The Square Credit Card Reader
I was walking around at walmart and noticed this thing saying that it was a credit card reader, I was interested so I checked it out on my phone and sure enough it works on Android and Apple devices!
This is a very unique credit card processor not only makes payments easy on the go, the product is actually free. If you download the app they will ship it to you, however if you buy it at the store they give you a full cash-back refund that they'll deposit into your bank account. They will of course verify your identity and currently only support USA based banks as a method of withdrawing cash. They claim that you'll get your funds after 24 hours if your over the minimum $10 balance, in reality this takes 48 to 72 hours, this is actually quite normal, they do in fact process the payment in 24 hours however most banks do take longer to actually clear payments so its no surprise.
There was a concern that this could be used for skimming, ie:stealing credit card numbers. Its not really simple nor is it really all that hard if you know where to look or have some basic programming skills. The app is safe and secure and will not allow you to view or store any card information (I'll do a mitm attack soon to really test this, if its just ssl then its not that great) but they claim that it does DDDES and is PCI compliant.
PCI Compliant means that the data is always secured, however many claim this device is not, because the dongle itself just converts the card data into audio that could be played back, however that would require a modified app to do this, keep in mind that nearly all "pci compliant" readers don't secure they're swipes either, you can buy any old MagTek ps/2 card scanner and it'll convert the card into keystrokes, I've seen many stores that do this and have tested it first hand. VeriFone however the company that was so concerned was the ONLY offender, they published a modified app that would copy the card number to the phone and let the public have it... WTF VeriFone! The fact is the this thing is pretty well made and low-cost, VeriFone was losing money so they tried to dis-credit them and only hurt themselves.
I love this little guy its only 2.75% per swipe, if your running a card without swiping it it'll run you 3.5% +$0.15 each time (actually a good ass deal) and you can take Visa, MasterCard, AmEx, and Discover. They plan to add paypal support soon, I cant wait.
THE BOTTOM LINE ON SECURITY | If you don't trust someone with your card, you shouldn't give it to them, its really that simple.. Could someone modify this to work as a skimmer? Sure, and if they did chances are it'll be your waiter or valet guy. Not the mercant, there is no threat to you as a user or mercent. I highly recommend this product.
oh, and keep in mind, if you register via the app, make sure to goto the website to add your bank account. I've seen a few idiots make horrible reviews because they thought there was no way to add your bank account.
http://squareup.com
SSL-VPN | Secure, Safe, And Enjoyable…. :)
SSL-VPN's, they have many uses... Security, remote network access, and my favorite use... Evasion.
Now in this case I'm not talking about evading cyber crime or anything like that, I'm talking about evading blocks on free wireless networks. I'm currently in college and right now we have free wifi acesss, however there are two major issues with this...
1) Its a public network (security issues)
2) They block ports/hostnames
oh, and one more
3) I have to login (they can log my actions)
So we have some issues, the great thing with an ssl vpn is that port 443 is rarely blocked, ssl is (semi) secure.... (at least from the schools logs) and of course when I connect to my home vpn I now have access to my home ip address and have access to the ports I need.
So now I have access to my chat/im's, etc... Gotta love it.
Lenovo T61 | Gotta Love Packet Injection!
I just received my "new" Lenovo ThinkPad T61, I bought it as a work machine, Its rock solid and ready to go. of course as with all computers I've been buying as of late it has packet injection support built right in 
Usually I'm not a fan of Backtrack 5, however I've been using BT5-Gnome and well I'm a big Ubuntu 10.04 fan which is exactly of BT5-Gnome is based on. This thing has a fingerprint scanner, thanks to the think-finger software I can use it in the terminal and it is dual booted with windows 7. First thing I did was add my personal repo, install guake, openssh, and tightvnc server... and of course firesheep and downgraded my firefox to a usable edition. Now I just have to add my automation scripts and I'll be all set I highly recommend the Thinkpad T61 for anyone whos looking for a mid-sized laptop (14.1") but stills wants a solid machine with packet injection built-in. This machine is spill/drop resistant and cost only $200 with 2gb ram, 100gb hdd, 9 cell battery, and a 2ghz processor. Not a bad deal m8s.
