Blog

  • The mystery 50p coin I found

    • General
    • by Jacob Riggs
    • 13-09-2022
    5.00 of 3 votes

    Over 50 years ago a coin entered circulation. A coin that once belonged to a man named Sean Creamer. Engraved on the faces of this coin are the wordsThis once belonged to Sean Creamer 58 Henry St Limerick — worth £5 to me if returned Today this mystery coin resides with me, after what I suspect has been a very long journey.I'm not sure who Sean Creamer is or what motivated him to inscribe his message, though the words do make me think there's a certain desperation in the creative fight to declare our existence. Much like the reason many of us post online, we're participants of the past speaking our own timeless messages like a familiar chapter in a tattered book — messages that we hope might survive the test of time and someday outlive us. "See me. Remember me. I was here." Perhaps this small relic of the past is intended to function as more than a memento, a keepsake, or a souvenir. Maybe it's an artifact of history that truly belongs to nobody, only temporary caretakers during its journey, and serves to teach an important lesson about value.Maybe a value worth more than we ever realise at the time.

  • Shark Tank success 'LARQ' sent me a free water bottle

    • General
    • by Jacob Riggs
    • 27-08-2022
    5.00 of 6 votes

    Last week I fell into the abyss of watching random YouTube videos and at one point landed on a video featuring LARQ, the highest valuation company to ever pitch on the popular US television show Shark Tank. The product line they were offering was simple – self-cleaning water bottles that use UV light to purify water. Intrigued to find out if the company had found success since airing and intending to purchase one of their bottles for myself, I registered to their site.Shortly after registering I noticed a security vulnerability, and duly reported this to them that sameday. My report was well received, and as a thank you, they kindly offered to send me any product I wanted for free.Hi Jacob, Our Digital team is very grateful for your time and the issue you have brought to our attention, we would be happy to ship you any LARQ Product of your choice as a thank you! Please be so kind as to confirm which product you would like and your shipping address. Thank you! I opted to select the LARQ Bottle PureVis 740ml (insulated), as I figured this would have been my preferred choice for purchase. Thanks to the LARQ customer experience team for sending me this free gift.

  • UK ISPs prohibit ethical security research activities

    • General
    • by Jacob Riggs
    • 26-08-2022
    5.00 of 7 votes

    All major UK ISPs seem to stipulate contractual terms which specifically prohibit their customers from employing the use of their home broadband service for security testing activities, regardless of the lawful basis for those activities (such as when penetration testing and bug bounty engagements are authorised). Below are the relevant extracts I pulled from those associated policies. If you're a UK customer of these services and engage in any bug bounty or penetration testing activities, it's likely you've already agreed to comply with these terms, and may therefore be at risk of having your home broadband service suspended for violating them. POLICY EXTRACT Source: Vodafone Acceptable Usage Policy 2.  Your use of the Service ... 2.9   You must not use the internet to send information that has forged addresses or are deliberately constructed to adversely affect remote machines or other computer systems. 4.  Network security 4.1   You must not take any action that could inhibit or violate the network security of any person or company (including Vodafone) or that could adversely affect their use of the internet. POLICY EXTRACT Source: BT Acceptable Usage Policy Security Violations The BT Network may not be used to violate the security of a network, service or other system. Examples of security include hacking, cracking into, monitoring, or using systems without authorisation; scanning ports; conducting denial of service attacks; distributing viruses or other harmful software; smurf attacks; and unauthorised alteration or destruction of websites or other information. POLICY EXTRACT Source: Virgin Media Acceptable Usage Policy 5.   Your responsibilities - Virgin Media’s systems, services and equipment ... 5.2.   Specific prohibited acts in relation to Virgin Media’s systems, services and equipment are: ... 5.2.5.   attempting to circumvent user authentication or security of any host, network, or account (also known as “cracking” or “hacking”). POLICY EXTRACT Source: Sky Acceptable Usage Policy Do not violate anyone's systems or network security You must not use Sky Broadband, or allow someone else to use Sky Broadband, to violate Sky’s networks’ security or any third party’s system or network security by any method including: ... You must not send, receive, store, distribute, transmit, post, upload or download any materials that are designed to violate Sky Network’s security or any third party’s system or network security. Examples of such prohibited material may include (but are not limited to): ... •  tools designed to compromise the security of other sites; These terms make up the components of valid contracts, and as ISPs are in the business of making money, this raises a few questions. Do ISPs actually care what their customers do with their service? How enforcable are the relevant legal obligations in practice? Are ISPs actively monitoring customer traffic for attack characteristics? Do reports of abuse ever result in ISPs terminating services? Such unanswered questions might incentivise security professionals to consider the wider use of commercial VPNs.  

