Tuesday, January 12, 2010

NoVA Hackers is back!

Well, at least it's now a reality in web form. The NoVA hackers mailing list has been thriving for the last 3 months with over 1400 messages posted and 79 active members.

That group can be found at: http://groups.google.com/group/novahackers

It is an invite only group, but any member may invite. We have evening meetings once a month on the second Monday of the month. We will still be having our meeting in February on the 8th with the intention that people who might not be leaving suddenly can come and check out the meeting. These dinner meetings have at least one presentation and are currently hosted at:

Glory Days Grill 
3059 Nutley Street, Fairfax, VA 22031-1931

which is a stones throw from the Vienna metro exit.

We also have lunch meetings which are less formal and more centrally located:

China Garden
1100 Wilson Blvd
Arlington, VA 22209
(703) 525-5317

which is near the Rosslyn metro exit in the Channel 7 building, at the top of the escalators.

The lunch meetings happen on the last Thursday of the month. Next meeting being January 28th.

We have opened up the web site for members to post about the meetings, about conversations they have on the list, or other topics that relate to information security in the NoVA/DC area.


Sunday, October 4, 2009

Moving Home

With my move to SquareSpace, I've decided to Mubix Links over there as well.

You can find it now at: http://www.room362.com/mubixlinks/

Please update your feeds to: http://www.room362.com/mubixlinks/rss.xml or start using the FeedBurner address: http://feeds.feedburner.com/MubixsLinks

For those of you using the feedburner address, you shouldn't have to change a thing.

Sorry for the hassle, just trying to consolidate and slim down ;-)

Tuesday, September 22, 2009

Monday, September 21, 2009

Script to unblock people on Twitter – Ruby

I created this script because I couldn’t really find anything out there for it. Both the Twitter support page and all the Twitter APIs out there had the ability to unblock people, but only if you knew who you wanted to unblock. Recently I tried the Twitter Karma service that could Mass unfollow / block people (hence my last couple scripts). I clicked the wrong button one time and it blocked a whole bunch of people. But say your not a klutz like me, maybe you just forgot who you’ve blocked over time.

This script will dump the list of people you block and unblock them all. Now you could expand this to get the names of each individual that you block but that’s an API call for each. Let me know if there is a better way, right now, the only way to figure out who was unblocked is through the 302 response that is generated with each request that sends you to the users page that you unblocked. (Push this script through a proxy to see it.)

 

#!/usr/bin/env ruby

require 'net/http'

require 'rexml/document'
include REXML

use_proxy = false
proxy_srvr = "127.0.0.1"
proxy_port = "8080"
proxy_user = ""
proxy_pass = ""

twitter_user = "joeuser"
twitter_pass = "password1"

header = {
    'User-Agent' => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
    'X-Requested-With' => "XMLHttpRequest",
    'Cookie' => "__utma="
}

data = "authenticity_token=&twttr=true"

doc = "temp"

if use_proxy == true
    Net::HTTP::Proxy(proxy_srvr, proxy_port, proxy_user, proxy_pass).start('twitter.com') {|http|
        req = Net::HTTP::Get.new('/blocks/blocking/ids.xml')
        req.basic_auth twitter_user, twitter_pass
        response = http.request(req)
        doc = Document.new response.body
    }
else
        Net::HTTP.start('twitter.com') {|http|
            req = Net::HTTP::Get.new('/blocks/blocking/ids.xml')
            req.basic_auth twitter_user, twitter_pass
            response = http.request(req)
            doc = Document.new response.body
    }
end

blocks = doc.elements.each('//id') { |f|
    if use_proxy == true
            Net::HTTP::Proxy(proxy_srvr, proxy_port, proxy_user, proxy_pass).start('twitter.com') {|http|
            req2 = '/blocks/destroy/' + f.text
            response2 = http.post(req2, data, header)
            puts response2.code
            }
    else
            Net::HTTP.start('twitter.com') {|http|            
            req2 = '/blocks/destroy/' + f.text
            response2 = http.post(req2, data, header)
            puts response2.code
            }
    end

    puts "Unblocking: " + f.text
}

Script to unfollow people on twitter - Python

This is exactly like the last script with a few minor changes. 1st, the last script only has the ability to force people to unfollow you if you aren’t following them. 2nd, the api call and the request URL are different. GetFollowers instead of GetFriends, and friendships/remove instead of friendships/destroy. Don’t forget to fill in the same 4 fields that were missing/wrong in the last one.

 

#!/usr/bin/python

import twitter
import urllib2

headers = {
'User-Agent' : "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
'Cookie'  : "__utma=",
}

data = "authenticity_token=&twttr=true"

api = twitter.Api(username='joeuser', password='password1')
for b in range(1,100):
    users = api.GetFollowers(page=b)
    for i in users:
        request = http://twitter.com/friendships/remove/ + str(i.id)
        req = urllib2.Request(request,data,headers)
        post = urllib2.urlopen(req)
        print post

Script to force people to unfollow you on twitter - Python

I left the authenticity token and Cookie partially filled out so you know what to look for in your request. But basically you fill out those two variables, plus your user / pass of course and it will go through 100 pages of your followers, which should peg out your API calls. You’ll have to wait another hour to keep going, but you could easily put this on a loop until it you got down to 0. The out put could use a bit of cleaning up. You’ll need python-twitter, but BT4 and Ubuntu at least has it in it in their repos for easy install.

