tmacuk

Disaster Protocol – Episode 11 released

by tmac on Jul.21, 2010, under Uncategorized


upSploit – Press Release

by tmac on Jul.01, 2010, under Personal, Projects

What is upSploit?

upSploit is a free service to the IT security industry that enables vulnerability and exploit advisories to be distributed easily between the founder, the vendor and other security professionals. This Vulnerability Advisory Gateway (VAG) should break down the barriers that stop security researchers and professionals passing details of vulnerabilities to vendors, by providing a structured, easy-to-follow process.

How does upSploit work?

upSploit consists of two sections. The first is public where you can search and view published advisories and also read more information about the project. The second is for the registered members where they will be able to either upload their existing advisory or, if unsure how to write one, can automatically generate an advisory by using our online advisory wizard form.

Once these details have been uploaded, upSploit then automatically passes the information on to the correct vendor and arranges for a patch to be released.

Once this occurs the user can then choose which mailing lists and databases to submit their advisories to.

Why use upSploit?

With a number of disclosure options available to the security professional, we are trying to create a process that provides a natural balance for both vendor and security researcher.

It should be a place where vendor and security professional are equal, which is why we have put together a responsible disclosure policy. We will contact the vendor a number of times over a set period to try and arrange a patch date and then publish the advisory. If this time is exceeded we will then publish the advisory to the community, although this circumstance is decided on a case-by-case basis.

We have given the security professional the control to decide where each of their advisories is sent. If the user doesn’t want to upload to a particular mailing list or database then they don’t have to, and if they want an advisory to be anonymous it will not show up in their public profile.

How is this different to any other database or mailing list?

The service isn’t just a database. It provides the user with so much more. The main point of upSploit is that it distributes the advisory to the vendor and to other databases and mailing lists. It does the job that would otherwise take the user hours to do themselves. After the advisory has been published we will then show all of our advisories in the usual manner for future analysis and historical reference.

Dates for the calendar

There are three stages to the upSploit development plan and the dates are as follows:

19th July – 2 August 2010 –> Alpha Stage

2nd August – 6 September 2010 –> Beta Stage

6th September 2010 –> Version 1

These dates are not set in stone, however they are not likely to change.

We are now opening our doors to three types of people, listed below:

Alpha Testers

Beta Testers

Sponsors

Alpha Testers are needed to find vulnerabilities and bugs within the service i.e. we are looking for web application assessments and testing.

Beta Testers are needed to actually use the service i.e. we need people who are actively finding vulnerabilities and exploits and contacting vendors.

Sponsors are needed to help support the development of the project. The hope is that upSploit is going to be used by a lot of people, and by sponsoring upSploit your logo will be found on the main page, attracting views from those people.

To apply as any or all of the above please email the upSploit team at info@upsploit.com with your name and information on why you want to be an alpha/beta tester or sponsor.

Thomas Mackenzie & Duncan Alderson


upSploit

by tmac on Jun.11, 2010, under Conferences, Interviews, Personal, Projects

As some of you may have seen on Twitter I have been working on a new project this summer called upSploit. I am due to be giving a lightning talk at BruCON 2010 about the project and hopefully will be talking at AppSEC Ireland in September about it too CFP permitting.

The project is my brainchild and the beta version (date of which will be announced early next month) is due the hard work of both myself and Duncan Alderson – @Webantix.

Without revealing any information now, I hope to get you readers on edge for what is going to be a great project to work on in the future and something I hope will help a lot of people.

The official announcement is going to be given on the 1st July 2010, both with a number of blog posts describing the service and hopefully a couple of interviews on some better known security podcasts. Please keep your eye on my blog for more information about upSploit, and if you want to get involved once the announcement has been made contact us at info [AT] upsploit [DOT] com

[Image: upSploit – the beta logo]

Getting Motivated

by tmac on May.17, 2010, under Personal

It isn’t that I cannot get motivated, in fact I pride myself on being very motivated. The problem I have is letting other things get in the way of my productivity. The two biggest problems I have are Twitter and Email.