  • The Royal Mint sent me a limited edition gold coin

    • General
    • by Jacob Riggs
    • 25-07-2022
    5.00 of 16 votes

    For some voluntary work I did, The Royal Mint sent me a limited edition 22 carat gold coin which commemorates the life and legacy of the great mathematician and codebreaker Alan Turing. This included bespoke packaging that contained a small 'Innovation in Science' series booklet detailing Turing's remarkable achievements, and featured one of his most famous quotes: We can see only a short distance ahead, but we can see plenty there that needs to be done ~Alan Turing I would like to express my thanks to The Royal Mint for this thoughtful gift.

  • How to access and trade on darknet markets

    5.00 of 18 votes

    Welcome to my first counter-economics walkthrough, featuring the darknet. The darknet is not just a domain for illicit activities, it also serves as a space that offers unparalleled opportunities for discourse, free market trade, and collective and communal discovery. It’s occupied by people from all walks of our complex and layered lives - from outright criminals and troublemakers, to journalists, dissidents, and security researchers (like myself). Whilst I can appreciate that the darknet is widely associated with illegal activity, it’s important to note that simply accessing the darknet is perfectly legal. There’s a lot of advanced cryptographic protocols and processes behind the workings of what I’m about to explain, but for the purpose of keeping this post short and tailored for a wide audience, I’m going to simplify everything as best I can. 1. Tor To access the darknet you’ll need to download and install the Tor (the onion routing) browser. This is an open source purpose-built and completely free browser based on Firefox that enables anonymous web surfing, by ensuring that all traffic it processes is heavily protected against traffic analysis. Download Tor Tor establishes a secure network circuit for each browser session, which connects Tor nodes deployed around the world at random. These nodes encrypt your browser traffic in layers at each node hop on its way to/from the source (your browser) and the destination (a hosted hidden service). 2. Darknet markets With Tor installed, you’ll next need to find a darknet marketplace domain to visit. The Tor network mandates that Tor clients (such as the Tor browser) can only access sites using the .onion TLD. However, these domains are not easy to distinguish, and are usually represented in long, often randomly generated alpha-numeric strings. Finding the correctly represented URL for a particular domain in the first instance can be a challenge. There are hundreds of marketplaces to choose from, each with their own set of communities, politics, and socio-economic motivations. I wont list them all here, as unfortunately not all survive long enough to outgrow the impulse of real-world influence and fallible human desires. Some get hacked, some get shut down by law enforcement, and some succumb to their own greed - whereby the operators 'exit scam' entire communities. This is why there’s no specific endorsement for any particular marketplace I can make, but I’ll include a few of the most common below for reference. Please beware of the many fake .onion addresses that frequently circulate the web and are set up as convincing phishing sites. The above hidden service URLs were validated as accurate at the time of this blog post being made, though may require further validation if they are to be relied upon in the future.   3. What you can buy Most darknet marketplaces have a large selection of categories populated with listings from reputable vendors. These are varied, and can include both legal and illegal listings.In no particular order, I’ve added a table featuring some of the most common categories I’ve observed below: Drugs Doxxing Malware Hacking Software Hosting Electronics Ebooks Firearms Graphics Databases VPNs Jewellery Fraud Passports Programming 4. Buying Bitcoin (BTC) The first step, if you’re new to this space and want to facilitate a trade, is to buy yourself some cryptocurrency.This process, in summary, is to trade a value of what you own in digital fiat currency (GBP, USD, AUD, etc) for a value of what you desire in BTC, and can most easily be achieved by registering to a centralised platform, like one of those I’ve included below. Coinbase Binance Bitfinex Poloniex Many darknet marketplaces employ the use of specific cryptocurrencies (such as XMR) that use technologies such as stealth addressing and ring signatures to evade traceability. However, these currencies, due to their decentralised and counter-economic nature, are often restricted by centralised platforms from purchase and practical use. This means it’s sometimes possible to buy these currencies (such as XMR) in exchange for fiat (GBP, USD, AUD, etc), but you may find yourself prevented from transferring such currencies outside of the platform you’ve purchased them from. 5. Exchanging Bitcoin (BTC) for Monero (XMR) A logical and convenient method I’ve seen adopted to get around this problem is to purchase another mainstream currency (such as BTC) via a centralised platform, then to use a third-party service to facilitate an exchange into a darknet marketplace supported currency like XMR.Below I've added an embedded interactive exchange utility that runs off a secure third-party API, and connects each transaction request with the best real-time market rates offered across a wide number of centralised trading platforms. If you'd like to use it to exchange currencies, please feel free. 6. Making a purchase Most reputable darknet marketplaces employ the use of escrow systems for mutual buyer and seller protection, with step-by-step client-side encryption features leveraging PGP to ensure end-to-end privacy and anonymity is preserved. This usually (but not always) means that when you supply potentially identifiable information, such as an email address or postal address to receive goods, the marketplace usually auto-encrypts your data to the vendor’s public key in your browser at the point of sale. This is to prevent your data being inadvertently disclosed at any time in the future to anyone other than yourself and the vendor, and ensures that trade participants can remain confidence that marketplace transactions are provably private.Understanding PGP usage in this context is important, but can be overwhelming for newcomers. A while back I made another blog post on PGP keys which helps explain what PGP is and how it works.