 

#!/usr/bin/python

import twitter
import urllib2

headers = {
'User-Agent' : "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
'Cookie'  : "__utma=",
}

data = "authenticity_token=&twttr=true"

api = twitter.Api(username='joeuser', password='password1')
for b in range(1,100):
    users = api.GetFriends(page=b)
    for i in users:
        request = "http://twitter.com/friendships/destroy/" + str(i.id)
        req = urllib2.Request(request,data,headers)
        post = urllib2.urlopen(req)
        print post

Saturday, September 19, 2009

Security is Simplicity: Comment by Akibako

This was posted as a comment to my blog before I took it down, and the information in it I didn't want to go to waste. So I've reposted it here:
akibako <nobody@nowhere.com> (unregistered) wrote:

I wholeheartedly agree with your main point. That said -- and I hate to be the one to split hairs -- I would argue that your Japanese citations are inaccurate.



Japanese people have and use credit cards all the time. According to the Bank for International Settlements, the number of Japanese credit card holders is roughly equal to that of Germany, and even exceeds Canada. It *is* true, however, that Japan does not have 'check cards', but this is simply because Japan does not have checks. The vast majority of cards in Japan work the system of automatically deducting the *entire* balance of the credit card once every month.



Getting a credit card just as easy as in the States. I got my first Japanese credit card after filling out a half-page form which took less than 5 minutes. No major form of identification was necessary. I get offers for "pre-approved" credit cards in my mail box every month.



Japanese people bank online constantly. Earlier this year, #2-seated cell phone carrier AU launched a partnership with Tokyo Mitsubishi UFJ Bank to access all of your banking functions over your cell phone, including balance transfers. It's been hugely popular, and other carriers have followed suit. The most profitable bank in Japan in 2004 was Shinsei Bank, which differentiates itself by essentially running an online-banking-only presence. Visiting a branch requires you to interface with your account using a PC, not a bank clerk.



Japanese people buy stuff online constantly. Last year, online sales figures per capita in Japan were only slightly below that of America.



In such a disaster-prone country as Japan, It would be short-sighted to assume that the Japanese government doesn't keep easily-backup-able electronic versions of important documents. My family registry, proof of residency, and marriage certificate are all given to me via a laser-printed document (made official by a number of stamps).



Stamps (hanko, inkan) are just as easy to copy -- if not more so -- as written signatures. Life is made infinitely more difficult for the average person as one usually has a number of these stamps in slight variations in design. They are the antithesis of simplicity. There are no records provided telling you which stamp was used for a given document. I've had documents rejected for not having the "correct" inkan, only to have the company later apologize for incorrect verification. The illusion of security is amplified by the perception among people that hanko/inkan are un-forgeable (password analogy, anyone). It is common practice for a business to accept a document from someone other than the document holder simply because it has the correct hanko. There have been numerous news stories of wives emptying their husband's bank accounts and fleeing the country.



The amount of data I push over my lines every month would *easily* be classified as "excessive use" (many times over). While it might be detected by the ISP, disconnections due to it are unheard of.



I agree with, and appreciate, the crux of your argument completely, but do not think that these specific examples from Japanese society are strong fodder.

Thursday, September 17, 2009

Download without touching a site

Blocked from a specific download? On a pentest and don’t want your IP seen pulling a file? Doing malware analysis and don’t want to directly get a file? Here’s the solution:

http://filecanny.com/

I’m sure you’ll figure out how to use it that best fits your needs.

Getting 3D video working on Dell Mini 10

Really had to find (for me at least):

http://credentiality2.blogspot.com/2009/08/accelerated-video-on-dell-mini-10-with.html

This is THE way to get it working right.

FastStone Capture

This tool jaded me for any other screen capturing. I can’t live without it: (The following link is to the freeware version)
http://www.portablefreeware.com/?id=775

It went to trialware after 5.3 so you can download the version 6.5 at:
http://www.faststone.org/FSCaptureDetail.htm

It’s only 19.95 and adds a lot of features including a Screen Recorder.

Both versions are completely portable.

.htaccess tricks

16 cool htaccess uses that help you get a better grip on it’s use:
http://www.thomsonchemmanoor.com/16-useful-htaccess-tricks-and-hacks-for-web-developers.html

Pentest Console

This was talked about at Security BSides ( by @jcran ), and the video is on the site, but it boils down to a collaboration tool that is super fitted for pentesting.

http://www.pentestconsole.com/

Monday, September 7, 2009

Offline Microsoft Updates

I’m surprised I haven’t added this my links before:

CTUpdate 6.0 - http://www.h-online.com/security/Offline-Update--/features/112953

The USB stick option in 6.0 is sweet (which you could kinda already do if you knew what directory to copy)

Add this thing to a hacked U3 device to make it silently install updates for Windows / Office products makes a really quick update process.