Blog

Embedded Trust (P2): U-Boot Secured Boot

2013-02-12T05:55:41Z

This post will function as a short walk through for installing and using a TPM on a BeagleBone to implement a Secured Boot (wooo...). I will use an example Secure Boot implementation called libsboot for U-Boot. Let's jump right in with a schematic for the (mostly) required additions to the BeagleBone.

Defcon 20 NFPC Round 4 - Easy Mode

2012-08-02T06:02:14Z

This is an 'easy mode' guide to the NFPC at Defcon 20. Let's begin: starting at packet 253, there is a TCP/LPD session from 10.0.1.4 to 10.0.1.3. A quick scan of the reconstructed session reveals little:

Having never seen LPD traffic, we gave the RFC 1179 a quick read, lucky it's relatively short.

Embedded Trust (P1): Beginning to trust my BeagleBone

2012-07-06T05:57:05Z

I plan to have a series of posts outlining my curiosity with embedded development and trust. Let's start with poking around where my (our) trust lies when deciding on a SoC for embedded development, using the BeagleBone [SRM] as an example. In this post we'll move trust from CircuitCO's (the Bone manufacture) included bootloaders, Angstrom Linux kernel, and Angstrom development environment to your own compiled bootloaders, kernel, and OS.

How To: DIY (Improved) Inexpensive Fog Screen

2012-06-10T18:44:40Z

Last month we built an improved version of the DIY Fog Screen found here.

We call it "improved" since we managed to create a thinner sheet of fog, maintain the projection longer (a fog machine is bursty), and thicken the sheet. We use the same technique of creating a laminar flow. Instead of using a window fan we installed 10 120mm [17] computer fans with a variable speed controller [20] to optimize the flow, since we did not know the fog density.

Since the original article doesn't explain the steps / tools / resources required to create a DIY Fog Screen, we'd like to take the opportunity and provide a "how to". In a nut shell, the screen needs to distribute "fog machine"-fog from end-to-end, width-wise, and keep the fog flowing downward sandwiched between two flows of air.

Gelf: L1 Emulation, L2 Tunneling, using an HTTP Client

2012-04-10T23:00:16Z

Simply: Gelf uses an HTTP client to bridge two or more networks. The iPhone is the primary use case; it has access to both AT&T's mobile network as well as an ad-hoc network. You can bridge the two using Gelf, without running any code on the iPhone, aside from client-side HTML and JavaScript.

This achieves a non-jailbroken, non-rooted, poor-man's network tether. Here's the catch, Gelf needs to run on a device inside each target network. Gelf functions as the L2 tunnel end-points, and the L1 emulation: achieved through an HTTP client.

CODEGATE 2012 - Network 100 Writeup

2012-02-26T23:49:27Z

Take a look at Eindbazen's write-up on Network 100.

I wanted to do the same write-up, highlighting an alternate path. (This will be the last CODEGATE 2012 write-up of mine, since both Leetmore and Eindbazen have all the other challenges we solved well documented.)

You start with a file: A0EBE9F0416498632193F769867744A3

And a note:

Someone have leaked very important documents. We couldn't find any proof without one PCAP file. But this file was damaged.

¡Ø The password of disclosure document is very weakness and based on Time, can be found easily.

Cryptographic algorithm is below. Msg = "ThisIsNotARealEncryption!SeemToEncoding"
Key = 0x20120224 (if date format is 2012/02/24 00:01:01)
Cryto = C(M) = Msg * Key = 0xa92fd3a82cb4eb2ad323d795322c34f2d809f78

Answer: Decrypt(Msg)

CODEGATE 2012 - Forensics 200 Writeup

2012-02-26T20:28:26Z

The challenge starts with a file and description:

File: C1E4775363DE0885E8360ED9A13A86B8

Question:

When IU who lives in Seoul tried to do SQL Injection attack a certain WEB site, suddenly the browser was closed abnormally. What is the SQL Injection value she tried to enter and when the browser was closed? The time is based on Korea Standard Time(UTC +09:00)

Time Format is YYYY-MM-DDThh:mm:ssTZD (TZD : +hh:mm or hh:mm)

Answer : injection_value|time ('|' is just a character)
Convert ' ' to '_' for injection value.

Forensic Challenge: Help stop the Sbuxnet trojan!

2012-02-11T03:51:20Z

This is a fun forensic challenge created originally for NYU's CSAW Capture the Flag Finals event. The story behind the challenge, along with additional forensic challenges were also used for ACSAC's Tracer Fire class. Now I'm hosting both the forensic image and command and control server on the net so anyone can play.

Begin here: [challenge01.c0.cx] (the challenge is over, thanks to those who played!)

Tools / Techniques / Skills involved:

Filesystem forensic analysis
Email forensics and cryptographic tools
Python, small bit of source code analysis
Filetype header analysis, image forensics
Minor HTML/HTTP understanding
Patience, etc...

Offensive Defense: Protect your high-hanging fruit ...from birds and stuff

2012-01-15T20:21:36Z

One of these days this webserver will be torn open by some low-hanging vulnerability. Sure, but that wont be very exciting, so let's think outside of the inevitable, and into the what-if.

What-if someone did break into this poor little webserver? Regardless of how they did it, what would they do? What would they find? Step 1: Break into my box, Step 2: ..., Step 3: Profit. You'll achieve profit without any 'Step 2' by killing my ego and any minuscule reputation I have among my friends. But assuming you're not out for defamation: let's think about the 'Step 2', and some possible defensive methods to protect a box once someone has broken in.

SIM card curiosity, and a little Hardware Hacking

2011-12-12T06:05:57Z

A few months ago I took an interest in the layer 2/3 protocols (and their implementations) for mobile networks. I quickly arrived at SIM card hacking and like a young schoolboy thought, “man if only I could MitM the hardware communication I could spoof other’s SIM cards and use free Internet!” Nope. Well, not nope, but it’s not that easy.