Category Archives: security

Hackito Ergo Sum 2015

Hackito Ergo Sum 2015 is being setup one more time! Created by /tmp/lab and for hacking & security passionate researchers, HES 2015 will be the 6th edition of this conference. HES 2015 will take place at Cite des sciences et de l’Industrie (Paris – FR) – October 29th & 30th 2015.

http://2015.hackitoergosum.org/

CryptoParty – Thursday 11th June @ 7pm

TOG is very pleased to announce that we will be holding the 4th Dublin CryptoParty. Doors will be open from 7pm on Thursday the 11th June 2015, and we will stay open as long as people are happy to stay ( within reason ).

CryptoParty attendees request you to respect their privacy and refrain from taking pictures or video unless participants express otherwise. Ask before snapping.

The idea of a CryptoParty is to make everyone more aware of their own on-line privacy and security in this vast inter-connected world that we live in.

We haven’t had one in a while, so we will discuss basics to bring everyone up to speed. Topics can include any of the following:

  • Tor
  • Tails
  • PGP/GnuPG
  • Text Secure / Signal
  • OTR

CryptoParty have a mailing list if you are so inclined. Its an open event, so no need to sign up.

See you on the 11th

Wireless Hacking Workshop – Saturday 27th June 2015 @ 12:30pm

On Saturday 27th June at 12:30pm our very own jester`, Martin Mitchell or @jayester depending on the circles you run in, will be teaching a Wireless Hacking Workshop.

Wireless networks are everywhere. They have been available to many of us for well over 10 years, and it is something most of us rely on daily. Majority of us have a wireless network in our house, and connect to it regularly with our laptop, phone, games console, media player and now even televisions.

In this practical, hands on workshop I will be stepping you through the different wireless network security modes of 802.11 (WiFi), and demonstrating practical attacks against them. This workshop is not intended to teach you to perform malicious tasks on wireless networks, but it is to show you how easy it is, and how dangerous someone can be knowing even the most basic a few commands. This knowledge can also be used to audit wireless networks. This workshop will to make you more aware of the dangers of using a wireless networks with bad or no security enabled.

For this workshop you will need:

  • A laptop that can run a Virtual Machine, or boot into Kali Linux (https://www.kali.org/)
  • A linux install/Virtual Machine with aircrack-ng tools installed or a running Kali Linux installed on Laptop, installed in a Virtual Machine** or or USB/DVD boot
  • A wireless card that can perform injection. Known external USB wireless dongles that support injection are the following : TP-Link WN722N (sold on booking form), Alfa AWUS036NHA, Alfa AWUS036H (not manufactured any more)

For the advanced user, there is an option to use a tablet that is supported and installed with a version of Kali Linux known as NetHunter (https://www.nethunter.com/). While I have used this before, it is entirely up to you to get it installed and working. It takes a lot of time to get this set up, and I will not have time to troubleshoot on the day. I will of course discuss this device on the day. This will still require a USB wireless cause that will support injection, and an OTG adapter. Not recommended for a beginner.

If you prefer not to take part in the practical side, and just want to take notes for your own future practice, no problem, and you certainly will not be the first. You can shoulder surf someone who is taking part. I will be performing all attacks on the projector.

During this course the format is, I will present information on a certain type of attack, demo it, then you will give it a go yourself on the number of wireless networks set up around the building for your attacking pleasure.  Please only attack the wireless networks set up for the course. It will be obvious by the network name. The attacks you will perform during the class, will work out in the real world. I’m trusting you to not attack a wireless network you do not own. So whether this course is to improve  your security auditing ability, satisfy the curious thirst of knowledge or just  want to finally get it working after your own failed attempts, this course if for you.

  • Security technologies and dangers discussed during the course are:
  • Open networks
  • WEP
  • WPA/WPA2
  • WPS
  • WPA Enterprise (RADIUS)

I will also discuss and demo attacks what can be performed on roaming devices, typically laptops and smart devices, and discuss ways of protecting yourself against these types of attacks.

** If you install Kali in a VM, like Virtual Box, you then may need to install the Guest Additions to be able to mount the wireless adapter into Kali to be able to use it. I have done this on OSX, Windows and Linux. Contact me if you need further instructions.