Starting with Twitter, I am addicted. I have to be on all the time, checking what everyone is tweeting, tweeting back. Just keeping in the scene really. The problem here is that I can be writing a report/essay/reply to an important email and when I get a pop up on TweetDeck I will abandon it, reply to my tweet and then forget exactly what I was thinking. This is why from now on I will not be using any Twitter app on my computer, just the web front end. I will make sure that the tab doesn’t stay open and that I check Twitter on a timed basis instead of being constantly online. I hope that in doing this my reports and essays are going to be better and I don’t have to redo them.

Emails. I have two email accounts that get mail sent to them (I do have more, but my mail gets forwarded to these two accounts). I use Thunderbird to check my email and have it updating every minute, which means constant emails coming through over and over again. Just like Twitter, when I get an email I cannot resist but read and then reply. I pride myself on being a quick replier to an email :) however my productivity is going down because of it. From now on all my email will again be web based, and it will be checked on a timed basis just like Twitter.

I hope that this will help me be more productive and in turn boost my motivation. This is just the beginning of a series of posts I am going to do on productivity whilst I read Getting Things Done.

Cheers


Projects

by tmac on May.14, 2010, under Personal, Projects

So it has been a while again since I last posted, but that’s with good reason. I have had a couple of exams today, one of which I am sure I passed haha, I have been spending a lot more time at work and I have been spending some time on some projects which I am going to speak to you about now.

SHITcast

SHITcast stands for the Student Hacker Information Podcast and I co-host the podcast with a fellow student, Matthew Hughes. The show has become quite well liked with students over in America and we had 50 downloads in less than 24 hours of the last release :) The podcast, although not very well thought out beforehand, does take time out of the day but is something I am really happy doing, it is really fun.

I would like to give a shout to Duncan Alderson/@webantix who built the website found at http://www.shitcast.co.uk, so thank you very much.

Self Promotion

Even though I have a great and stable job over at RandomStorm it is always good to get your own name out there, and that is why (hopefully) soon, again with the help of Duncan, I will be releasing a new website that is an introduction about myself with links to all of my social networking and “information security stuff”. It is always great to plan for your future and this is something that is hopefully going to help me. As for self promotion, please add me on your LinkedIn account at http://uk.linkedin.com/in/thomasmackenzie1991

Reading

Now I don’t want you all to think I am some machine, so I do take time out of my day to read, in fact too much time. I recently read two books by Peter V. Brett called The Painted Man and The Desert Spear – both of which are amazing. I am currently starting Lord of The Rings as that is one book I have never had the chance of reading. I recently bought The Ambassador’s Mission by my favourite author Trudi Canavan which I am saving for my holiday to Tenerife in June. I also have just bought a book that my boss has built an entire website around called Getting Things Done by David Allen. It is a book about productivity and such like, so I am excited to get my teeth stuck into this tonight :)

Travelling

A few posts ago I talked about my travels and here is an update:

June – 10 days – Tenerife with some friends from College

July – 7 days – Turkey, all inclusive, with my Girlfriend

September – BRUcon 2010 in Brussels and maybe APPsec in Ireland too.


Facebook API changes

by tmac on Apr.25, 2010, under Projects

Last week, after watching the keynote speech by Mark Zuckerberg, I have been really interested in new concepts for abusing the Facebook API.

My interest in the API all started at the beginning of TRACsec when Arron Finnon did a tech segment on this very subject. I was astounded by what you could do with an application that Facebook themselves have created and it drew me into writing a report for University on the subject. If you wish to read the report, leave me a comment.

So these new changes, what have they added? Well first of all everything is becoming more “open” (excuse the pun). Open Graph has been released and has made the API abuse a lot easier. By simply typing in http://graph.facebook.com/(username or ID) you can get information on that account. You can then add directories onto the end of this, so for example http://graph.facebook.com/(username or ID)/friends, and if they have the right privacy setting/if you have an API key you can start enumerating people’s friends etc – there are a bunch of other calls that you can make too, just search Google for them, they are there.

