Monday, September 30, 2013

Preparing for the SSCP

This Saturday I am taking the Systems Security Certified Practitioner (SSCP) Exam which is pretty much the mini Certified Information Systems Security Professional (CISSP). I was originally going to take the Security+ test, but it ended up my job wouldn't pay for that so instead I ended up with this. Throughout the week I will continue to prepare for the exam and put any useful material I find helpful in preparing as well as update this after I take it to give my perspective on the exam. I have been reading materials and taking practice exams throughout the last month so this is the home stretch for me. Fingers crossed that I'll pass. From what I hear others say about it I hear its a doozy.

***UPDATE***

I passed! Below are some sources that I found helpful. Overall I didn't think it was that tough, but I also have some background in it.

RESOURCES:

ISC2 SSCP Candidate Information Bulletin
This is a handout the ISC2 has of what the exam will be covering. Found it helpful just to review this to match my reading to the area that the exam was going to test on.

SSCP Systems Security Certified Practitioner All-in-One Exam Guide by Darril Gibson

 My biggest resource used. Read this a couple times through and did all the quizzes as well as the Master Exam that you can download with it.

Quizlet, Skillport, any other place that you can get practice questions
One thing that I did that I thought was really helpful is just took as many practice tests as possible to see the most questions. Nothing I saw was a great comparison to the exam I took, but just seeing a bunch of questions and having to answer them helped me greatly in being prepared.

Monday, August 19, 2013

Fiddling with JavaScript

I have been working on some web stuff lately trying out different ideas with JavaScript and PHP. While trying learn some things in JavaScript I found a neat online tool called JSFiddle. Its kind of like a JavaScript IDE that let's you see your HTML, CSS, and JavaScript separated out and another window showing a preview of all your code running. I found it pretty handy for quickly trying out new ideas and will probably use it to show examples of JavaScript when I have something cool put together. Here's a link to it.

Monday, August 12, 2013

Fun with NFC Tags and Tasker for Android

I was wanting to do something with a bunch of NFC tags I had laying around and finally found a real life use case that I have everyday. When I get in my car I hook my phone up to the speakers and play music from the Google's Play Music App. After loading the app I have to find the playlist I want and it really just becomes too many button presses for me. So I came up with the idea to use the NFC tags to launch the app and auto play a given playlist. I have a couple NFC tags set up now for different playlists and when I tap a tag it loads up and starts playing. To do this I used a combination of NFC Task Launcher, Tasker, and a plugin for Tasker called Tasker AutoShortcut. Click the jump to see a guide on how to set this up.

Monday, August 5, 2013

More Friends Than You Can Handle

So my expected results of this were not quite what I wanted, but I do have scripts now to sign up and spam friend requests. The biggest issue is how many fake facebook accounts you can signup for before Facebook catches on and starts making you verify. Got 3 users using this twice during testing. Tried messing around with Tor in case it was something with Facebook watching the IP, but that didn't seem to help. Posted all my code to GitHub. Still working on the read me file, but it should just be a matter of running Main in PeopleGenerator, then moving the People.xml to FFacebook and running SignUp, then after that runs you should be able to run ActionRunner. ActionRunner is the file that needs to be edited for directing the fake users to spam friend requests. Might go back and streamline this a bit so files don't have to be moved and so you don't have to edit the code for spamming the target.

GitHub Repository - https://github.com/ChuckWoodraska/FFacebook

Monday, July 29, 2013

Facebook Filters

I worked on the 2nd part of a project to try and automate signing up users for Facebook accounts. I can successfully do this when Facebook is playing nice. Unfortunately, Facebook doesn't always play nice and asks you to verify that the user signing up is a real person. Facebook also will filter out e-mails that it doesn't like, which just so happen to be the e-mails I want to use because you don't have to sign up for them. I found a couple like YopMail and MailTrash that work. The real issue is that Facebook will randomly (probably not randomly but I haven't seen a good pattern) ask you to verify through a phone call that you are a real person and you can't use the same number for different people. Its possible it tracks accounts being made from the same IP but I tried using Tor for some testing on this and still had problems. My program does work when this doesn't happen and if it was just a CAPTCHA like I've seen happen before than I can just prompt the user to fill it out. I have a few users made now so I can try some things with the 3rd part of the program which is actually the spamming engine. If I come up with a solution I will update this. I will also work on getting up a GitHub to share this project's code.

