December 4, 2017

Find a Hacking Con, B-sides or 2600 near you on Hackermaps.org

http://hackermaps.org/

Hackermaps.org

Hackermaps created by @nyxgeek, DM him on Twitter if he missed any.

November 23, 2017

Prt.2 – How to Setup MouseJack and JackIt

This blog post is Part 2 of our MouseJack series.  This post will focus on setting up MouseJack on the Crazyradio PA by flashing the firmware.  After that you can install JackIt and start scanning for vulnerable devices.  Please follow the steps below in-order to setup MouseJack and Jackit.

The hardware required is a Crazy Radio – $28 – $35 USD

/ continue reading

November 15, 2017

Prt.1 – MouseJacking is a Dangerous Threat if your Wireless Peripherals are Vulnerable

What is MouseJacking?

MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice (Bastille, 2016). These peripherals are ‘connected’ to a host computer using a radio transceiver, commonly a small USB dongle (Bastille, 2016). Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim’s computer by transmitting specially-crafted radio signals using a device which costs as little as $15.

An attacker can launch the attack from up to 100 meters away. The attacker is able to take control of the target computer, without physically being in front of it, and type arbitrary text or send scripted commands (Bastille, 2016). It is therefore possible to perform rapidly malicious activities without being detected. The MouseJack exploit centers around injecting unencrypted keystrokes into a target computer (Bastille, 2016). / continue reading

November 4, 2017

Are Lockpicks illegal or legal in your state?

Individuals and groups all across the country are interested in lockpicking as it is challenging and takes time to master.  One of the best resources found on the web for learning lockpicking techniques and determining laws can be found on a website run by an organization called “The Open Organisation of Lockpickers” (TOOOL).  Below is a US map overview of “Lockpick Laws in the United State” presented by TOOOL. Please keep in mind the latest updates and laws concerning lockpicks in the United States can be found with details of each states statues related to lockpicks on the official TOOOL website listed in the reference section below.

 

PLEASE NOTE the following two important facts…

/ continue reading

June 28, 2017

The Ten Commandments of E-Mail Security

E-mail isn’t secure.  It passes through many strange networks.  It can be examined.  It can be spoofed.  It can be tampered with.  It can be kept when you want it to be discarded.  It can carry so many nasty surprises. When using it, you need to be on your guard.

So let us help you out, Moses style:

  1. Thou shalt not click the links in messages.

    If an e-mail has a hyperlink to your bank — or some other website you would provide confidential information to — do not click or follow the link!  It is very easy to “spoof” a link (i.e. making a link display as https://www.mybank.com, yet having it forward to http://www.badguy.net).  It is better to copy the link to the clipboard and paste it into your browser. That way, you can inspect the real link URL before you submit it.

/ continue reading

June 24, 2017

A Simple Method to Exfil Data over HTTPS to a WordPress Back-end

In today’s enterprise insider threats can be tricky to detect and can easily fly under the radar for months and even years.  Oftentimes, these insiders use simple tactics to steal information from a organization.  The primary reason for this is because most insider threats have been granted access to authorize sensitive data or areas of the corporate network. This access is granted in order to permit the individual to perform specific job duties or fulfill a contractual obligation. But when an individual makes the decision to use this access in ways other than envisioned – abusing privileges with malicious intent towards the organization – that individual becomes an insider threat (Lord, 2017). One of the simplest ways for an insider threat to exfil data is through 3rd party email or storage sites, but in most cases these are blocked in enterprise environments.  Another way to exfil data out of an organization is by simply uploading files to a webserver.  Below, is a simple method on how to exfil data over HTTPS to a WordPress back-end.

/ continue reading

January 26, 2017

Reducing an Organizations Email Attack Surface

In today’s cyber space the threat landscape is evolving on a daily basis.  There are many ways to reduce your company’s attack surface.  A simple way to reduce a company’s email attack surface is by blocking incoming file types.  Email attachments frequently contain malicious content that are delivered to organization’s end-users. These inbound attachments can contain numerous types of malicious files (ransomware, ZIP attachments with SCR scripts, .exe, Macros, VBscripts, etc.).

To block incoming file types see methods and policies outlined below.

/ continue reading