Welcome to my digital home! There are lots of articles you might find helpful buried in this site on topics such as modifying an Alfa Romeo 159, rebuilding a Lotus 7 (Robin Hood 2B), not to mention a ton of stuff on technology in general. It’s all here somewhere, so use the search function or navigate using the menu structure. if you want to talk, reach out via the contact function, I usually do answer!
Random Post Selection
InfoSecPersonally, I think this is one of the most important concepts of today. Its simple enough to grasp and illustrates the point very well.
Consider these examples:
From an effort perspective, the effort required to secure a system is significantly less than that required to exploit it.
From a cost perspective, it is less expensive to prevent a serious data breach than it is to clean up and recover from one.
Point 1 above was illustrated very clearly to me on the IISP’s TopGun event I attended recently, and is a scenario that you have to step back from to fully appreciate. Eg. If you have a smallish network, with most modern services such as web, email, mobile, databases, websites etc, then the effort to secure that is quite mammoth. You have to consider the perimeter, the information, how its stored and used, what services are on offer and the impacts etc. Then you have to consider every conceivable vulnerability, patching strategies and stay on top and at least up to speed with the curve of change. All of these efforts equate to a team of people, but all it takes to break in, is 1 person with a brain, motive, and a few freely available tools.
Point 2 of course, was illustrated very well by a study by the Pnemon Instutue LLC in conjunction with PGP and Vontu (Symantec), this study evaluated the true cost of a breach of data security and considered factors such as direct and indirect costs, and has trended the data over the last few years with enlightening results.
Despite both of these points clearly illustrating that the best way to tackle the security conundrum is head on and proactively, those of us in the industry will all surely testify that getting the right backing, funding, and often, even the right audience with the business, is still a hard task. From my perspective, I will keep on trying, and keep on flying the flag in the hope that one day reality sets in and my job / life gets easier!Related Images: [...]
InfoSecI was recently asked to comment on the new Chip & Pin attack created by Prof Ross Anderson from Cambridge University. In my original comment released to the press I make an assertion in relation to a change in process that “breaks the circuit” of this attack – see below:
Jay Abbott, director in charge of Threat & Vulnerability Management, PricewaterhouseCoopers LLP (PwC), said:“Essentially, what the scientists have come up with is a very effective and simple way of exploiting weaknesses in the system.
However, it is important to bear in mind that the fraud requires a very specific scenario to become effective.
“A simple process change by the retailer of asking for the card holder to hand over the card would break the circuit, although this isn’t always possible as sometimes the card reader is fixed to a point on the other side of the counter.
“At present, the customer is accountable for the fraud as banks argue that PIN verified transactions are secure. Given this attack demonstrates a clear method of bypassing the PIN system, this assertion by the banks stands on shakier ground.”
With the original comment came a caveat, which as you would normally expect, was not quoted by the media, this caveat was that the process change suggested brought with it the opportunity for cards to be skimmed, which was in fact one of the original reasons behind the Chip & Pin changes. In fact, the change works in the favour of the retailer rather than the consumer, however, before you hang me, allow me to demonstrate the rationale behind this.
Consider first that Chip & Pin is in fact “two factor” authentication, which anyone in the security business will explain is more secure than “one factor” authentication. The first factor is the card itself or the “chip” in this instance, the second factor is the “Pin” which in this context operates as a pass code. Given both elements are authenticators in their own right, both are required, and as such any attack must include them both. The attack designed by Prof Ross Anderson targets the Pin aspect of the authentication, and relies on the original card accessed through a series of technology components that have to be connected together in some way. The method shown in this attack makes use of concealment to hide these components on the person of the attacker, and relies on a custom built “attack” card with wires hidden up the sleeve of the attacker, back to the other components involved. The obvious way to therefore detect and prevent this attack at the retailer is by separating the card from the attacker, thus showing the wires and revealing the ruse.
The cloning of cards must be treated separately as the current methods of cloning (that I am aware of at this point in time) only create “yes cards” which would not work in this attack scenario as they are not true copies and would be detected by the PoS equipment as fraudulent. As I understand it, there is no economically viable way of cloning Chip & PIN Cards effectively at this time. Any cloning would still focus on the magnetic stripe data, which can be easily cloned, but is not accepted by the retailers (usually) when a Chip & PIN card is presented. This of course is at the discretion of the retailer and out of the control of the consumer or the banks.