One thing that Facebook had when I first started messing about with the API was the rule that you couldn’t hold any information for more than 24 hours. Well, this rule has been dropped. So officially, although there is probably some extra rule against this, you can get information on people using the API and then store that information for future use. “What would you want to use the information for” a lot of people say to me, or “so what, you can get my name”. What some people don’t know is that I used to work in sales at CPP in York. Here I was one of the top agents selling identity theft protection insurance, and if I had known about this back then I would have used these techniques to tell my customers about what criminals can do to gather information.

Along with Open Graph you also have all the compatibilities with other websites across the internet. Imagine your personal Facebook page is interacting with countless websites, maybe even without you knowing if you save your credentials in the browser. For example, if you have your Facebook page open to the Open Graph and new features you could be sending out your personal details, friends etc. to this webpage.

Do you want to see what information you are giving out through Facebook – take a look here – http://zesty.ca/facebook/

Scary isn’t it? I must admit that most of what I have said here is not very technical but is coming from the eyes of someone who likes to have their privacy online. For a more technical insight into Facebook take a look here http://theharmonyguy.com/

Cheers,

Thomas Mackenzie


Ubuntu PE – A Review

by tmac on Apr.24, 2010, under Hacks, Linux, Projects

For a while now I have been trying to find ways in which I can have my pen-testing computer and personal computer together. At the end of the day, as long as my work reports and test results are encrypted, and I am not doing anything stupid in my personal time on the computer, why not have them together?

I currently have two working computers. I have my laptop, which I use most of the time as it is (at the moment) the best machine I own. I also have a very old computer that was built when I was about 13. The laptop is currently running Ubuntu 9.10 (although as soon as the upgrade to 10.10 is made public I will definitely be off this) and the computer was running BackTrack.

BackTrack is a great pen-testing distribution, it does exactly what it is supposed to do. However, as a personal opinion and as someone who is really used to the GNOME interface and just Ubuntu as a whole, I prefer Ubuntu. I have been trying for a while (and not succeeding) to create my own personal distro, based on Ubuntu Minimal, on which I can install all the tools that I need. At first it seemed like a great idea, but the time quickly came upon me and with Uni and work commitments I found myself having to throw the project to the side onto a very high pile.

That was until however I saw a post on Twitter mentioning Ubuntu Pen-Testing Edition. I quickly jumped on to the website at which point I found out that they were changing to a new dedicated website and the download wasn’t going to be available till tomorrow. Let me please point out however that the lead developer of this project, Vitomir Margetic, has been so helpful right from the start of my life with the distribution – every email I have sent has been answered with the utmost quickness and respect, so thank you.

After some server issues when it first came up I finally got it downloaded and installed into a virtual machine – which, if you’re planning on doing, make sure you allocate at least 1 GB of RAM or more. As soon as it was installed I knew I was at home. Ubuntu PE was everything I liked about Ubuntu and BackTrack all in one. Ubuntu – because I knew how to get everything working exactly how I wanted it, i.e. Adobe Air, sound, PlayOnLinux etc, and BackTrack – because I used it in my pen-testing for work that evening and I wasn’t a tool short, that night anyway.

There are a large number of tools within Ubuntu PE that I must admit are also within BackTrack, however there are other tools in there that are not. Then on the other hand there are parts of Ubuntu PE that I would want to change.

First of all, I installed it because I liked the GNOME interface, the one bar at the bottom and the other at the top; that wasn’t there. It was a GNOME interface alright, but it looked like a copy of KDE, just the one bar at the bottom type thing. That was changed straight away. Secondly, there are tools I have installed on my computer that I use for testing that were not installed. An example of this is the screenshot taker Shutter, which if I am honest I couldn’t live without, so take a look.