Monday, July 22, 2013

Generating People

Got a new project I've been working on to try automate the process of making fake Facebook accounts. The first step was to make a bunch of fake people. I got some lists of popular first names from Social Security Administration website and a list of common last names for North America from Wikipedia. Depending on the generated sex it will pick from either a girl's name list or a boy's name list. All birthdays are in the range of 18-80 years of age. The email and passwords are just randomly selected alphanumeric values. I then save each generated person to an XML file. Here's an example of what gets generated:

<person>
<firstname>Michelle</firstname>
<lastname>Green</lastname>
<sex>0</sex>
<birthday>1989-02-25</birthday>
<email>TLOG9THWMKb1lTHX</email>
<password>2sQ2GWn8fnorhG28fEGcEMjxMSEjTEoA</password>
</person>

Some of the next steps for this project include automating the Facebook signup process, which involves using Selenium WebDriver. Then after all the fake people have a Facebook account I am going to try and spam someone with 100 invites or something silly.

Tuesday, June 4, 2013

Sophos Puzzle 2013

So one of my friends sent me a link to the Sophos puzzle which was a cryptogram to be solved. The rules are below or you can go here:
 So you can solve this year's AusSHIRT #sophospuzzle straight from the shirt, using nothing but pencil, paper and intellect. Of course, you can still throw some home-hacked scripts at the problem if you want: a little bit of brute force goes a long way, and you can leave your scripts running while you attend the conference parties.

How to get started

The puzzle is a cryptogram, which means that the letters on the cube have been scrambled using an encryption algorithm.

Encryption algorithms usually rely on a mixture of substitution, where one letter is changed into another, though not necessarily always into the same one, and transposition, where two letters are switched around, like an anagram.

The easy part in this puzzle is that the substitution always replaces each decrypted letter with the same encrypted letter.

And the letters in the answer appear in the same left-to-right, top-to-bottom order that they do on the cube.

The only transposition you need to worry about is to put the three faces in the right order, so there are only six possible combinations to worry about.

Usually, a straight letter-for-letter substitution is called a Caesar cipher.

The cipher gets its name because it was considered state-of-the-art back in 55BC, when J. Caesar first invaded Britain. He just shifted every letter two places along in the alphabet, writing C for A, D for B and so on. At the end, he wrapped round, so Y became A and Z turned into B.

Caesar ciphers are easy to solve because of repeated letters: the encrypted text shows the same bias (e.g. in English, that ETAOIN are more common than JKXQZ) as normal text.

So we've made this slightly harder than that, as follows:

Letters appearing more than once in the puzzle are all shifted by the same fixed amount (obviously, the shift is somewhere from 1 to 25). Each letter that appears just once in the puzzle is shifted by a different amount, with one letter shifted by 9, another by 8, and so on down to a shift of 1. By the way, the Sophos Shield icons are just for decoration - they don't count as letters in the puzzle.

How to get hints

Follow @Sophos_ANZ on Twitter, and keep your eye on the hashtag #sophospuzzle.

Oh, and bear in mind that a dictionary attack probably wouldn't hurt, so you might like to start out by trying to guess at text that is likely to appear in the solution.


I solved it by first brute forcing the key space of 26 to find out what key shift the multiple letters were using. After finding that out I pen and papered it to find out the solution. I decided to script the ability to give every possible combination for the single letters which then could be sifted through to find the correct solution. Both the solution and code can be found after the jump or you can go here to read the nakedsec solution.

Sunday, April 28, 2013

Paul Revere that is not Left

If Assassin's Creed 3 has taught me anything it is that I would have hated Paul Revere. During a certain part of the game you have to go around the country side and warn people the British are coming you know like the Midnight Ride. So to start it wouldn't seem so bad, but for some reason we only have one horse. Paul suggests we ride doubles I would have declined, but that apparently isn't an option. Whatever I guess, so I hop on the horse and Revere sidles up behind (kind of creepy) and tells me I can ask for directions if I need them. Of course you're riding through a forest so you need to ask him while avoiding the Redcoats and he shouts out left or right and points. Again I don't really care until I start getting chased by Redcoats and I ask for directions and guess what he does? He shouts "GO LEFT!" and then has the audacity to point right. Well which way is it Paul, I'm getting fired at by Redcoats and trying to find my way to the next town while you are sitting a little too close and giving me shitty directions. And that is why I will forever more despise Paul Revere even in real life.