FireSheep Revisit
I just wanted to post a quick update on the firesheep plugin.
If you decided to just install my copy instead of building it yourself (which is fine) you may or may not have issues running it.
If you did I'm very sorry, nobody bothered to tell me, I just found the issue.
You MUST run the following before you run the plugin
sudo su
apt-get install hal
hald
Original Thread Here: http://thecorrosiveone.com/2011/09/01/install-firesheep-on-ubuntu-10-04-lts/
Just so I don't forget, to edit the welcome term in backtrack 5 edit = nano /etc/update-motd.d/10-help-text
Downgrading Firefox In Ubuntu
I recently needed to downgrade firefox, in order to install firesheep in my linux distro.
So here is how you do it... goto a folder (like Downloads)
wget https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/3.6.11/linux-i686/en-US/firefox-3.6.11.tar.bz2
cp -R ~/.mozilla ~/.mozillabackup sudo tar -C /opt -jxvf firefox-3*.tar.bz2 sudo mv /opt/firefox/plugins /opt/firefox/plugins.old sudo ln -s /usr/lib/mozilla/plugins /opt/firefox/plugins sudo dpkg-divert --divert /usr/bin/firefox.ubuntu --rename /usr/bin/firefox sudo ln -s /opt/firefox/firefox /usr/bin/firefox Credit to: http://ubuntuforums.org/showthread.php?t=1477159
Metasploit:The Pentester’s Guide
I just received my book in the mail, Metasploit:The Pentester's Guide. Written by some of the best ethical hackers and security professionals in the business, I cant wait to read it. I'll get a review out to you when I can.
I’m An OSWP
Your probably wondering why I'm posting this, thinking. DUDE! You already told us this.
Well shutup because I've got more to say (jk, or am i?) anyway I just recieved my certification in the mail and couldn't be happier with it.
For me it wasn't official until I had the thing in my hands, and soon it'll be on my wall. If ANYONE has questions about the exam feel free to contact me about it.
OsmocomBB Makes A Return
So if you remember from my previous post I was messing around with osmocombb, this open source software along with some cheap hardware allowed me to intercept gsm phone calls (I'm still downloading the 1TB rainbow table required to pull that off btw) However Mr. Gregq of Coseinc Security was able to write a little script to work alongside the mobile software bundled with osmocom that will allow you to know specific users off the network, disable the entire cell network, and disable a specific tower. To do this I would have to have transmission support which was disabled by default, So I removed osmocom directory and changed the make file, after re-making the firmware from source I was able to enable that transmission support. Now all I have to do is get the script from him, when/if I can.. I will give you a video demonstration.
HAK.5 Jacket
Just received my jacket from HAK.5, It's freaking awesome although I should've listened and bought a larger size, still its not that its small, just snug. I'm a bigger guy so I buy shirts 1x larger than I actually need to make me look slimer.... shut up! lol
OsmocomBB | Phone Hacking
So I was looking around on the archives over at HackADay and found some information on hacking a pre-paid cell phones baseband to intercept data on the gsm cellphone network. Apparently with a 1TB rainbow table you can crack the encryption keys in 20 seconds (sounds off to me but ok) and once you've done that you can intercept and record phone calls or even make calls using that persons number. This project will also allow you to modify your phones location on the gsm network, the older phone not having a gps would have to tell the tower where it is at and this would alow you to change that data and appear to be somewhere your not...
Even more interesting you can locate other phones in your area and generate a kml file and load up a map or google earth and view their position... XD Phone phreaking is here to stay.
I of course have purchased a hackable phone, datacable, RS232/USB adapter, and have begun creating a distro based on ubuntu in virtualbox that will contain all the tools I need so I can dig in once it gets here.. It's even rumored you could perform dos attacks and shutdown service, but of course you don't want to do that unless your looking for jail time.