Adrian (pagvac) Pastor

Adrian currently works as a Senior White-hat Hacker at GNUCITIZEN where he specializes in vulnerability research, tiger team operations, cutting edge security training, and finding simple solutions to complex problems. Adrian's work has been featured in established magazines and information portals such as BBC, The Washington Post, Wired, Slashdot, PC Pro, The Register, PC World, CNET and many others. He has spoken at events such as Hack in the Box, OWASP, Defcon and many more.

Bookmarklet of death: Domain hijacking without 0days

So we all know about cross-domain vulnerabilities that allow attackers to run code within the security context of the target domain. Typically, they are either an XSS bug in the server-side application, or a bug in the client (a web browser plugin or the web browser itself). Most of the time, these vulnerabilities require some type of interaction from the victim user, i.e. being tricked into clicking on a link or visiting a malicious page.

Now, most techies are familiar with bookmarklets. [...]

» more | » comments rss | posted by Adrian 'pagvac' Pastor

Viva La Defcon!

Defcon 16 was awesome! I’d like to congratulate Dark Tangent and all the Defcon goons for such an awesome event.

This year somehow I managed to meet more people, attend more parties and see more presentations than during previous years. I had the pleasure to meet other fellow researchers for the first time such as Nathan McFeters, Billy (BK) Rios, RSnake, id and many others! All of them are security warriors whose research I was familiar with, but had never met in person. [...]


Pwnie Award Nominee

Yesterday a friend of mine let me know that some of my BT Home Hub security research (details here and here) got nominated for the Pwnie Awards.

At first I thought “oh, that’s cool”, but then I learned the category my research had been nominated for: Most Overhyped Bug. [...]


OWI: Yet Another Anonymous Point of Attack?

About a month ago I traveled by train for a pre-sales meeting with a prospective customer. The trip was about two hours long, which would usually mean that it’d be boring. In this case it was different though: I was surprised with free OWI (Onboard Wireless Internet) on the train!

Simply connect to the available open (no encryption) wireless access point and you will be redirected to a login portal, aka captive portal. [...]


Dumping the admin password of the BT Home Hub (pt 2)

This is just a quick update regarding our previous post, which details how to extract the default admin password for the latest firmware of the BT Home Hub (6.2.6.E at time of writing). I recommend that you read the previous post if you have not done so yet.

The BT Home Hub’s serial number - which is the default admin password - can also be found on UPnP description XML files. [...]


Dumping the admin password of the BT Home Hub

So BT added a new security feature on the latest version of the BT Home Hub firmware (6.2.6.E at time of writing) which changes the default admin password from admin to the serial number of the router. From BT Support and Advice site:

When I first noticed this new feature I thought it was quite cool and definitely a good move from BT. [...]


Agile Hacking: a homegrown telnet-based portscanner

So here is the scenario: the attacker has limited access to a box and he/she needs to perform a portscan from it. However, he/she does not want to download any tools to the target system. There might be various reasons for not wanting to upload a portscanner to the box. Perhaps, the attacker wants to minimize the footprint. [...]


Default key algorithm in Thomson and BT Home Hub routers

Yes, we’re back with more embedded devices vulnerability research! And yes, we’re also back with more security attacks against the BT Home Hub (most popular DSL router in the UK)!

As you know, we encourage folks in the community to team up with GNUCITIZEN in different projects as we’ve had very successful experiences doing so. This time it was Kevin Devine’s turn. [...]


ZyXEL Gateways Vulnerability Research (Part 2)

Here is the second version of the ZyXEL routers penetration testing paper. This second part of the paper is also fully practical, just like the first one. No theory whatsoever, but rather real juicy attacks, which is what we pentesters/whitehats are interested in (after all, we need to be aware of what the bad guys can do)! Unlike the first part of the paper, this one focuses more on attack techniques rather than newly-discovered vulnerabilities. [...]


Exploring the UNKNOWN: Scanning the Internet via SNMP!

Hacking is not only about coming up with interesting solutions to problems, but also about exploring the unknown. It was this drive-for-knowledge philosophy that led to surveying a significant sample of the Internet, which allowed us to make some VERY interesting observations and get an idea of the current state of remote SNMP hacking.

Why SNMP?

2.5 million random IP addresses were surveyed via SNMP. Why SNMP you might be asking? Well, there are several reasons. [...]
