OWASP

I have been reading about the OWASP Top 10. Apparently they are a list of common web security breaches. There seems to be a new list each year. Figure I had better know what they are, to lock down my site and maybe open up others.

OWASP stands for the Open Web Application Security Project. They are a non-profit. They focus on software security. But back to the Top 10. Last year they focused on things like SQL injection (or general injection). Of course cross-site scripting was up there. So was misconfigured security.

Good stuff. I wonder what will be on the list for 2014?

Game King Video Poker Hacked

I read a great Wired article on two dudes who exploited a hack in the casinos to win a lot of cash. It was only one of the guys who actually discovered the bug in the video poker machines. He shared the info with his friend to extract the most cash from casinos. Unfortunately, things grew sour between the friends. Then a casino got wise and had the guys arrested.

Turns out these guys found a scenario where they could change their bets after the game was played. They used this to rack up big money when their hands won. It required a certain option switch for mega-money to be enabled on the machine. In the end, their cash was confiscated. And the IRS still wants to tax these dudes.

What was the moral of the story? There were a few. It is possible to hack even the seemingly locked down world of video slot machines. You should not enlist an accomplice. Don't get greedy when milking a cash cow. And so on.

Trouble on the LAN

I got a wireless network running at home. Got a lot of devices on it including a few printers. Recently I found that I could not print to any of our printers. Then I dug further and found I could not access any computers on the network. WTF?

The really weird thing was that I could access the Internet fine. What happened recently? Got a new wireless router that I plugged directly into to configure. Also took my computer to another location and tried to connect to the wireless network there. These things should not have messed me up.

I could not for the life of me figure out what the hell was going on. I contemplated restoring my system back to the factory settings and moving on from there. But I got all kinds of programs installed. So I took a chance to restore the system back to a recent restore point.

I recalled when I last knew the machine was working. Restored Windows back to that point. Bamn. The printing is working now. Got to check any other system changes I made. But I should be good to go. I still rely on printing out stuff. Did not know how much so until I could no longer print.

Hakar at the Gate

I was reading the paper while eating lunch. There was an ad for something titled "Hackers @ the Gate" near the back page of my paper. Not sure what that title even means. There were two featured speakers shown in the ad. One of them was Arati Prabhakar. Umm, is Hakar her real last name?

Turns out it is. She is the head of the Defense Advanced Research Projects Agency (DARPA). Previously she was head of the National Institute of Standards and Technology (NIST). If those credentials are not enough, she has a PhD in Applied Physics from Caltech. Bamn.

I went online to check out the link from the ad. Turns out this was for the Cybersecurity Summit being held tomorrow morning. The funny thing is that the other featured speaker was Mike Rogers, Chairman of the House Intelligence Committee. Yeah he might be a big deal. But Hakar is the one that caught my attention.

Making the Master

Sometimes you cannot get access to key blanks. That's okay. You can buy a bunch of locks and study similar keys that work. Or you can go the route of a smart key. This is a key that can potentially open multiple different locks. Just be warned that you might need to use a little force to budge the lock open.

If you do have access to some blanks, you can try a couple times to get through. The key (no pun) is to cut one key depth at a time. You might be able to create a key that works on multiple locks. You produce a master, then you become the master. Sounds like Star Wars, right?

The Reflecting Key

Some dude who goes by the handle Josh invented a key called the reflecting key. It was a simple but effective hack. This is also called the smart key. The key itself has wafers. You can look inside to see the heights that the key needs to be to unlock the lock.

The key itself is hollowed out. There is an angle that shines up into the lock mechanism. You can take pictures of what you see in the key. There are six possible depths you need to measure. This works on Schlage locks, even the secure ones.

Impressioning

Let's talk about rake keys. These are also called gypsy keys. You take a key blank and file it down. In essence you use the key like a pick. There is a large bump at the end of these types of keys. They are the same types used for automobiles.

This is a subset of what's known as impressioning. Like with rake keys, you start with a key blank. Then you use the lock itself to get information on how to modify the key to fit. You will need a file to carve the key. You will also need a magnifier to spy on the lock you are trying to bypass.

You should have a couple of key blanks if you are trying this technique. You should also have something to hold the key steady like vice grips. You put the blank in the lock and turn it. The marks on the key indicate how you should cut it.

You can color the key with a sharpie to see where the lock interacts with the key. Or you could use ultraviolet rays to do the trick. The goal is to produce a real key that works in the lock.