This brings us to the counter argument, specifically in relation to the increased risk of your card getting skimmed/cloned by the retailer when you hand it over. Een if it were viable to clone the chip cards, given that a card skimmed by a retailer would typically not get the pin as well (this of course is not always the case), using the now cloned card would have to make use of Prof Ross Anderson’s attack method, which if the aforementioned process change was implemented, would not work, so in effect increasing the risk of cloning, but decreasing the risk of a successful attack using the cloned card and “breaking the circuit”.
This of course relies on the premise that the use of the cards magnetic strip is in fact not viable, and therefore if anything, reinforces the use of Chip & PIN ironically. Of course in real life the Magstrip is regularly used, but that, again is outside the scope of this discussion and considered irrelevant in the face of the specific discussion around Prof Andersons attack.
There is always of course the argument for using a small form factor wireless transmission device to remove the need for wires, but given the form factor of a credit card and the inability to alter this form factor without raising suspicion, I am personally unsure that significant enough range for a TX/RX comms loop could be achieved given the power that could be implemented into a credit card sized device.
Again, in my original comments to the press I clearly stated that the system needed to be fixed, and that the attack was effective, so this is not me suggesting that we should brush this under the carpet, in fact it is simply looking at what we can potentially do NOW to protect the system, while its eventual upgrade is debated and planned.
Don’t forget, in this context I am just as much of a concerned consumer as you.
Related Images: [...]
LiveMixesA fresh mix for you all – Happy New Year!
Track List:
Albin Myers – Time Like These
Robbie Rivera – New Direction
Oliver Twizt – Yo’re Not Alone
John Dahlback – More than I Wanted
Chris Lake – If You Knew
Doman & Gooding Feat Dru & Lincoln – Runnin
Guetta Angello Gerraud Ingrosso Willis – Everytime We Touch
Steve Angello & Laifdback Luke Feat Robin S – Show Me Love
Planet Funk – Lemonade
Kurd Maverick – Blue Monday
Nari & Milani Feat Max C – Disco Nuff
Kevin Bryant – Who You Wanna Be
Empire of the Sun – Walking on a Dream
https://jabawoki.com/wp-content/mp3/Jabawoki_Sunny_Side_Up_25012010.mp3
Podcast: Play in new window | Download
Related Images: [...]
LiveMixeshttps://jabawoki.com/wp-content/mp3/Jabs_20102001_Progressive_House.mp3
Podcast: Play in new window | Download
Related Images: [...]
LiveMixesOldschool Hard House from the archives
https://jabawoki.com/wp-content/mp3/Jabawok_17122000_Stompin_Pumpin_Hard_House.mp3
Podcast: Play in new window | Download
Related Images: [...]
Alfa 159The final stage was putting all the wiring in place. I opted for 4 gauge cable from the battery up front and a 4 gauge earth in the rear, both connected back to brass 4 way distribution blocks so I could pull 8 gauge runs to amps and the line converter. This also left me the easy upgrade route for adding additional amps to run upgraded mids & tweeters in the cabin, but that’s another project!!
” order_by=”sortorder” order_direction=”ASC” returns=”included” maximum_entity_count=”500″]
Related Images: [...]
Alfa 159I already had the amplifier and sub from a prior install, and in that install I had discovered a problem with the pairing. The sub is an Infinity Kapa perfect 12 VQ rated at 400w RMS and the amplifier is an Alpine MRV-420 rated at 350W RMS. Driving the sub at high voltage, with line levels in excess of 4v and the gains maxed out means that the amp is producing closer to 450W RMS and the sub, which is well regarded as being able to handle much higher loads than 400W RMS, just laps it up, but had one small issue that needed sorting. It would overheat during extended sessions of Drum and Bass at full power! To sort this issue, I stripped the amp back to bare metal, rebuilt it using high grade CPU heat sink paste and added a temperature controlled cooling system utilising 6 x 40mm fans in a push/pull config. Needless to say, it can run at full power and then some, all day long now !
These images are of the strip & rebuild:
” order_by=”sortorder” order_direction=”ASC” returns=”included” maximum_entity_count=”500″]
Related Images: [...]
InfoSecOpen post to see coverage:
North West Insider – August 2007 – IT Security
North West Insider – August 2008 – BERR Survey
Related Images: [...]
Alfa 159I finally got round to installing the Wireless OBD II dongle I bought off ebay into my car the other day and thought I would document the process for those that may be interested.