  • How I found a vulnerability giving me infinite CPE credits

    5.00 of 39 votes

    This is my write-up on a vulnerability I identified which allowed me to credit my ISACA CISM certification with unlimited CPE credits. During my day off I was looking at ways to earn myself some CPE credits towards my CISM certification. For context, 1 hour of eligible activities translates to the accrual of 1 CPE credit, and for my CISM certification, I require at least 120 CPEs over a three year period. Quiz Night! First I logged into my ISACA account and completed an archived quiz from here. For ISACA members (if you have a valid ISACA membership), the successful completion of each archived quiz awards 1 CPE credit. Once I had successfully completed a quiz, I visited my Manage CPE portal to apply the newly earned CPE credit to my account. The first step was to take note of the unique CPE ID and proceed to apply it to my account. Here I noticed that when attempting to apply CPE credits from this type of eligible activity, the forms on the ISACA web app seem to restrict the numerical 'max hours allowed' value. However, this restriction appeared to only be enforced client-side, which meant that an attacker could change this numerical value before submitting it to the server. I was curious how the server would validate any modified input value (if at all), and what response the server might provide if this value was changed to extend or nullify the 'max hours allowed' limitation. Enter Burp I opened Burp (my intercepting proxy) and captured the request. I could see that the request was submitted in a JSON format, with a number of expected parameters that relate to the web form. The server considered the request valid, and issued a response which echoed a 'true' boolean statement. I took note of the request and response values, then saved the request to Burp's repeater module (we'll come back to this shortly). I then revisited the archived quizzes and successfully completed a different quiz. I again visited my Manage CPE portal to apply the newly earned CPE credit to my account. I again took note of the unique CPE ID. I then went back to the previous request saved in Burp's repeater module, and modified the values of the request to reflect those of the newly completed quiz, but this time I manually set the 'MaxHoursAvailable' parameter to 100 and the 'CismHours' parameter to 100. I submitted this request to the server, and received a 'true' boolean statement in the response. I then navigated back to my certifications dashboard and could see that 100 CPE credits were successfully applied. I was able to confirm this was as a result of the modified request being made by viewing the applied CPE records within my Manage CPE portal. This finding was duly reported to ISACA within 4 hours of being identified. It took 134 days for my report to close with an agreement for public disclosure. ISACA responded on 10/06/2022 with the following statement:We do not view this particular occurrence as having a major impact on our website or operations. Additionally our ability to audit member's CPE's would allow us to correctly identify those who made use of this or a similar technique and take the appropriate steps upon discovery.