Everything posted by lattera

  1. I forgot to mention in the show that emails about the show can be directed to for now.
  2. So I'm freaking nervous about this episode. It's the first time I've done something like this. I hope you guys enjoy this episode. Let me know what you guys think.
  3. Show Notes:

     Introductions
     Show Overview
     Scheduling/next show information
     News
       - Google Wardriving
       - Hackers Wanted Documentary Leak
       - A new type of phishing attack
       - Froyo and Google TV
     Interview with PurpleJesus
       - How he got into and out of phreaking
       - Current research
     Interview with Livinded
       - Preparing for the administration of oCTF
     Goodbyes and reminders
  4. It's a recorded show. I'll be posting it tomorrow in the Downloads section (I'll provide a link to it in this forum as well). I'm actually doing the final edit right now. I'll be exporting as ogg. Do I have any votes for an mp3 export? If I don't see a significant push for mp3, I'll only do open codecs.
  5. You'll want a full virtualization package. VirtualBox or Xen would suit your needs better. Both are free. If you have decent hardware, I'd run OpenSolaris + xvm + Crossbow. That's what I run at work to simulate two full networks separated by the internet. One network includes all the servers running the services to be attacked. The other network contains the client machines used to attack the trusted network from the outside.
  6. There are ops around. If you want a vhost, ask. Don't sit there and complain about a free service. We don't need that. Thanks.
  7. Yes, I'm being selfish. I'm dedicating a whole thread about none other than yours truly (for those slow people, that means ME!). Nah. I just wanted to share some links about me in case there's any stalkers on this board. Anyways, to the links!

       - my tech blog
       - My google profile, including my recent buzzes
       - News I find interesting that I've shared in Google Reader
       - Public pics I've uploaded to Google Picasa
       - Random vlogs on YouTube

     If you have any other links about me (especially ones I don't know about), feel free to post them.
  8. Medium- and large-size businesses everywhere are victims of countless hacking attempts. Attacks come from those that are curiously, chaotically, and financially motivated. As a security analyst for a successful company which grosses millions of dollars in profit, it is my job to ensure the security and integrity of the network. The company deals with retaining sensitive data for longer periods of time. Thus, preventative measures and proper response measures play a vital role in every aspect of the company.

     We recently had a surprise penetration test. No one in the company (not even me) except the president of the company knew about the penetration test. The test was twofold: to find potential vulnerabilities in our web-based product and to see how the security team (mainly just me) handles a hack attempt.

     The security analyst started out with Nikto, generating thousands upon thousands of 404 errors. We first caught wind of the penetration test because of how loud Nikto is. We quickly firewalled that IP. The attacker then used a proxy and continued attacking. He was able to find valid login credentials after a few brute force attempts.

     We then learned something really important: our intrusion detection methods weren't up to par. We rely on error emails (404 and 500/503) to tell us when an intrusion occurs. After monitoring emails for a while, we only know a handful of things: the IP, the date/time of the attack, and what types of attacks. We don't know if the attacker was successful. After a few hours of research, I was able to gather that the attacker successfully logged in. It really should not have taken hours just to find out if he logged in.

     It was on that day that I fully realized just how important detection is as a method of protection. Instead of looking at data for hours and guessing potential outcomes, proper detection and logging allows the security team to make accurate, timely decisions. Even now, a few days later, I don't know what the attacker accomplished. Without an audit trail, there's no way for me to tell what happened or how.

     Intelligent detection should be a part of every company's security plan. Without it, time is wasted and the chance of being fully compromised is much greater.

     So, to sum up, make detection a part of your security plan. Detection allows your IT department to know what's going on and what actions to take in an efficient, affordable manner. If intrusion detection and logging is not a part of your security strategy, you'll end up doing what I did: spending hours just trying to figure out whether the attacker successfully logged in.