All in all it is much simpler. Which, to be fair, is exactly what Ubuntu was designed for: somebody who is new to Linux (in my opinion anyway). The argument you have here is whether somebody who needs something simple should be using the hacking tools that are included in both of these distros. If they struggle with BT, should they not really be thinking “is this the distro for me?” I think it all comes down to how you want to use your pen-testing machine. Do you want a machine that you can use for everyday use as well, or do you want a machine just for your work? In my personal opinion the more things I can bunch together the better; this way I can use my other computer as a vulnerable machine to test my tools on.

I am moving away from Ubuntu soon, primarily because I think I am ready to move on to a harder distro so that I can learn more things about Linux itself, but secondly because of the way Ubuntu is changing – especially the new memory storage in version 10.10. So as for using this as my main system I would have to say no. However, over BackTrack I will use this. It is new, easier and quicker to get going with and it does the job that I need it to do. I know you all may think all you need is the terminal window, but when you’re writing reports and taking screenshots it’s always better to have a look at something graphical than just text; and because I know my way around Ubuntu so well now and I can edit it the way I like, i.e. RandomStorm logo on the bars etc., it works better for me.

This review wasn’t a dig at either community, just my personal opinion.

If you would like to download Ubuntu PE please visit – http://www.netinfinity.org/

There are new features being developed as I am typing this review; I have some new found friends in Dundee that are getting involved with creating and making this a better distro for pen testers to use. A repository is currently being created so that you can port all the tools into an already existing Ubuntu setup – again, something you can do with BackTrack, but without having to read countless guides on how to do it.

Thanks -
Thomas MacKenzie


Dundee Talk

by tmac on Apr.09, 2010, under Conferences, Guest speakers, Interviews, Personal, Projects

Last night I performed a new talk that I have been working on called, Web Application Security using DVWA.

The aim of the talk was to get the audience familiar with the DVWA project and how it can be used not to learn how to exploit, but to learn how to stop attackers compromising the web application.

The talk consisted of three parts. I talked about myself slightly and introduced what I do. I then went on to talk about the DVWA project: what it is, what is happening to it, what it does, how it works and who created it. Then finally I talked about the command execution vulnerability and reflected cross site scripting, and how the low, medium and high security levels can help a web developer secure the web app and understand how applications can be vulnerable to attack.

There were some good questions asked at the end and thankfully I could answer them all.

All in all I thought the talk went really well, there are a few things that I need to tweak slightly for future talks but apart from that I now have my first talk that I can give at other conferences/user groups. So if anyone is reading this and would like to hear the talk at their conference or user group drop me a tweet @tmacuk or an email at tmac<—@—>tmacuk.co.uk and we can arrange me coming and giving the talk.

The talk was recorded and I will upload it as soon as possible.

Cheers,


Update/Apologies/Travels

by tmac on Mar.28, 2010, under Conferences, Guest speakers, Personal, Projects

Preamble

First of all, please allow me to apologize for my lack of updates to the blog. I have been super busy; what with work/university/small projects I haven’t had time to think about anything else.

The aim of this post is to hopefully let you know what I have been up to, what I am getting up to soon and my plans for the future up until September. After this blog post, I will aim to get a more technical one released by Friday at the latest.

RandomStorm

Back on the 23rd of February I posted this blog post http://tmacuk.co.uk/?p=204. I started work on the 1st of March and have been super busy with work. It has been a great first month, I have really enjoyed myself. The company is amazing, always there to give you a hand when you need it, and the employees are just as great. So thanks guys for a great first month, and I am looking forward to next month, after my exams, when I can begin to work full time over the summer.

University

So recently University has got a whole lot harder. I have an assignment due in on Wednesday for Networking Technology, an assignment in which we have to compare the results of a wired and a wireless network, both simulated and real life. The problem isn’t comparing the results, or even creating these networks, the problem is the simulation package. The university has apparently spent 100k on a piece of software named ITGURU. ITGURU is shit. Well actually, let me rephrase that: ITGURU is good, if we were told how to use it. I feel at the moment we have just been chucked the software and told “there you go, make me something at the end of the month”. It isn’t just me, the class is feeling the strain; the problem is that we cannot ask for an extension because it is the end of term!