 

Have any questions? Please ask them below

[contact-form-7]

Evening Talk: Secure Yourself Online – Thursday 21st May 2015 @ 7pm

On Thursday 21st at 7pm our very own jester`, Martin Mitchell or @jayester depending on the circles you run in, will be speaking about some best practices of securing yourself on-line :

Whether you are a creator or user of on-line content, knowing how to secure yourself on-line is important. In a world that is becoming more and more digital, we are ever growing our digital footprint. During the talk we will go through a top 10 best security practices, and maybe a few more too boot. It will relevant to you whether your on a laptop, or smart device, getting on-line for work or personal. You only need to be compromised once for an nefarious individual to make for life awkward. Their intention may be for fun or profit, but I will give you the information to protect yourself on-line.

I shall cover a lot but it will touch on passwords, email, encryption, tracking and wireless just to name a few. Aimed at everyone from general viewers of cat videos, those of you that have compromised, to those that would like to become a little bit more paranoid on-line.

Please use the sign up form below. This is do I can track how many to expect on the night. Information submitted though the form will only be used for tracking attendance and a reminder email will be sent a few days before the event.

See you on the 21st.

[contact-form-7]

Privacy Security Talk in TOG – 22nd April @ 7pm – FREE

Dublin is lucky enough to have great speakers pass through town on occasion and on Wednesday the 22nd April 2015, Runa A. Sandvik (@runasand) and Per Thorsheim (@thorsheim) have kindly offered to speak in TOG from 7pm. The format for the evening is a general meet and greet, but both speakers have offered to give a presentation on a topic of their choice.

Anyone one interested in privacy, security, journalism, Tor and/or has previously attended a CryptoParty would be wise to attend. Doors are from 7pm and bring any projects with you you would like to share with other attendees. This is a free event, open to the public and no need to book. See you Wednesday.

Runa A. Sandvik is an independent privacy and security researcher, working at the intersection of technology, law and policy. She contributes to The Tor Project, writes for Forbes, and is a technical advisor to both the Freedom of the Press Foundation and the TrueCrypt Audit project.

Per Thorsheim as founder/organizer of PasswordsCon.org, his topic of choice is of course passwords, but in a much bigger context than most people imagine. Passwords, pins, biometrics, 2-factor authentication, security/usability and all the way into surveillance and protecting your health, kids and life itself.

Open Dag 28 Maart

Op 28 Maart is er weer de nationale open hackerspace dag waaraan TkkrLab ook mee doet.

Van 11:00 tot 17:00 (en eventueel later) zullen we deze dag laten zien wat we in onze space doen.

Tijdens de open dag laten we o.a. zien :

  • Workshops Arduino en Solderen
  • Projecten met Arduino en andere microcontrollers zoals:
  • Prusa i2 3D printer
  • Speel retro spelletjes op onze arcadekast, Holborn 6110, Amiga en C64
  • Voorlichting over ethisch hacken, (internet) privacy, etc.

Mocht je op de open dag niet kunnen? Geen probleem we hebben iedere dinsdagavond vanaf 19:00 open inloopavond, je ben van harte welkom om dan een keertje te komen kijken.

Aanmelden is niet nodig, het wordt vaak wel op prijs gesteld als pers zich vooraf meldt.

Voor meer informatie zie op onze wiki.

The 30c3 Security-Track

German version below.

This year, in order to better align the workload with the actual expertise of the reviewers, several topic-specific teams were formed. (More here.) Security related topics were staffed by a team of three to four core members. Additionally, six reviewers with differing security background were supporting the review.

Since in some cases the content of the actual presentations overlapped with the focus of more than one content team, submissions were shifted back and forth. Most of the overlap occured between Hardware, DiY & Making, and Science & Engineering. Overlaps with Society, Politics & Ethics as well as Art & Beauty were also present, but were far less common.

Altogether, approximately 130 hours were allocated for presentations among the entire content-team of the 30c3. 30 hours from this pool were specifically allocated for the security track and further split into 30 and 60 minute slots. In the end, the security content track received additional timeslots and accumulated 31 hours of content in total. We initially received a collection of around 100 submissions, which is roughly a third of all submissions.

While filtering content, we initially focused on reverse engineering of software and protocols, cryptography, and hardware & embedded security-related topics. Fortunately, a large portion of the submissions fell into these categories so that we were not forced to reconsider this focus. The majority of the submissions covered contemporary IT security related issues and current developments, which have yet to receive sufficient public attention.

In the end, we tried to find a balance between various current and imporant security issues. In cases where multiple submissions covering a particular topic were received, the team made a conscious decision in favor of one particular talk to avoid redundancy. This also involved some difficult decisions pertaining to presentations covering unique, novel, or noteworthy topics.

