February 8th, 2010

MRL challenge coin

This post is long overdue since we’ve had these for at least a couple of months now, but I definitely wanted to give props to Jeremy for hooking us up with some cool MRL coins that he had created. He has a pretty good blog post on the process of how he created them. He also included a small QR code tag in the design. If you’re an MRLB member, hit me up, and I’ll give you one if you don’t have one already (as inventory allows).

Jeremy also has lots of other interesting laser/robotics/art/music projects on his site (who doesn’t love laser bacon), so check it out. Also, if you like his work, or you’re feeling generous, consider donating or buying one of his Jansen walker robot kits. Especially since he just fried his laser’s power supply.

Here are some pictures of the process:

NAISG presentation

If you’re around Boston this Thursday night, definitely check out this interesting presentation from Zach at the Boston NAISG (National Information Security Group) on “Disclosure Samsara” or “The Endless Responsible Vulnerability Disclosure Debate”. This is the official meeting page, and details for the time/location/RSVP can be found there. It will be held at the Microsoft building in Waltham, and chances are there will be some type of MRL caravan, so let us know if you’ll be heading out.

Here’s the full synopsis on the talk:

Vulnerability disclosure can help make software and hardware vendors and service providers accountable for shortcomings in their offerings; and full disclosure can give IT and information security professionals the information they need to validate the resilience and efficacy of their controls. Generally speaking, a happy balance is achieved when vulnerabilities are disclosed in a responsible manner. But what is “responsible?”

It’s been nearly a decade since the introduction of RFPolicy, a document often considered to be the basis for modern, responsible vulnerability disclosure, yet there still remains a significant division between the camps of “full disclosure,” “partial disclosure,” and “zero disclosure.” The “responsible disclosure” debate seems to be an endless cycle, coming back fully reconstituted just when we think it’s run dry.

Lawsuits, gag orders, and boatloads of drama are some of the negative points researchers have dealt with when disclosing a bug or flaw to a vendor. This type of reaction can be very discouraging for a security researcher, possibly resulting in them avoiding communication with the vendor in favor of disclosing it outright or even selling the details to the highest bidder.

With continued, accelerated awareness and discussion, the information security community can work toward solidifying an approach to responsible disclosure that, amongst other things:

* Facilitates interaction between the researcher and vendor or service provider
* Acknowledges the researcher’s work
* Provides adequate protection for the security researcher
* Builds a reasonable timeline and plan for a solution to the bug or flaw and its public disclosure (and keeps parties from stalling)

Zach Lanier is a New England-area security consultant and occasional security researcher. His areas of focus are network and application penetration testing, intrusion analysis, and general hackery. He’s the maintainer of the Security Twits list and one of the co-founders of Midnight Research Labs Boston, a local hackerspace.

Netsec Podcast

Go check out the Network Security Podcast — MRL’s Zach Lanier aka Quine has been doing some extended guest appearances on the show recently. The NetSec podcast, which I’ve been listening to recently, covers general network security and the relevant current news, with insight from some industry veterans. Zach has been in a couple of different episodes and has also helped cover DEF CON and Black Hat, including interviews with the presenters.

Zach’s also been busy working on the new boston.midnightresearch.com site, which will carry other information about the MRLB hacker space as it continues to be developed (more on this to follow). Zach’s posted a few times on this blog, and maybe when he’s not doing other security twit wrangling he’ll have some more time to post :)

MRLB 082709 — Burp suite presentation

Here’s some information on our next MRL Boston meeting coming up this Thursday.

From the meeting announcement:

Start: 2009/08/27 18:30
End: 2009/08/27 20:30
Timezone: America/New York

For our meeting for Thursday, August 27, we’ll *finally* be given the
long-awaited “Burp Suite” presentation by our very own Craig Ingram
(cji). For those of you not familiar with Burp Suite [1], it’s a web
application attack/testing tool consisting of a proxy, spider,
fuzzer/brute forcer, session token analyzer, and more.

Craig will discuss Burp in a bit more detail, give us some tips and
tricks he’s picked up, and demonstrate Burp’s use against a sample web
application.

Hope to see you there!

[1] – http://portswigger.net/suite/

Open Security Foundation Mangle-A-Thon

Midnight Research Labs Boston will be hosting the Open Security Foundation’s inaugural “Mangle-A-Thon” on September 19, 2009. This free event, broken up into two to three sessions, is a great opportunity to learn about and contribute to the Open Source Vulnerability Database (OSVDB), the DataLossDB, and more. As an added bonus, the OSF will be providing food and drinks.

Seats are limited, so register now!

Reposted from n0where.org

Back!

After a hardware failure on our primary server the day after our secondary went away, we’re finally back! I’m hoping that’s the last of the fail for a while :) We’ll still have a couple of infrastructure changes over the next couple of weeks, but the website should hopefully be stable now. Lots of things have been going on in the last month or so, and other new things should start to trickle out over the next few weeks. We’re starting to schedule events at our fledgling hacker space near Boston, and we also have a couple of new tools we hope to release in the near future. Stay tuned and keep hacking.

James Atkinson to speak at Midnight Research Labs Boston on Thursday (June 25, 2009)

(Copied from the MRLB mailing list)

Howdy! I’m pleased to announce that THIS Thursday (June 25) at 6:30 PM,
Midnight Research Labs Boston will have a special guest speaker: Mr.
James Atkinson, who will be giving (if memory serves me correctly) his
“Kill Your Cordless Phone” talk.

***This talk will be announced and open to the general public, and WILL
REQUIRE AN RSVP as space is limited. Given the size and layout of MRLB,
we’ll be doing a bit of re-arranging to accommodate attendees.***

Please RSVP to rsvp001 @ n0where.org

We hope to see you there!

Here’s a brief bio on Mr. Atkinson (more at http://tscm.com/biojma.html):

"""
James M. Atkinson is the President and Senior Engineer of Granite Island
Group – a prestigious veteran-owned company started in 1987 that
specializes in the electronics engineering field. Assuring the
protection of classified, confidential, privileged, or private
information against technical attack, eavesdropping, or exploitation,
Mr. Atkinson has earned the respect of the most public and
private global client base in the industry. Prior to 1987, Mr. Atkinson
served in the military, and had a nationally recognized background as a
computer hardware and software developer.

He is a counter-surveillance expert, communications engineer, security
consultant, and instructor with a reputation for designing and
installing some of the most powerful secure communications systems used
by both government agencies and major corporations. He has designed over
130 electronic and tactical products such as GPS devices, test
instruments, radio equipment, audio products, modified bouchons, HRT
devices, cryptographic equipment, surveillance devices, SIGINT/COMINT
products, and various other devices and systems.
"""

Keyboard Sniffing

We talked about this before, and since it’s a pretty interesting project I thought it would be good to follow up on it. The remote-exploit.org guys (responsible for BackTrack) released a how-to along with source code, a parts list, etc., for their wireless keyboard sniffing project. They don’t have fabricated boards yet, but they’re looking at some options for the future. The hardware is based on a Texas Instruments TRF7900 chip controlled by an ATMEL ATMEGA microcontroller. Here’s the blurb they have on the site:

This opensource hardware and software project enables every person to verify the security level of their own keyboard transmissions, and/or demonstrate the sniffing attacks (for educational purpose only). The hardware itself is designed to be small and versatile; it can be extended to currently undetected/unknown keyboard traffic, and/or hardware extensions, for example, a repeating module or amplifier.

Here’s a video that they posted of the sniffer in use:

Keyboard Sniffer Keykeriki from Max Moser on Vimeo.

SEAT Version 0.3 and Backtrack 4

It is with great excitement that we bring you the latest version of SEAT! SEAT (Search Engine Assessment Tool) is a next-generation information digging application geared toward the needs of security professionals. SEAT uses information stored in search engine databases, cache repositories, and other public resources to scan web sites for potential vulnerabilities. Version 0.3 includes the much-needed Search Engine XML signature update, several performance enhancements, and the fix for the dreaded GUI “segmentation error”.

You can download the latest version of SEAT here. Detailed documentation is available in documentation.pdf. Also, if you are a big fan of Backtrack like me, you can get SEAT preinstalled with the upcoming final release of Backtrack 4.

SEAT v.0.3

TACACS+ password cracking^w auditing

If you’re using the tac_plus implementation of Cisco’s TACACS+ server and want to do password auditing, I’ve written a quick script that takes the config file with all of its users and outputs a John the Ripper compatible password file. You can then run john directly against the generated file.

Here’s an abbreviated example:

$ ./tacacs-passwd-dump.py
usage: ./tacacs-passwd-dump.py <input tacacs file> <output passwd file>

$ ./tacacs-passwd-dump.py tac_plus.cfg tacacs.passwd
[*] Got user [john] [john smith]
[*] Got user [fred] [fred smith]
[*] Imported [2] accounts
[*] Done.

$ john tacacs.passwd
Loaded 2 password hashes with 2 different salts (Traditional DES [128/128 BS SSE2])
lamepassword (foo1)
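For anyone who wants to see how that conversion works, here is a compact version written for this post as an added example (it is not the script above): it walks the user blocks of a tac_plus.cfg, keeps only the `login = des` entries, since cleartext/file/pam logins give john nothing to load, and emits passwd-style lines. The sample config and its DES strings are constructed for the example and are not real credentials.

```python
import re

# Constructed sample tac_plus.cfg; the DES strings are made-up salt+hash values, not real credentials.
SAMPLE_CFG = '''
user = john {
    name = "john smith"   # full name, reported like the script on the page does
    login = des XQj7nkIaaZsr2
    service = exec {
        priv-lvl = 15
    }
}
user = fred {
    name = "fred smith"
    login = des A9r3kQv1LmZpw
}
user = guest {
    login = cleartext "guest"   # not a hash, nothing for john to load
}
'''

USER_RE = re.compile(r'^\s*user\s*=\s*("?)([^"\s{]+)\1\s*\{', re.M)
NAME_RE = re.compile(r'^\s*name\s*=\s*"([^"]*)"', re.M)
DES_RE = re.compile(r'^\s*login\s*=\s*des\s+(\S+)', re.M)
# A '#' starts a comment unless it sits inside a double-quoted value.
COMMENT_RE = re.compile(r'^((?:[^"#\n]|"[^"\n]*")*)#.*$', re.M)

def user_blocks(text):
    """Yield (user, body) per top-level user block; counting braces keeps nested service/cmd blocks inside it."""
    for m in USER_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(2), text[m.end():i - 1]

def extract_accounts(text):
    """Return [(user, name, des_hash)]; users without a DES login hash are skipped."""
    accounts = []
    for user, body in user_blocks(COMMENT_RE.sub(r'\1', text)):
        des = DES_RE.search(body)
        if des:
            name = NAME_RE.search(body)
            accounts.append((user, name.group(1) if name else "", des.group(1)))
    return accounts

def to_passwd_lines(accounts):
    """passwd-style lines for john; the full name lands in the GECOS field, which single mode mines for guesses."""
    return [f"{u}:{h}:::{n}::" for u, n, h in accounts]
```

Write the lines from `to_passwd_lines()` to a file and point john at it exactly as in the session above.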
