Dec 29, 2013

Defcon vs. CCC

2013 was a big year in terms of information disclosure, leaks and whistleblowing. People reacted to the events very differently and shared their opinion online on social media platforms, Blogs and their websites as well as offline face-to-face and on conferences. I gathered some first-hand conference experience 2013 on America's Defcon and the German Chaos Communication Congress. Since I was a first time visitor of both conferences I started to compare the conferences. Here is what I liked and disliked about Defcon and CCC and why you should be prepared for everything during a hacker conference - even for things like Quadcopters visiting you during mealtime.

Dec 25, 2013

Must See And Read: Hacker Movies And Novels

What got me started into hacking was partly the thrill of knowing more about computers than most people do and partly the image I got from hackers by main stream media and pop culture. I started to dive into hacker culture and to read up about the roots of hacking. In this article I just want to quickly drop off my personal list of favorite hacker movies and hacker / cyberpunk novels. Maybe you can draw some inspiration for post-christmas presents?

Dec 20, 2013

Hacking Medical Systems

Image a world where computers are everywhere, ubiquitious. Everything (like in thing) is connected and able to communicate. A world where your car can talk to you fridge to tell it that you will be home in 10 minutes and it can start to unfreeze your pizza already. Wait! Isn't that our world of today?

Although we are not quite there yet, trends are pointing in this direction. The Internet of Things is becoming more real day by day. So is the increased use of technology in medical contexts. We get used to the idea of smart grids and computer viruses attacking nuclear facilities but we are still shocked when it comes to hacks that target the life of individual, everyday people rather than in a business or governmental context. What happens if hackers would target your cardiac stimulator? Or your insulin pump? Imagine a hacker modifies your medical records while you are in hospital and you get treated with medicine you are allergic to. Sounds like science-fiction? I don't think so.

Dec 18, 2013

The Chosen Geek

How does a hacker look like? What do you imagine if you think of a hacker? What picture does the typical business guy have in mind when he talks about a hacker?
I don't know about you, but I tend to stand out of a crowd. Be it my mohawk, be it dressing totally in black or something else. Being able to tell someone on the phone who has no idea about my looks to pick me up and I have to think of something about my appearance to enable him to instantly recognize me once he spots me is usually no problem. This can be a blessing and a curse at the same time, it depends on the situation you are facing.

I guess a certain odd or different look comes with the job description of most hackers although I know some brilliant hackers who you could take for a financial analyst just by looking at them. Let's assume for a second that you are a hacker and there is something about the way you dress or act that makes you recognizable as a... hacker? Geek? Nerd? Techie? Whatever you call it, there are certain effects arising from this fact. For reasons of simplicity I will stick to the term geek for this article but it also applies for nerd and hacker.

Dec 12, 2013

Vulnerability Management Meets Big Data

Everyone who is employed in the offensive parts of IT-Security will stumble sooner or later upon the discussion about the difference between vulnerability management and penetration testing. For security professionals like us this is a very clear distinction but to the untrained (read: non-hacker) eye it can be difficult and blurry to draw the division line between these two concecpts. I won't elaborate on this topic since I feel it has been exhaustively dealt with in other places. It often boils down to factors like goal-orientation or breadth-focus vs. depth-focus.

Sometimes the discussion drifts into an argument about vulnerability assessment vs. vulnerability management. I did not see a lot of opinions on this debate on the internet hence I prefer talking about it rather than about the difference between pentesting and vulnerability management. People may switch labels for vulnerability management and vulnerability assessment or give it different names but the difference - and there is one, a very big one - remains the same.

Dec 9, 2013

A New Generation Of Penetration Testers

It is no big news that we are facing an ever increasing threat landscape when it comes to IT-Security. The last few years proved that cyber attacks not only grew in numbers but also in intensity and complexity. Voices from within the IT-Security industry point in a similar direction, the supply of cyber security professionals does not seem to satisfy the demand of the market. These facts can be accredited to a lot of different factors, one of them being the progress of technology itself as well as the professionalization of various criminal hacker organizations for example. Since better technology also brings better tools, a lot of hacking tools became available to a broader public.

Disable Password Policies in AD LDS Containing Proxy Objects

Active Directory Lightweight Directory Services (AD LDS) or formerly called ADAM, an Microsoft LDAP implementation, leverages the password policies of the local system or the domain if not told otherwise. If you don't want an application partition being affected by the password policies applied from the local system or the domain, you can deactivate this option by setting the "ADAMDisablePasswordPolicies" in the configuration partition from 0 to 1. You can read up on this here. However, the official Microsoft documentation is not specific about how the AD LDS handles proxy objects when changing the ADAMDisablePasswordPolicies attribute and I could not find any clear information regarding this issue on the web, so I decided to do this small write-up on this.

Dec 8, 2013

How To Become An Ethical Hacker?

So you want to dive into offensive security and (ethical) hacking? You are dreaming about putting on your _insert favourite colour here_ hat and start exploring and exploiting the digital highways?
I certainly wanted to do this 2,5 years ago. Back then I started my journey into hacking and penetration testing and everything related to offensive security. I was fairly experienced with computers in general, the web and programming but hacking was still a new world to me.

I often wonder about what tips and tricks I would pass my former self to accelerate my own journey if I had a chance to use the Delorian and go back to a point in time 2,5 years ago. This is a list of a few things that would have made my learning experience more comfortable and would have certainly enhanced my growing process.