This time on the show, NetBIOS Name Service spoofing in Metasplot with our friend Mubix, Playing Doom on a Dingoo Digital with the Dingux Linux distro and an alternative disc space reporter.
All that and more, this time on Hak5.
I was going to report on how Android devices prior to version 2.3.4 were vulnerable to a sidejacking attack due to the fact that they authenticated via HTTP instead of HTTPS. Similar to a cookie, the AuthToken of the Calendar and Contacts syncing service is good for up to two weeks and is device agnostic. But just a day after security researchers broke the story Google plugged the hole. A Google spokeman said in a statement “This fix requires no action from users and will roll out globally over the next few days.” Poor unencrypted HTTP — the protocol isn’t getting as much love since Firesheep…
There’s been a bit of trouble brewing in the Android marketplace. 11 apps that were in the Android marketplace were embedded with some malicious code that triggered a text message to be sent to three premium-rate numbers in China. Those text messages sign up the mobile user for a paid subscription service without their knowledge or approval. Google has since taken down those apps but there could be more. Malware like this has been growing on the Android platform, 400% since last summer, and this is just another hiccup in the security of Android Apps.
Poor Sony, they’ve consistently topped out hacker headlines and while I’m happy to report that they’ve reopened the PlayStation Network it hasn’t been without setbacks. Just two days after the service reopened attackers went after the password reset function, which supposedly only required email and date of birth. While far from a full blown remote exploit the bug has caused Sony to disable the function on PlayStation.com and Qriocity.com. In the meantime you can still sign into the PSN via your PSP or PlayStation 3 devices.
In awesome sauce news, a twitter vigilante found a guy’s stolen laptop using a program we had discussed many episodes back called Prey. Sean Power’s laptop was stolen and after just a few days, he was able to score a webcam photo of the thief using the free tool. Cops wouldn’t help him, so he went to Twitter. A follower of Sean’s, and also a stranger, went to the bar where the laptop was last seen and confronted the thief. He got the laptop back and now all is good. Hooray for social networking and free programs!
This video just started making its round and I’m going to take the liberty of directly quoting Teravolt.org:
Electrolytic capacitors are constructed using an electrolyte-soaked piece of paper between two strips of aluminum foil. One piece of foil is oxidized and this ultra-thin coating of aluminum oxide becomes the capacitor’s dielectric. Because this layer is so thin and has a high dielectric constant a large amount of capacitance can be squeezed inside of a small space, even more so when the foil is rolled up tightly.
Electrolytics have one flaw though; they are polarized. When a reverse voltage greater than 1.5V hits the capacitor the aluminum oxide starts to reduce and its insulating properties are lost. This destroys the capacitive effect of the device and essentially the capacitor short circuits which allows a lot of current to flow. A lot of heat is generated, heat which boils the electrolyte and causes pressure to build inside the capacitor.
Then it goes boom!
Kerby’s Internet Protocol Star Trek Captain of the Week
As an alternative to WinDerStat which I explained a few weeks ago, you can try out JDiskReport. This freeware tool enables you to understand what files on your drive take up what amount of space. This tool can help you figure out what files or folders are just sitting on your hard drive taking up space. JDiskReport features a Size Perspective pie chart for easy viewing, a size distribution tool, modified size distribution view, file extension type size distrubution, and a top 100 list of your largest files.
To use, go to jgoodies.com and download the tool. Java must be installed for this to work and it will run on Windows or Mac. Open JDiskReport and choose ‘Scan A File Tree’. This will scan all the files inside a chosen drive. After a few moments, JDiskReport will display an easy to navigate pie chart, showing you which files take up so much room on your computer. You can right click to open explorer and browse to those files to edit or delete them. You can also choose things such as excluding a directory for the scan under the preferences menu on the filter tab.
For more info on JDiskReport check out jgoodies.com, and tell me what you think!
Got an idea for a tip? Share them with us at email@example.com. And now for our sponsor.
NetBIOS Name Service spoofing in Metasploit
Segment Descirption (HTML):
This week our friend Mubix returns to demonstrate an awesome Metaspoit module for spoofing NetBIOS Name Service.
Last weeks trivia: This popular project was a light installation in Berlin that transformed a building front into a giant low-resolution monochrome computer screen. What’s the projects name?
The Answer was: Project Blinkenlights
This week’s question is: Including icons for snow men, octopuses and alien faces, this specification is the Japanese term for emoticons.
Answer at hak5.wpengine.com/trivia to win some sweet swag. And now a word from our sponsor.
Doom on the Dingo
Last week I showed you how to install Dingux, a version of Linux, onto your Dingoo Digital. Today, I’m digging a bit deeper into the world of the Dingoo by setting up a game and an emulator. Lets get started!
First, check out nongnu.org/freedom and download the Complete Iwad from the download page. Extract the file to your PC. Copy the doom2.wad file to your mini SD card that has Dingux on it. You’ll need to copy it to the local\games\prboom\ folder and make sure it is called Doom2.wad. Once copied, you can plug the SD card into your Dingoo Digital. Make sure it’s turned off any time you remove or put the SD card in the slot because it’ll freeze if you take it out while cut on.
If you don’t want the freedoom version of Doom, you can also try original Doom. To do so, go to doomarchive.com and download the Doom1.wad. Extract this zip file anywhere on your PC. Now, copy the doom1.wad to the local\games\prboom\ folder. Rename doom2.wad from the freedoom.com website. If you decide not to rename doom2.wad, when you boot up Doom on Dingux, it’ll default to the freedoom doom2.wad instead of doom1.wad.
Now that you have your two versions of doom installed and have chosen which one you want to boot, put the SD card into your Dingoo Digital and hold down select while pressing up on the power button. When Dingux boots, choose Doom. This will be the topmost game under the games icon.
Ok, now after defeating one of the best games of all time, shut off your Dingoo and take the SD card out to install an emulator.
I’ve chosen Super Mario World… because it’s awesomely epic.
Get a super mario world ROM from anywhere online. It should be called SuperMarioWorld.smc. Copy this file to the local\emulators\snes\9x folder. Now, plug the SD card back in the Dingoo Digital and boot up Dingux again, this time choose the Emulators Icon, scroll down to SNES, and choose Super Mario World. Tada! You now have Awesome games at your fingertips to play on your next subway ride.
For questions or comments, email me at firstname.lastname@example.org.
I know you get a lot of emails so i will keep this to the point. I am new to the computer / technology world and find it hard to follow parts of your show. I’m not asking you to change the script, but I’m simply asking where are the best resources or really the best way to break into this and get caught up. I have an interest in technology and I know that it might take some work but really any general direction would be much appreciated.
Thank you in advance.
Darren recommends picking up a programming language. He isn’t going to get into a religious debate about which is best but learning any moden language will give you a fundamental understanding of how programs operate. There is a fantastic forum thread at forums.hak5.wpengine.com called Hacking: Where to begin which is a great resource for those new to hacking.
What is the best, free, open source, virtualization system for Linux?
Darren’s current squeeze for servers is Proxmox VE, which is a wonderful open source implementation of OpenVZ and KVM — two of the most popular virtualization technologies on Linux. He also still loves VirtualBox for desktop virtualization.
If you’re into Hak5 you’ll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!
Whether you’re a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more
And let’s not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at email@example.com.