Sunday, August 11, 2013

BSidesLV 2013: Dungeons & Dragons, Siege Warfare & Fantasy Defense-in-Depth

Other than the very long and terribly deceiving title, our talk facilitated a discussion on accepting the imminent failure of the defense-in-depth approach, the future pervasiveness of "pervasive/ubiquitous computing", and outlined a potential new data protection framework for ubiquitous computing.

We'll be releasing some updated diagrams/slides on the concept in posts to come and will hopefully have some code to post soon.  Per advice from several parties, we will state herein that technology frameworks discussed are Patent-Pending.  It is still the intention to keep the framework open source but certain protections must be in place first.  Thanks!


Thanks to @irongeek_adc for recording and posting as always!

If the discussion on defense-in-depth protection interest you, check out @selil's post HERE for a much more academic perspective.
Read more »

Poor Man's Pwn Pad…$200 vs $900!

Intro...

First, it has been 4-5 months since I worked on this, but I've had a couple people ask for some instruction.  I showed this off back at CarolinaCON and even flashed one from scratch for some friends there.  So, the instructions may be a bit rusty and you may have to do some extra legwork.

Second, I am in no way attempting to detract from the Pwnie Express Pwn Pad.  I am a big fan of their early stuff and own a couple Pwn Plugs myself.  I will say that their steep prices are only reflective of the effort taken to provide an out of the box solution.  If you're lazy, go buy their stuff…otherwise, take the time to learn it for yourself and save a TON of money.

Nexus 7 & Ubuntu…

In 2012 I read about developer builds of Ubuntu for mobile devices, specifically the Google Nexus series of tablets.  On an off weekend, I was able to pickup a 32GB Nexus 7 locally for $250 (16GB is $200) and took an evening tinkering.  To my surprise, I was able to get full-blown Ubuntu 12.10 installed with most hardware working correctly within a couple hours!

At the time, I remember some issues with bluetooth drivers, webcams, etc., but the only frustrating part was a semi-glitchy touchscreen due to Ubuntu not technically supporting touch interfaces at the time.  Almost everything worked, but there were some workarounds needed.  Last I tried, Ubuntu 13.x was supported and was more stable and handled touchscreen input better.

Installing Ubuntu...


I won't go into boring detail here…you can get very thorough instructions HERE.

If I was able to follow it, so can you!  Yes, you can reinstall Android if you change your mind later.

Also, keep in mind this is NOT "Ubuntu for Android"!  This is FULL-BLOWN Ubuntu and functions as such.

Review the release notes and forums for details on issues and workarounds you may encounter.  Battery life was not particularly awesome in my experience on the 12.10 builds.

Installing Tools…

Surprisingly, the Ubuntu update manager and software center work pretty well even though it is on an ARM CPU.  I was able to get Nmap, and other scanning tools available there to install no problem.

As for the crux of my pentesting operation, Metasploit required a bit of manual interaction.  At the time, there wasn't an official ARM build which required me to compile it from source.  I'm not claiming anything as I primarily followed @DarkOperator's instructions HERE.  It didn't work 100%, but you're on your own…

Hardware…

Ubuntu recognizes the Micro-USB plug as an input device and allows you to plug in whatever you want.  Standard driver issues exist, but I personally had no problems with my Alfa wireless cards working…just be prepared for degraded battery life!

You can pick up an OTG cable on Amazon or anywhere else VERY cheap!  If you have to follow the Pwn Pad use case, pick up a TPLink USB wireless wherever you choose.

I even tested a powered USB hub successfully and had several devices running simultaneously, though power became an issue.

Closing…

Go hack something!
Read more »