Thursday, June 25, 2015

Best of Securitycurmudgeon.com 2012 to 2014

You may have missed one of securitycurmudgeon.com's posts in the past, or perhaps you started following later and missed earlier posts.  Whatever the reason, I thought it would be interesting to recap some of the site's best past blog posts.  Some are still relevant, and it's interesting to see how security and privacy change over the years.  Many posts did not make the cut for this list.  If any of these posts pique your interest, I encourage you to take a deeper look at some of the past posts.  It's been a pleasure to blog over the years and I appreciate your readership!

2012

Who is spying on you?  Your Car!
Privacy concerns about the confluence of information technology in automobiles.

Do Not Track, Why Does it Matter?
The verdict is in: nobody cares about our personal privacy preferences.  Still, it was great to have hope at the time.

Java Spotlight Episode 106: Java Security Update
Roger Brinkley interviewed Bruce Lowenthal and me on Java security.  It was surprisingly popular, since there was little discussion about Java security outside of Oracle at the time.

Movie Reviewed, We Are Legion: The Story of the Hacktivists
Security pros talk on camera about the Anonymous hacking group in this documentary film.

Measuring Internet Connection Throughput
Discusses a Java project to measure the throughput of an Internet connection.

Google Hacking -- Blast From the Past
Use advanced Google search operators to find the needle in the Internet haystack.  Useful for finding anything of interest.

2013

Provided readers a teaser about the brand new JavaOne Security Track.

Highlights around security concerns from 2013 at these conferences.

Link to official Oracle post addressing Java security concerns at the time.

Interviewed by Roger Brinkley discussing the new Java Security Track at JavaOne.

Security is a big profession, and there are many different domains of expertise covered in this post.

Amazing eye opening movie about Internet privacy.

Academic research around posts we type but instead decide not to share.

2014

Overview of various technical security features found in Java SE 8.  A video is available as well.

Security metrics of the day and my first stab at an infographic.

My first Raspberry Pi project.  Explains my experiences assembling the Raspberry Pi with a 2.8" TFT touch screen.

SSL/TLS Introspection (project DeepViolet)
With SSL/TLS increasingly under fire from attackers, I decided to learn more about the low-level protocol negotiation.  Instead of opening an HttpURLConnection I built some code to negotiate the connection myself (with some help from others on the Internet).  Several articles as well as code on GitHub.
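To show what "negotiating the connection yourself" involves at the byte level, here is an added example (not code from DeepViolet or from the original post) that builds a TLS 1.2 ClientHello record and parses a ServerHello record to report which protocol version and cipher suite the server selected.  The ServerHello bytes are constructed inline so the script runs offline; the cipher-suite table and the forward-secrecy check are assumptions added for illustration, not part of the page.

```python
"""Minimal TLS 1.2 handshake introspection.

Added example for illustration; not code from DeepViolet or the original post.
The ServerHello below is constructed by hand so the script runs offline.  On a
real connection you would send the ClientHello record over a socket and read
the first record back before handing the socket to a full TLS stack.
"""
import os
import struct

TLS12 = 0x0303
CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# A few IANA cipher-suite ids, enough to label what the server chose (assumed subset).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def build_client_hello(suites, random_bytes=None):
    """Return one TLS record carrying a ClientHello that offers `suites`."""
    random_bytes = random_bytes or os.urandom(32)
    body = struct.pack(">H", TLS12) + random_bytes
    body += b"\x00"                                   # session id: empty
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body += struct.pack(">H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                               # one compression method: null
    body += b"\x00\x00"                               # no extensions
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_HANDSHAKE]) + struct.pack(">H", TLS12)
            + struct.pack(">H", len(handshake)) + handshake)


def parse_server_hello(record):
    """Parse a handshake record holding a ServerHello and describe the choice."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    if len(record) != 5 + rec_len:
        raise ValueError("record length mismatch")
    hs = record[5:]
    if hs[0] != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("handshake length mismatch")
    version = struct.unpack(">H", body[0:2])[0]
    sid_len = body[34]                                # 32 random bytes precede it
    pos = 35 + sid_len
    suite = struct.unpack(">H", body[pos:pos + 2])[0]
    name = CIPHER_SUITES.get(suite, "unknown(0x%04x)" % suite)
    return {
        "version": version,
        "cipher_suite": suite,
        "cipher_name": name,
        "compression": body[pos + 2],
        # Assumed heuristic: ECDHE key exchange gives forward secrecy, static RSA does not.
        "forward_secrecy": name.startswith("TLS_ECDHE"),
    }


def make_server_hello(suite, version=TLS12):
    """Constructed ServerHello record for offline use (not captured from a server)."""
    body = (struct.pack(">H", version) + bytes(32) + b"\x00"
            + struct.pack(">H", suite) + b"\x00")
    hs = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_HANDSHAKE]) + struct.pack(">H", version)
            + struct.pack(">H", len(hs)) + hs)


if __name__ == "__main__":
    print("ClientHello:", build_client_hello([0xC02F, 0x002F]).hex())
    print("ServerHello ->", parse_server_hello(make_server_hello(0xC02F)))
```

Offering only the suites you want to test and reading the server's choice is the core of cipher introspection: a server that answers the same ClientHello with a static-RSA suite is telling you it does not prefer forward-secret key exchange.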

Coverage of security concerns at Black Hat and DEFCON 22.  Describes my experience with Software Defined Radio (SDR).  Ancillary coverage of the DEFCON 22 computerized badges and the pre-launch party for the security book Iron Clad Java.

Second Raspberry Pi project.  I use the SDR radio I purchased at DEFCON 22, my recently completed Raspberry Pi with 2.8" TFT display, and the dump1090 software to make an ADS-B aircraft receiver.  I learned something about aircraft security: it stinks.

Links to security presentations from JavaOne 2014.

Ever heard of racing drones?  This isn't your daddy's DJI Phantom, forget that.  This is a 100 mi/h (158 km/h) drone you fly first-person style with VR goggles.  Forget your wallet as well.

I tried my luck at memes and developed an appsec-focused meme.  It is challenging to distill a message into a meme, but a surprisingly effective way to communicate.

Honorable Mentions

All of these are only honorable mentions since they are likely more relevant to me than to readers.  First is the blog post I decided not to write: I provided a public conference call around Java platform security that started a media firestorm (ComputerWorld, JavaWorld, The Register, SecurityWeek, and others).  Another runner-up is improved transparency around Java platform security by adding a Security Track to JavaOne (multiple posts, Conferences tag).  Last but not least, I was invited to speak at Black Hat 2013 USA, Oracle: On Java Security, to security leaders from around the world.  The entire session was provided under NDA.  I had to eat my PowerPoint presentation when I finished.  But all is not lost; I developed a follow-up post about attending the conference for readers, Black Hat 2013 USA and DEFCON 21 Trip Report.

Tuesday, June 16, 2015

Wednesday, June 10, 2015

RedAlert, Change Your Password

Came across this article on Business Insider, A new flaw in Apple's iPhone software lets hackers collect your password with a single email.  The nut of the article: change your password ASAP!

Exploit Pack v4.03 Abyss Walker

Exploit Pack, Abyss Walker, is an exploit toolkit for Red Team style penetration tests.  A free version of the exploit pack is available to demo; however, it's fairly crippled.  The paid versions carry many more exploit packs and boast 33,000 exploits total.  The entry version runs about $155 USD.

The exploit pack is written in Java.  Abyss Walker is reminiscent of Metasploit in its extensibility.  Unlike some popular exploit packs, Abyss Walker is full-featured and includes discovery tools, reconnaissance tools, and RATs.  Due to the rich feature set it will take you some time to learn, but to help, the author(s) provide links to videos, and you can Google your own, of course.  Some of these exploit packs are difficult to learn (great pentesters don't necessarily make the best UX designers); still, the UI looks comparatively well thought out.  Looking forward to exploring the videos and this software further.

Note the author is presenting the exploit pack at Black Hat USA 2015, Arsenal | Exploit Pack.

Tuesday, June 9, 2015

Popcorn Time is Back but How Long?
Popcorn Time is a streaming movie player similar to Netflix and Vudu.  Like its big brothers, Popcorn Time is easy to use, but unlike its big brothers, it's free.  I covered Popcorn Time's run-in with the movie industry in two posts last year.  Apparently Popcorn Time is back for more bludgeoning.

Previous Popcorn Time Posts

Sunday, June 7, 2015

Tuesday, June 2, 2015

Famous Reddit Users: /u/A858DE45F56D9BC9

Discovered a mysterious Reddit account, /u/A858DE45F56D9BC9.  Similar to Webdriver Torso, if you like mystery accounts and puzzles.  The account has a 4-year badge on Reddit, so it's not new news, but it's new to me and perhaps to you as well.  A related post describes decoding one of A858's posts with a base64 decoder; along with transposing a few letters, this yields an ASCII image of Stonehenge.

Incidentally, the latest ciphers are not simple base64 transpositions.  If you have successfully deciphered them, feel free to post your examples/scripts in the comments or leave a link to your site.
