April 20th, 2014

netcat in the hat

If you’re not familiar with The Ethical Hacker Network, you should check it out; it has a decent amount of good content for the aspiring hacker. Among other things, they have new security news and tutorials, but probably the most interesting is the challenges that they post every other month or so. I found the latest challenge entertaining, so I thought I would forward it on. The challenge is in the form of a Dr. Seuss-like poem titled netcat in the hat. If you are a winner in one of the categories for the challenge, you get an autographed copy of Counter Hack Reloaded.

hacked hacking competition

A hacking contest that promised $100,000 as first prize appears to have been weighted so heavily against competitors that some decided to hack the competition rather than the target server.

Some contestants got frustrated with what they thought was a rigged contest, and decided to go after the registration server instead of the target machines. The contest organizers now say that the original system, which everyone was using as the focus for the contest, was really just a decoy honeypot designed to track what each of the hackers was doing, and from where. They also reduced the prize money to almost a tenth of the original offering. There was no real winner to the contest, but they did award 5 prizes to “outstanding competitors”.

Collegiate Cyber Defense Competition

A group of schools got together and through the Center for Infrastructure Assurance and Security formed a new capture the flag competition that sounds very similar to the defcon CTF game. By 2008 they hope to have a governing body with national tournaments. Apparently the first round had four colleges and an all-star team from five U.S. military academies.

The two tournaments mark a turning point for cybersecurity competitions from the mostly amateur affairs of the past to exercises throwing student, government and corporate competitors into the arena against each other. The competitions give students and professionals the opportunity to get hands-on experience responding to attacks, without serious consequences.

Here are the Rules for the game, and the national winner for 2006.

(Link from SecurityFocus)

interz0ne weekend

Some of the MRL gang will be out at interz0ne in Atlanta this weekend, so look us up if you’re around.  Some of us will be wearing the new MRL shirts, or competing with the new MRL team in CTF (put on by kenshoto).  Also, look for Jason’s talk on Saturday night. =)

See you there!

Shmoocon ’06

Just checking in after meeting up at Shmoocon this year. The conference was good, especially considering that it’s only a second-year con. Attendance was sold out at 800 people, and the additional tickets on eBay were getting pretty expensive.

Highlights include:

Chilling with MRL people

We couldn’t seem to get all the slackers in the same room, but I was able to meet some people that were previously “virtual only”. Thanks to Focus for putting me up at his place, and showing me around. =)

Kaminsky is always a lark

Most of this talk was “the same-old”, but he also spoke a bit about network visualization with his new tool “xovi”.

Raw Fake AP, and Raw Glue AP and ??

I missed this talk by the guys at France Telecom, but heard about some new tools that were released. Raw Fake AP is a newer version of Fake AP that eliminates the obvious fingerprinting so it’s harder to find the “real” AP in the noise. Glue AP sounds pretty cool too. It listens for the broadcast SSID request sent out when certain client cards start searching for a network. Glue AP then emulates whatever the card is looking for, and in some cases, the client will auto-join that network.

“Mystery tool” — I still want to know what this one was, =). I’ve emailed them to try to get their slides; it doesn’t look like they’re posted yet on the shmoocon site.
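From the defender's side, an AP that emulates whatever clients probe for leaves a recognizable trace: one responder answering probes for many unrelated network names. The sketch below is an added example, not code from the talk or from the Glue AP authors; it assumes the emulating AP answers from a single BSSID, and the frame tuples, MAC addresses and the `find_ssid_echoers` helper are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample capture: (time_s, frame_type, source_mac, ssid).
# For probe_resp frames the source MAC is the responding BSSID.
SAMPLE_FRAMES = [
    (0.00, "probe_req",  "00:11:22:aa:aa:01", "HomeNet"),
    (0.01, "probe_resp", "02:00:00:00:00:99", "HomeNet"),
    (1.20, "probe_req",  "00:11:22:aa:aa:02", "CoffeeShop"),
    (1.21, "probe_resp", "02:00:00:00:00:99", "CoffeeShop"),
    (2.50, "probe_req",  "00:11:22:aa:aa:03", "CorpWLAN"),
    (2.51, "probe_resp", "02:00:00:00:00:99", "CorpWLAN"),
    (2.52, "probe_resp", "00:aa:bb:cc:dd:01", "CorpWLAN"),  # the real AP
    (3.00, "probe_req",  "00:11:22:aa:aa:01", "HomeNet"),
    (3.01, "probe_resp", "02:00:00:00:00:99", "HomeNet"),
    (4.00, "probe_resp", "00:aa:bb:cc:dd:01", "CorpWLAN"),  # no recent probe
]


def find_ssid_echoers(frames, min_ssids=3, window_s=0.5):
    """Return {bssid: sorted SSIDs} for responders that answered directed
    probes for at least min_ssids different network names.

    A normal AP answers only for the network(s) it serves; a responder that
    echoes every name clients ask for accumulates many SSIDs on one BSSID.
    """
    last_probe = {}             # ssid -> time of the latest directed probe
    echoed = defaultdict(set)   # bssid -> SSIDs answered right after a probe
    for ts, kind, mac, ssid in sorted(frames):
        if not ssid:            # wildcard probes name no network; skip them
            continue
        if kind == "probe_req":
            last_probe[ssid] = ts
        elif kind == "probe_resp":
            asked = last_probe.get(ssid)
            if asked is not None and ts - asked <= window_s:
                echoed[mac].add(ssid)
    return {b: sorted(s) for b, s in echoed.items() if len(s) >= min_ssids}


if __name__ == "__main__":
    for bssid, ssids in find_ssid_echoers(SAMPLE_FRAMES).items():
        print(f"{bssid} answered probes for {len(ssids)} networks: {ssids}")
```

The threshold and time window are tuning knobs; a site that legitimately serves several SSIDs from one BSSID would need a higher `min_ssids` or an allow-list.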

H1kari and “cardbus bus-mastering: owning the laptop”:

This was interesting and informational, though unfortunately the demo part was eighty-six’d at the last minute. Instead David [someone?] spoke about weaknesses in USB, and the bottom line was that you could write directly into memory and own a system simply by plugging in a USB device. I’m still interested in H1kari’s company’s FPGA “on a stick” though, hopefully they’re not too expensive when they come out.

RenderMan (and others) and pre-hashed WPA passwords

‘genpmk’ (or maybe jdumas??) is supposedly a new tool for doing this kind of thing. Church of wifi has more details.

Oh, and by the way, all you Windows weenies now have Kismet for Windows.

Getting kicked out of the “mafia room” at the shmoocon party by famous Persian pop singers

Ok, we weren’t kicked out so much as edged out, but it took a little investigation to determine who the VIPs were. Their entourage was pretty intimidating too. The whole thing was a little surreal. I definitely had a little bit of “chest hair and over-sized sunglasses envy”.

An internet enabled arcade style crane

Somehow connecting random objects and making them either “internet enabled”, or “USB-powered” is always cool.

The .torrents of the talks and slides are supposed to be posted soon. Someone post a comment if they see this before I do and I’ll update the post.

interz0ne update

Just a quick update to mention how great Interzone was this year. MRL’s Jason gave a really good talk on Combat Reverse Engineering. He gave some insightful tips, tricks and tools for competitive hacking, and outlined a methodology for how to approach the “combat” scenarios you can find yourself in during a competition.

The only negative thing about the weekend was that Jason and I found out that we would not be able to compete in the rootwars competition because of our involvement in a previous competition. It ended up working out well though, I won the wireless competition, and Jason mentored the other people that were competing. There wasn’t too much competition, but I think that everyone had fun and learned some things. I was just glad I had a chance to break out the wireless gear, =).

Once again I’ll say that, if you’ve never been, you definitely need to check it out next year. And thanks again to Richard for hooking us up.
