Hack in the Box Amsterdam and Haxpo 2019

I like attending conferences, they provide a front row seat to the lastest research and other people in your area are doing and thinking. For me they are inspiring. They also provide a great space for networking and getting to know great people, especially in our security community.

Around the conference, there is normally a lot going on, and I normally miss out on most of it because I’m focused on the talks. So this time, I decided to skip the conference all together and just visit the Haxpo (or the program around the main conference)

Hack in the Box (Amsterdam) is a great event, I’ve attended a couple of times: trainings and talks. They also organize a great Expo, it runs parallel to the conference and always has a lot to offer. This piece covers my day at the Haxpo.

Keep Reading →

My impressions of the Digital Demo Day 2019

Yesterday I participated at the #DigitalDemoDay19 in Düsseldorf, Germany. My overall impression: great event. A nice mix of talks, pitches and fair grounds. I was not able to hear any of the talks, because we had our first stand ever.

We got to share our stand / booth with 5 other start-ups () and #CGI, which was kind enough to select us and sponsor our presence. The CGI team was great from before the event. It was a pleasure partnering with them. They had a really cool chocolate kiosk that was a people magnet!

For the event we prepared some roll-ups, which did a great job attacking people. But the biggest hit was the IoT Security Hacking Kit. I took one of the boxes and used it as a stand for the presentation tablet. Lots of people where interested in it, even today I got some pings via LinkedIn. Next time I need to prepare a full box for show and tell 😉

Table stand, with kit, presentations and demo.

Keep Reading →

Entering SevenShift

I’ve been working as a freelancer for a while now and lately been wanting to grow and attempt bigger things. That is why starting today I have officially founded SevenShift

 

This new company will be the place I will be doing all my work from. The main idea is to have a legal entity that can enable me to work on any future endeavors.

The main focus will be on IoT Security, which is what I have been working on lately, but we will see where the road takes us.

I hope I find some time to post here as well, now that I will be responsible for an additional site.

IoT Makerthon

At the end of March 2017, I participated in an IoT Makerthon (Hackathon) at my co-working space in Cologne.

The turnout was not what I expected, we were only approx. 15 participants. Considering it was planned on a Monday in working hours the only people who could attend were those who were either sent by their day job or those who could take the day off.

Keep Reading →

Links of the week

chains

I’ve been sending myself emails with links at the end of the week for some time now and I’ve decide to share this list of curated links. These links are to articles that I have run by during the week, that at least when I decided to set them aside, had the value for them to be revisited, shared or stored.

The topics vary a lot, depending on what I ‘m working on or am interested at a given point or what I run into.

So without further delay here is the first edition

Keep Reading →

Who signed the .apk file?

After a while searching for an older version of an App from the Play Store, I finally found the version I wanted and downloaded it.
In order to install it, you have to “Allow the installation from unknown sources”. So there goes the chain of trust for the app.

Android

So how do you know:

  • Where did the app came from ?
  • Did someone plant Malware in it?
  • Can I trust it?

These are cases for your trusted cryptographer or in the case your certificates.

Basically you need fo follow these steps:

# Dump the apk information
$ANDROID_HOME/build-tools/23.0.0_rc2/aapt dump badging www.apks.org-de.hafas.android.db.apk |grep package

# verify the signer
jarsigner -verbose -verify www.apks.org-de.hafas.android.db.apk |less

# Verify that all files have been signed with the same key
jarsigner -verbose -certs -verify www.apks.org-de.hafas.android.db.apk |less

 

Error -505 while installing Android App

I’ve had the DB Navigator app trying to update itself for the last 3 to 12 months, but hadn’t really put some time into figuring out why it didn’t work.  If figured I was not the only one affected so they would fix it themselves someday. Since that never happens, I took some time and wrote this post.

In a nutshell the problem is that the ticket database was owned by another DB app: de.bahn.dbtickets. I uninstalled it and then could update / re-install the DB Navigator app.

How did I figure this out?, you say

  1. Enabled developer mode on my phone
  2. Connected to it and used adb logcat to see the logs
  3. Tried to install the app
  4. Found this in the logs

E/Finsky (28878): [1] PackageInstallerImpl.handleCommitCallback: Error -505 while installing de.hafas.android.db: INSTALL_FAILED_DUPLICATE_PERMISSION: Package de.hafas.android.db attempting to redeclare permission de.bahn.dbtickets.permission.WRITE_DB already owned by de.bahn.dbtickets
W/Finsky (28878): [1] 3.installFailed: Install failure of de.hafas.android.db: -505 null

So the highlighted part is what told me the problem.

Have fun.

Security mindset reviewed by Matty Beddoes

I normally try to post only original content, but I ran into an interview with Matty Beddoes at Tripwire THE STATE OF SECURITY which is worth sharing. It is a good reminder that security is not just about controls and suits but also about hacking (learning driven by interest) and having the correct mindset really helps.

Here is the money quote:

"

It’s never a good idea to mess with a 16-year-old, especially one who can use a computer to cause chaos. Honestly, if they had said “Thank you,” things might have turned out differently. But they didn’t.

Sadly, that’s not a unique reaction in today’s industry. In fact, I find that IT staffs generally do not want their managers to know of a vulnerability for fear of looking bad at their jobs. This creates an unhealthy environment where no one wants to hear about vulnerabilities. If you talk to the staff, they will just ignore you, and if you contact the manager, they will take it personally and think you’re criticizing their staff. You’re blocked either way.

This problem is found all over the place but it usually changes after a company has been hacked. And that’s where I came in.

"

I have also seen this attitude a lot, although I welcome the people that find themselves at the other side of the engagement and see the opportunity that it being given to them to learn and grow..  event make a business or career out of the experience.

deutschlandfunk

old time radio
At the end of last year a friend gave my contact information to a radio producer with an interesting project. She wanted to learn as much she could as you can from a person through different means:

  • Getting his writing analyzed
  • Getting his voice analyzed
  • Using a private detective to follow him for a couple of days
  • And of course the digital perspective (which is where I tried to pitch in)

Basically we had a target (which gave us written permission to hack him and his systems) and the idea was to go, collect all the information we could from his online presence, hack any of his accounts and / or his personal computer. One of the things we had in mind, was since “the Target” was one of the producers, is that we didn’t want to kill any of his devices.

Keep Reading →

sysunconfig

I just released a set of scripts that come in handing when creating clean images for virtual environment, heck you can even use it for cloud images.

What they do is:

  • clear all the logs
  • clean up the networking scripts, because the normally get references to the mac address in CentOS
  • clean up the repository files
  • in some cases create a root user

There are scripts for: CentOS 6, Debian and OpenSuse.

They can be be found in the tools section or in github.

12346Next