I also have another two assignments due in for the end of April, which seems stupid as we break up for Easter on Thursday. We come back for a week at the end of April, and then that is it, unless we have exams. ONE WEEK where I have to go into University, when instead I could be earning myself some money for the places I am planning on going, which I will talk about next.

Traveling/Conferences

  • So starting from this month up until September it looks like I will be getting over my fear of flying. I am planning on going to a few local meetings and then starting to branch out from the 16th of April.
  • Tomorrow I will be attending SuperMondays http://www.supermondays.org – here John Lunn from PayPal will be coming to talk about mobile payments. John has worked within fraud systems for over 15 years and I hope to be learning some things about the security PayPal incorporate into their mobile payment systems.
  • I will be spending a week with my girlfriend in the Peak District (where she lives) from the 1st April.
  • On April 8th I will be heading to Dundee to go and speak at a LUG and possibly at the University, but that is still being decided. More information further down.
  • On the 16th of April I will be flying out to Dublin, Ireland. I am going to the LiveCD training there.

“This CD collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This presentation aims to provide a showcase for the great OWASP tools and documentation materials available in the CD, tips and tricks, and also some introductory stuff regarding code review and penetration testing. Training is aimed at introductory/intermediate level in terms of pen testing, code review and tools.”

  • On April 21st I will be attending NEBytes http://www.nebytes.net/ for a presentation on Office 2010 and SQL injection attacks and defense.
  • I may be heading off to London on the 28th/29th of April for the last day of InfoSec http://www.infosec.co.uk/, that all really depends if work say it is worth me going.
  • Hopefully sometime in between this and the next con I will be going away somewhere Spanish with my girlfriend.

Projects

So recently I have been spending a lot more time on DVWA, for reasons that follow below. In fact today I found a small bug in one of the vulnerabilities and fixed it, and that fix will be released in the next version. I have also, with the help of Robin Wood, written a sign up script for DVWA, which Ryan and myself are discussing as a possible addition as a vulnerability.

I have been working a lot on TRACsec recently, with yesterday being a great interview with Janis Sharp – Gary McKinnon’s mother.

Speaking

As mentioned above, I will be traveling up to Dundee on the 8th April to go and speak at a LUG. My talk is called Web Application Security using DVWA and contains the following:

“Web Application Security with DVWA – Thomas MacKenzie

The talk is going to consist of three sections.

The first section is going to be a brief introduction about myself, my background and how I first got into this line of work.

The second section is going to look at DVWA, which is an open source web application created by Ryan Dewhurst and has been recently acquired by RandomStorm LTD. DVWA stands for Damn Vulnerable Web Application and was created as an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications and to aid teachers/students to teach/learn web application security in a classroom environment.

The third section is going to look at specific web application vulnerabilities i.e. SQL Injection and Cross Site Scripting, how they work and how they can be prevented. DVWA incorporates a high security level which will be used here to present what security should be in place in that particular environment.”

I may be giving a similar talk at Abertay Dundee University to the third year students, however as said above this is still being decided.

If anyone is interested in hearing the talk, or would like me to do the same talk somewhere drop me an email at tmac<~~@~~>tmacuk.co.uk

Cheers

tmAcUK

p.s. if someone can suggest somewhere else to travel to for a con etc. that is relatively cheap, let me know.

SHITcast: Episode One

by tmac on Mar.12, 2010, under Personal, Projects

Matthew Hughes here! Me and Tom made a podcast that lives up to its name! It’s called SHITcast. It’s Creative Commons licensed and it features banter about life at university and tech news. You can check it out at my respective blog, here.

Also, many thanks to @rcassidy from twitter, who let me use his bandwidth and space whilst my university internet was playing up. You’re a gent!

Matthew Hughes