     Originally posted on my tech blog.
  9. They were able to gain access to areas of our web app they weren't supposed to. They didn't gain remote shell/desktop access.
  10. We'll be officially launching BinRev Radio Remix on the 16th of June 2010 to better accommodate the schedules of the participants. We have a mix of old-school kids and newer-school kids in this upcoming episode. Everyone involved is very talented and deserves their respective titles. Stay tuned for more exciting information.
  11. I used to live in a place where deaf people lived. In 2006, I found some old abandoned TTY terminals. I wired them together such that my roommate could type me messages while in a different room. It was a pretty fun project.
  12. Apache has nothing to do with SQL injection. SQL injection is applicable to the web application itself. A good way to test is by hand. Automated tools are loud and will either get you just firewalled off or get you in trouble legally.
  13. You can also use non-blind SQL injection to enumerate servers, services, and other sensitive data.
  14. I know you want full control over your data, but Google's Picasa is actually pretty powerful. You can create private albums and give certain friends, family, etc. the access you want to give them.
  15. I don't agree with the statement. I think we're seeing more criminal activity simply because there's a greater population of criminals. A lot of people I know still hack purely for educational purposes. In fact, that number has grown throughout the years. I think we're just seeing growth is all. As more people use technology, both the market for criminal [mis-]use and innocent educational hacking of that same technology grows.
  16. Yeah, right now our DID options are pay only. Everything has a price that is per channel, per minute. Maybe I should open another poll/thread to discuss our other options. You should just stick to something like fwd or creating a sip/iax account when a person signs up for the show so they can connect. Phreak Phactor isn't worth that kind of money and it will get insanely expensive quickly. Yeah that sounds pretty good. There isn't any point in spending a ton of money on it when you don't really have to. I'd love to see the show come back though, phreak phactor was so epic. Edit: Hey, can someone seed on the phreak phactor torrent? I can only find MP3s up to episode 11 on I'll seed for at least a few weeks once I have a full copy. Sonofa bitch... This is Lunar first off, new ID. Second, I had the rest of the Phreak Phactor Episodes.... but guess what NO ONE WANTED TO HOST THEM, so they are probably gone forever now, unless someone wants to do data recovery on my external hard drive for free, seeing how I lost all my data. I dont wanna pay for data recovery quote if nothing can be fixed. So it's been a year but I will do everything possible to get this shit going. Also Im gonna somehow get the 40 dollars for an episode. 5th anniversary of its death. If you'd like to donate to getting an episode of phreak phactor for the summer special, send money via paypal to and I will make sure we get something going. If it's still 40 dollars, then it should be all we need. Also, wanna add, I wear my bin rev t-shirt all the time proudly, yall should get one too and do the same. Oh and if anyone is in florida, and has some bitch work I can do for a lil bit of cash, I really could use it Ill sick your cheesy unsircumcized dick if I have to. I NEED MONEY. /cry On that note I'd like to make people aware, the paypal money sent for Phreak Phactor will ONLY be used for phreak phactor. Are you authorized to accept payment in behalf of BinRev? 
For all those even thinking about donating, know the person with whom you are dealing. I don't know this guy. Also, please try to keep the language on this forum a bit cleaner than that. I don't care if you choose to swear a bit here and there, but offering blowjobs is not the purpose of this forum.
  17. This would work great until you notice the firewire port built into the motherboard and the BIOS doesn't have an option to disable it.
  18. VirtualBox 3.2.0 Beta 1 was released today. It officially supports running OSX as a guest OS.
  19. One of OpenSolaris's heralding features is a next-gen filesystem called ZFS. Managing ZFS backups could not be easier. All you need to run is zfs snapshot tank/dataset@backup. If you want to replicate or store that snapshot on another machine, you can run zfs send tank/dataset@backup > backup.zfs. I'll be demoing how to use GPG2 to encrypt ZFS backups created with zfs send. Here's the commands I used to do it: So you can see how easy it is to manage and create snapshots and backups of ZFS datasets. I love that the backup files are never stored in plaintext. They're stored encrypted. Originally posted on my tech blog
  20. I might throw in two more 1TB harddrives and do a RAID 5. I might also go AMD Phenom II processor with an NVIDIA chipset, but that's only because I'm an avid AMD fan. Overall it looks pretty good. I have an Antec Nine Hundred and Two case, and I love it. Great choice in case, but it's gonna be one heavy beast. I definitely wouldn't go with an AMD/ATI video card if you plan on using a non-Microsoft OS.
  21. Why wouldn't a hacker run Windows? Isn't it the most popular OS to date? Isn't it another opportunity to learn? Hacking isn't about following the rest of the sheep and hating Microsoft. Hacking is about learning. In fact, I would not consider someone who ignores Windows simply because it's popular to hate a hacker.
  22. I'm thinking this is just a spam thread. His beautifully spammed banner is bigger than his complaint...
  23. So I have an Ubuntu 2010.04 VM in VirtualBox at work set up for vuln-dev and pen testing. I'd like to start doing screencasting to show coworkers how attacks are performed and consequences of vulnerabilities. After unsuccessfully testing xvidcap, recordmydesktop, and VLC, I'm convinced that Linux has crappy (meaning, nonexistent) screencasting support. Has anyone had any success? If so, what's your setup?
  24. I figured out a semi-acceptable solution. I downloaded the trial version of Camtasia, which is for Windows. I can record my left monitor, which has VirtualBox running full-screen. Camtasia costs $300USD, so I'll use the trial for the 30 days I'm allowed then figure out what I want to do.
  25. I currently have Firebug and Tamper Data installed. I generally do everything by hand (hence why only two extensions), but I'm looking to automate my web app vuln-dev setup here at work. Anyone have any recommendations for extensions to install?