Sunday, 6 July 2014

upnp.ninja

U Plug, We Play was the title of David Middlehurst’s (@dtmsecurity) presentation at the BSides Manchester conference. The presentation was about a new open source tool called 'UPnP Pentest Toolkit' [1], which he developed and released on the day of the conference. I had the chance to catch up with David at the London Trust Forum the other day and shared some thoughts about the tool. I am 'a bit' of a geek, so the day after the BSides Manchester conference, it was the first thing I wanted to test. I downloaded the tool and started scanning my home devices.

Well done David!

[1] upnp.ninja

Thursday, 3 July 2014

London Trust Forum

I was invited to attend the London Trust Forum organised by NCC, where Andy Davis talked about CANimation, highlighting the security threats to automotive systems. A very interesting talk on how you can hack into cars when you have physical access to them or, on some occasions, remotely!

It was really nice to see familiar faces at the event and catch up with Dr. Jessica Barker (@drjessicabarker), David Middlehurst (@dtmsecurity), @netbiosX and @Emil_i.

Looking forward to the next Trust Forum event already!


Sunday, 29 June 2014

BSides Manchester 2014

It was really nice to be invited to present at BSides Manchester (@BSidesMCR) this year [1]. Very interesting talks and one of the most organised events I have ever been to. On-time information on the website and clear instructions about the event. I really enjoyed both days and tried to attend as many talks as I could.

On the second day, I was presenting about the security of Point of Sale (POS) devices. These devices have a number of “features” which can be used to allow someone to deviate from the payment process in a number of different ways. More specifically, it is possible to complete a transaction without actually being charged, pay with someone else’s card without knowing the PIN or even get paid instead of paying. The presentation gave a good understanding of how these devices work and basically demonstrated a number of “magic tricks” on how one could actually live for free! I was overwhelmed by the number of people who attended the talk and their enthusiasm for the subject. Thank you all for your kind words, tweets and re-tweets, much appreciated.

Wednesday, 21 May 2014

The Subterfuge Project called Artemis

Artemis [1] is an advanced malware simulation suite capable of emulating the Advanced Persistent Threat (APT). Artemis raises the bar, allowing ethical hackers and penetration testers the luxury of an advanced set of features equivalent to many of the tools employed by criminal gangs today. By abstracting polymorphism to a server-based platform at cevincere.com, Artemis is able to stay one step ahead of anti-virus vendors and ensure that penetration testers can give their clients the value that they deserve.

[1] https://code.google.com/p/subterfuge/

Wednesday, 30 April 2014

BSides London 2014 - POS Devices

I was given the opportunity to present at this year's BSides London [1]. The talk was a 15-minute presentation about Point of Sale (POS) devices, during a no-camera, no-recording session due to the sensitive content.

I have been researching the features of POS devices for more than a year and I wanted to share my findings before someone else does something similar. However, due to the fact it is not easy to fix the issues overnight, I decided to keep the presentation "behind closed doors". During the presentation I demonstrated how it is possible for anyone to become a "hacker" and abuse these little devices with simple key combinations.