vulnerability discovered in a Z-Wave door lock that could enable an attacker to remotely take full control of the target device without knowledge of the network encryption key. The Z-Force download archive contains the GUI program and two radio firmware files for the receiver and transmitter TI CC1110 boards.
This research will also be presented at 44Con 2013 in London next month, followed by the release of Z-Force source code and US frequency support (908.4 MHz) in the firmware.
Link to conference page and paper: http://research.sensepost.com/conferences/2013/bh_zwave
Link to Z-Force project and download page: http://research.sensepost.com/tools/embedded/zforce
Today was our 13th birthday. In Internet years, that's a long time. Depending on your outlook, we're either almost a pensioner or just started our troublesome teens. We'd like to think it's somewhere in the middle. The Internet has changed lots from when SensePost was first started on the 14th February 2000. Our first year saw the infamous ILOVEYOU worm wreak havoc across the net, and we learned some, lessons on vulnerability disclosure, a year later we moved on to papers about "SQL insertion" and advanced trojans. And the research continues today.
We've published a few tools along the way, presented some (we think) cool ideas and were lucky enough to have spent the past decade training thousands of people in the art of hacking. Most importantly, we made some great friends in this community of ours. It has been a cool adventure, and indeed still very much is, for everyone who's has the pleasure of calling themselves a Plak'er. Ex-plakkers have gone on to do more great things and branch out into new spaces. Current Plakkers are still doing cool things too!
But reminiscing isn't complete without some pictures to remind you just how much hair some people had, and just how little some people's work habit's have changed. Not to mention the now questionable fashion.
Fast forward thirteen years, the offices are fancier and the plakkers have become easier on the eye, but the hacking is still as sweet.
As we move into our teenage years (or statesman ship depending on your view), we aren't standing still or slowing down. The team has grown; we now have ten different nationalities in the team, are capable of having a conversation in over 15 languages, and have developed incredible foos ball skills.
This week, we marked another special occasion for us at SensePost: the opening of our first London office in the trendy Hackney area (it has "hack" in it, and is down the road from Google, fancy eh?). We've been operating in the UK for some time, but decided to put down some roots with our growing clan this side of the pond.
And we still love our clients, they made us who we are, and still do. Last month alone, the team was in eight different countries doing what they do best.
But with all the change we are still the same SensePost at heart. Thank you for reminiscing with us on our birthday. Here's to another thirteen years of hacking stuff, having fun and making friends.
We blogged a little while back about the Snoopy demonstration given at 44Con London. A similar talk was given at ZaCon in South Africa. Whilst we've been promising a release for a while now, we wanted to make sure all the components were functioning as expected and easy to use. After an army of hundreds had tested it (ok, just a few), you may now obtain a copy of Snoopy from here. Below are some instructions on getting it running (check out the README file from the installer for additional info).
Remind me what Snoopy is?
Snoopy is a distributed tracking, data interception, and profiling framework.
-Ubuntu 12.04 LTS 32bit online server
-One or more Linux based client devices with internet connectivity and a WiFi device supporting injection drivers. We'd recommend the Nokia N900.
-A copy of Maltego Radium
After obtaining a copy from github run the install.sh script. You will be prompted to enter a username to use for Snoopy (default is 'woodstock') and to supply your public IP address. This is depicted below:
This installation will take around 3-5 minutes. At the end of the installation you will be presented with a randomly generated password for the web interface login. Remember it. You may now run the server component with the command snoopy, and you will be presented with the server main menu, as depicted below.
Selecting the 'Manage drone configuration packs' menu option will allow you to create custom installation packs for all of your drone devices. You will be presented with download links for these packs, such that you can download the software to your drones.
From your drone device download and extract the file from given link. Run setup_linux.sh or setup_n900.sh depending on your drone.
All collected probe data gets uploaded to the Snoopy server every 30 seconds. All associated clients have their internet routed through the server over OpenVPN. If you so desire, you can explore the MySQL database 'snoopy' to see this raw data. Graphical data exploration is more fun though.
In the Snoopy server menu select 'Configure server options' > 'List Maltego transform URLs'. This will give URLs to download Maltego Snoopy entities and machines, as well as a list of TDS transform URLs. You will need to download and add the entities and machines to your local Maltego installation, and add the transform URLs to your Maltego TDS account (https://cetas.paterva.com/tds). This is depicted below.
We can explore data my dragging the 'Snoopy' entity onto the canvas. This entity has two useful properties - 'start_time' and 'end_time'. If these are left blank Snoopy will run in 'real time' mode - that is to say displaying data from the last 5 minutes (variable can be set in server configuration menu). This time value will be 'inherited' by entities created from this point. The transforms should be obvious to explore, but below are some examples (further examples were in the original blog post).
I shall write a separate blog post detailing all the transforms. For now, enjoy playing around.
You can access the web interface via http://yoursnoopyserver:5000/. You can write your own data exploration plugins. Check the Appendix of the README file for more info on that.
Shane Kemp, Daniel Cuthbert and Dominic White will be promoted to Global Sales Manager, Chief Operations Officer and Chief Technology Officer respectivley and will join SensePost's senior leadership structures, effective 01 October 2012.
The three new c-levels, along with a number of other emergent leaders, will be commencing a training and development program spanning a number of months as they gradually assume their new responsibilities.
These appointments follow on recent promotion of Yvette du Toit to Business Development Manager for the Africa region, Rogan Dawes as Assessments Manager as well as Behrang Fouladi and Ian de Villiers to our recently established Research Division (more on that to come).
We have a vision to build a dynamic global business that will impact our clients and the community in general in a lasting and meaningful way. To achieve that we need to attract the best people in the game and give them every opportunity to develop, to achieve and ultimately to make their mark on our business and our industry. These appointments will not only stretch and challenge these three guys and their teams, it will also optimally position SensePost to leverage of its current position of strength to redefine itself, innovate and grow.We were looking for a new generation of leaders who not only had the required skill and experience, but who also represented our company's core values of honesty and integrity combined with technical excellence and passion a for information security. We believe that in this team we have that. We expect that over time the new leaders will bring their own unique style to the way SensePost is run, but we're confident that the technical, business and ethical values that have characterized us as a company over the last 13 years will remain intact.
We're proud of them all and wish them the best of luck!