Ultimately, the available time slots are limited. This resulted in recommending that talks instead be resubmitted at a later date or encouraging that they be presented as a lightning talk. In several cases requiring interaction with the audience or a hands-on approach, a workshop format was proposed instead.

In the coming days, the security track team will continue to publish a number of blog posts to highlight a few outstanding submissions from each of the three topic areas of the upcoming security track. Spoiler alert!

30c3 logo

In diesem Jahr wurden themenspezifische Content-Teams gebildet, um die Arbeitslast besser auf die Expertise mehrerer Reviewer zu verteilen. (Mehr dazu hier.) Das Team, das sich um die Security-Themen kümmerte, bestand im Kern aus drei bis vier Leuten. Dazu gehörte ein sechsköpfiges Reviewer-Team aus unterschiedlichen Fachbereichen.

Da es oftmals Überschneidungen mit den inhaltlichen Schwerpunkten anderer Teams gab, mußten hin und wieder Einreichungen hin- und hergeschoben werden. Die meisten Überschneidungen gab es mit den Teams Hardware, DIY & Making sowie Science & Engineering. Manche unserer Einreichungen wurden am Ende dort plaziert bzw. von anderen Teams entschieden. Weniger Überschneidungen gab es mit den anderen zwei Teams, Society, Politics & Ethics sowie Art & Beauty.

Insgesamt standen dem gesamten Content-Team fast 130 Stunden für die Vergabe von Slots für Vorträge, Entertainment und CCC-Themen zur Verfügung. Der Security-Track erhielt ein Kontingent von dreißig Stunden, die in ein- und halbstündige Slots aufgeteilt wurden. Mit einem “Notsitz” kamen wir schlußendlich auf etwa 31 Stunden. Etwas mehr als einhundert Einreichungen wurden dem Security-Track anfangs zugeordnet. Das entspricht etwa einem Drittel aller Einreichungen.

Thematisch wurde zu Beginn grob vorsortiert und ein Fokus auf die Themen Hardware & Embedded Security, Reverse-Engineering von Software und Protokollen sowie Erhellendes aus der Kryptographie gelegt. Glücklicherweise entsprach das Gros der hundert Einreichungen den gewünschten Schwerpunkten, so daß wir nicht gezwungen waren, an unseren inhaltlichen Erwartungen zu drehen. Der Großteil der Einreichungen deckte sehr zeitgemäße und vor allen Dingen auch aktuelle Entwicklungen ab, die bislang noch nicht oder nicht allzuoft in der Öffentlichkeit thematisiert wurden.

Somit haben wir in einer ersten Vorauswahl nach Ende der Deadline bereits die Einreichungen auf die Seite gelegt, die nicht zu unserem Themenschwerpunkt paßten. Letztlich haben wir versucht, eine Balance zwischen den verschiedenen aktuellen Themen zu finden. Gab es mehrere Einreichungen zu einem ähnlichen Thema, hat das Team darüber debattiert, wer den Zuschlag bekommt und wer nicht. Schwieriger war es am Ende, die Entscheidung über all die Einreichungen zu treffen, die thematisch einmalig waren und wo also jedes Thema aktuell und erwähnenswert ist.

Da die Zeit jedoch begrenzt ist, mußten wir leider viel zu viele Einreicher auf das nächste Jahr vertrösten oder haben sie motiviert, einen Lightning-Talk zu halten. In Fällen, wo eine gewisse Interaktion mit dem Publikum ohnehin angemessen wäre, schlugen wir die Organisation von Workshops vor, die allerdings nicht der Auswahl und der Organisation durch das Content-Team unterliegen.

Das Security-Content-Team wird in den kommenden Tagen eine Reihe von Blogpostings veröffentlichen, in denen jeweils aus einem der drei Themen-Schwerpunkte ein paar Highlights der angenommenen Vorträge präsentiert werden. Spoiler Alert!

HITB CTF Crew is Expanding

The new HITB CTF crew is looking for new talent, particularly challenge writers and web developers. If you have skills in reverse engineering, bug hunting, and exploit writing (no script kiddies claiming to be “hackers” please) or if you have elite web development skills (python, php, bash, mysql, etc), No script kiddies or wanna-be “HACKERS”! You mad? Got skillz? Drop an e-mail to CTF Crews to ctfi...@hackinthebox.org

Cryptoparty #2 – November 30th

A second Cryptoparty will be happening in 091 Labs on November 30th from 7pm! Cryptoparties are happening all over the world. These free events are for people who are interested in encryption so they can come and learn more about basic Crypto programs and the concepts behind their operation. You can check out more info [...]