First your going to need to pick one up. I bought a clone Kiwi Wifi dongle off ebay for £45 which is a third of the cost of an original branded version so a complete bargain! Its a great little unit and perfect for interfacing with any OBD application you may want it for. Once you get the unit delivered you will notice that it is a simple plug and play job with no configuration. While this is true in its simplest form, one slight issue I found is that the OBD port is always powered up, therefore you would have to plug it in and remove it when you were not using it or it would always be broadcasting direct access to your cars ECU via a wireless network, which in my book is not the best of ideas!
So the first job you have is to retro-fit an on off switch to allow for a more permanent installation! Its an easy job and Maplin have micro 12v switches that will fit and do the job well for a few pence. Just slide your fingernails around the edge of the front plastic cover and it will literally pop off in your hands, giving you access to the internals. All you need to do is de-solder the power connection (trace pin 16 on the connector), add a new bit of wire from the board to your switch and back to the original wire where you can splice it back together. To do this nicely you need about 12cm of wire, 2cm of heat shrink wrap, a soldering iron & solder & a small switch.
Fit the switch on the side of the unit for easy access and put the cover back on with a dab of glue to hold it in place.
Here is an image of my modified unit.
Once the unit is installed in the car, you can connect it to your chosen application which for me was Rev2 from Dev Toaster on the iphone. This app is a bit pricey at £26 for the pro version, but gives me everything I want in terms of access to key metrics in real time, full data logging and even engine code interrogation and resetting! It can get data on a large number of points including:
Vehicle Speed
RPM
Fuel Consumption
Engine Coolant Temp
Fuel Pressure
Calculated Engine Load
Throttle Position
Intake Manifold Pressure
Air Intake Temp
Timing Advance
Mass Air Flow
Fuel Level
Barometric Pressure
EVAP System Vapor Pressure
Fuel Trim
Boost
Examples:
In terms of the actual connection between the iphone and the OBD II dongle, its as simple as:
Connect the OBD II and power on
Go to settings > WiFi on the iPhone
Press the arrow next to “CLKDevices” network
Set a static IP of192.168.0.11 & netmask of 255.255.255.0, save and exit
Open Rev2, go to settings, hardware choose Kiwi Wifi, then select custom from the bottom
Set the device to 192.168.0.10 and port of 35000
Done.
From this point your up and running!
You do need to configure a profile for your car, with its kerb weight as this is used to calculate torque and BHP. My kerb weight is documented at 1680KG, but I have the top spec TI version with all the extra trimmings so expect it to be closer to 1750KG. I am of course excluding the 75KGs of lard I personally add to the equation, but I think thats fair! I will actually get it weighed at some point just to be pedantic, but for now 1750kg’s is close enough for me.
http://www.youtube.com/watch?v=NWvbQ1RdHCo
Related Images: [...]
GeneralI can’t give these little devices enough praise! They are so easy to use and bring a new dimension to your sound. Ok, so most modern mixes have cuts and kills by default, but they are not a patch on one of these, not even on a Pioneer DJM600! These little gems use near analogue circuitry to give you a warm rich softer sound, rather than the cheaper mixer embedded kills you find these days.
If you can find some of these, buy them, they really are worth it. I had to get mine off ebay in the US, but despite coming with 110v power supplies and the hastle it took to find a suitable UK one to replace them, it was worth every penny.
This is what you get for your money:
“The Electrix EQ Killer ($299) is a Kill Box that lets DJs and producers EQ an element without investing in expensive equipment. Built like a tank, the unit comes encased in a rugged aluminium housing that will absorb a lot of abuse. With the included joiner plate, you can connect two Electrix Mods devices in a 19-inch rack. The EQ Killer can also rest on a flat surface. The front panel is tilted upward, making the controls easier to read.
Kill the Band The front panel is divided into three sections: Low, Mid, and High. Each section has a Momentary switch, a Band Kill switch, and level control knobs. The level knobs dial up the amount of gain or attenuation for their respective frequency bands, offering up to 6 dB of gain per band. Unity gain is achieved when the level knob is set at 12 o’clock. Between the Low, Mid, and High level knobs are the Low X-Over and High X-Over sweep controls. The Low X-Over sets the point where the Low band ends and the Mid band starts. The High X-Over adjusts where the Mid band ends and the High band starts.
The back panel has three input/output sections. Inputs 1 and 2 have standard RCA stereo connectors. There’s also a switch to select between line level and turntable input levels, and grounding posts for turntables. The third section’s Send/Return loop lets you apply external effects to the killed band. At the front of the unit’s bottom right-hand corner is an input selection switch for toggling between turntables or line-level devices. The button will act as a bypass switch if there’s only one device connected to EQ Killer”.
Related Images: [...]