Archive for July, 2010

Print Date Range Shell Script

Wednesday, July 28th, 2010

Update: This had a bug in it when printing ranges in the same month. This problem is now corrected and the file can be redownloaded at the same location.

If you have ever dealt with this problem before, you know it is a pain in the head. You have two dates and you need to print all the dates between them, inclusive, but that darn Gregorian Calendar system has uneven months. Furthermore, after you get through twelve months you have to start a whole new year. The logic for this was just as painful to write as it looks in shell, but this is a very useful script and one I do not want to write again. You can download it here.

This is how it works:

Example: ./validateDate.sh -d "1337-01-04-09 to 1337-02-12-09"

Output:

1337-01-04
1337-01-05
1337-01-06
1337-01-07
1337-01-08
1337-01-09
1337-01-10
1337-01-11
1337-01-12
1337-01-13
1337-01-14
1337-01-15
1337-01-16
1337-01-17
1337-01-18
1337-01-19
1337-01-20
1337-01-21
1337-01-22
1337-01-23
1337-01-24
1337-01-25
1337-01-26
1337-01-27
1337-01-28
1337-01-29
1337-01-30
1337-01-31
1337-02-01
1337-02-02
1337-02-03
1337-02-04
1337-02-05
1337-02-06
1337-02-07
1337-02-08
1337-02-09
1337-02-10
1337-02-11
1337-02-12
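
The date-walking logic described above, as an added example in POSIX sh; this is not the downloadable validateDate.sh. It assumes two YYYY-MM-DD arguments instead of the script's -d "... to ..." form, and the function names (num, days_in_month, parse_date, date_range) are this example's own.

```shell
#!/bin/sh
# Added example (not the original validateDate.sh): inclusive date range in POSIX sh.
# Assumes YYYY-MM-DD input and the proleptic Gregorian leap-year rule.

# Strip leading zeros so "08" and "09" are not read as invalid octal in $(( )).
num() { n=${1#"${1%%[!0]*}"}; echo "${n:-0}"; }

# days_in_month YEAR MONTH
days_in_month() {
    case $2 in
        4|6|9|11) echo 30 ;;
        2) if [ $(( $1 % 4 )) -eq 0 ] && { [ $(( $1 % 100 )) -ne 0 ] || [ $(( $1 % 400 )) -eq 0 ]; }
           then echo 29; else echo 28; fi ;;
        *) echo 31 ;;
    esac
}

# parse_date STRING: sets Y, M, D, or returns 1 if STRING is not a real date.
# The digit-only pattern check runs before any arithmetic, so untrusted
# text never reaches arithmetic expansion.
parse_date() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    rest=${1#*-}
    Y=$(num "${1%%-*}"); M=$(num "${rest%-*}"); D=$(num "${rest#*-}")
    [ "$M" -ge 1 ] && [ "$M" -le 12 ] && [ "$D" -ge 1 ] &&
        [ "$D" -le "$(days_in_month "$Y" "$M")" ]
}

# date_range START END: prints START..END inclusive, one date per line.
date_range() {
    parse_date "$2" || { echo "bad end date" >&2; return 2; }
    end=$(( Y * 10000 + M * 100 + D ))
    parse_date "$1" || { echo "bad start date" >&2; return 2; }
    [ $(( Y * 10000 + M * 100 + D )) -le "$end" ] || { echo "start is after end" >&2; return 2; }
    while [ $(( Y * 10000 + M * 100 + D )) -le "$end" ]; do
        printf '%04d-%02d-%02d\n' "$Y" "$M" "$D"
        D=$(( D + 1 ))
        if [ "$D" -gt "$(days_in_month "$Y" "$M")" ]; then
            D=1; M=$(( M + 1 ))
            if [ "$M" -gt 12 ]; then M=1; Y=$(( Y + 1 )); fi
        fi
    done
}

if [ $# -eq 2 ]; then date_range "$1" "$2"; fi
```

Same-month ranges, the December-to-January rollover and February in leap years all go through the same loop, so there is no separate code path for ranges inside one month.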

Fire Hydrant Hacks

Thursday, July 22nd, 2010

Today I was walking and I came across something I thought was very interesting. A lot of people say in order to be a good penetration tester you have to think “outside the box”. Well I’m not going to be preachy here, but the way this person thought to modify a fire hydrant with some PVC pipe in order to water the lawn was genius. I just had to take some pictures and share it. Here they are:

Physical Phishing Scam

Sunday, July 18th, 2010

Normally when people in the information security community think of phishing attacks, they think of the 409/419 gang sending you emails to ask you for your password, or links to fake websites that try to steal your account information. At the Information Security Privacy conference I participated in, there was a phishing scheme I had never seen before. There were people that were slipping physical advertisements under hotel room doors that were offering pizza and other types of food. Unsuspecting tourists would call the number on the flyer to order pizza and the owner of the number would take their order and steal their credit card information. The only disclosure the Imperial Swan hotel made was to post about this scheme on their TV in the lobby. I would not even have known about it if someone else doing a presentation in Security Awareness had not mentioned it in her presentation.  I had a flyer for pizza slipped under my door and decided to save it. Here is what I think the flyer looks like:

Here you see I scanned the front and back of the pizza flyer into my computer. I believe this is the legitimate flyer from the phishing scam. I say this because if you look up the numbers on the flyer they are unpublished. What kind of business does not want their number publicly known? Also, if you look up numbers for Roma’s Pizza in Orlando, Florida near Universal, the closest one to the Imperial Swan hotel is on International Dr. and their numbers are different from the numbers on this flyer. In fact, no numbers for Roma’s Pizza in the area even come close to matching the phone numbers listed on the flyer. I didn’t want to call the numbers on the flyer because I did not want my phone number to be data mined for advertisement schemes, but when my friend called at 3 am we did not get an answer. The flyer says they are open until 4 am. This may be a legitimate business on the flyer, but I sure am not going to call and find out. On another note, this just goes to show you how lucrative a business phishing can be if people can afford to print out and distribute flyers at physical locations in order to steal your credit card/debit card information.

Multiconf Information and Security Privacy (ISP) Slides

Thursday, July 15th, 2010

As many of you who are coming here for the slides you requested probably know, I spoke at Multiconf last Tuesday in Orlando, Florida (7/13/2010) for the Information and Security Privacy sub-conference. My paper was ISP113 “HIPPA Violated by Wireless Access Points”. On the slide where I give statistics, here is what the statistics mean:

Green bar (no encryption) – 113 Access Points

Blue bar (WEP encryption) – 152 Access Points

Orange (WPA-TKIP encryption) – 23 Access Points

Yellow (WPA-AES encryption) – 56 Access Points

If you combine the Access Points with no encryption, WEP encryption, and WPA-TKIP encryption, all of which are vulnerable to being connected to or having their encryption cracked, that makes 288 of the 344 Access Points.

The slide can be downloaded from here: HIPPA Violated by Wireless Access Points

If you were at the conference and want a copy of my paper I can give it to you, otherwise I’m pretty sure Multiconf reserves the right to publish my paper so I cannot give it out to the general public or publish it on my site.

Also thank you to Promote Research (http://www.promoteresearch.org) for organizing the conference.

Dialog with an Underground Hacker

Thursday, July 8th, 2010

Disclaimer: I am not a Black Hat hacker. If anything I am Grey Hat at worst, but I consider myself White Hat. I try my hardest not to break the laws of the land I am in when I know about them.

The following private conversation is a dialog I had on IRC with a Black Hat. I have obscured the conversation to hide his or her contact details and other information throughout the conversation that may give hints as to who this person is. Normally, I do not snitch on people unless they are directly going to endanger other people’s lives. This is why I am protecting this person’s information. I enjoy social networking with all kinds of people, even if they are the kind of person that is on what people consider to be the “evil” side. My integrity for the bad guys means just as much to me as it does for the good guys. One thing I must state though is that I do not wish to be in contact with people that are foreign nationals or stupid people that are going to tell me about classified information. So if you have classified information, don’t talk to me about it. I do not want to end up being the next Adrian Lamo.

I am publishing this conversation for two reasons. (1) Because I want to show people out there that real computer crimes are out there (paying well) and (2) I wanted to flaunt that this person apparently thinks I have enough skills that they sought me out to break into a database and steal personal information. I am flattered really, but again I am not a Black Hat and would never do anything like this. With that said, here is the conversation:

— Log opened Fri Jul 02 09:13:48 2010
09:13 -!- Irssi: Starting query in #obscured#  with #obscured username#
09:13 <obscured> hello
09:19 <Dantevios> hi
09:20 <obscured> Nice to meet you
09:20 <obscured> I want to know you,and i  make you my friend .Could i?
09:21 <Dantevios> Nice to meet you too, it is possible. I do like making friends, especially in the information security field. Where are you from?
09:23 <obscured> I’M from #obscured#
09:23 <Dantevios> Very interesting. I must ask though, do you work for the #obscured# government?
09:24 <Dantevios> Or are you a Nationalistic hacker?
09:25 <obscured> no
09:25 <Dantevios> Very good then, we can be friends :)
09:25 <Dantevios> How old are you?
09:25 <obscured> #obscured#
09:26 <obscured> are you?
09:26 <Dantevios> I’m 23
09:26 <Dantevios> What do you do for a living?
09:28 <obscured> I’m work about business information
09:28 <Dantevios> cool, do you have a website or a blog?
09:29 <obscured> sorry,no
09:30 <obscured> are you hacker?
09:30 <Dantevios> I wouldn’t say I was a hacker, but a Penetration Tester sure.
09:30 <Dantevios> Hacker carriers a negative connotation in America, we don’t like to use that word to classify our profession.
09:32 <obscured> Understand
09:32 <obscured> I need to hacking the database
09:32 <obscured>  i need  your help
09:34 <obscured> hello,in?
09:35 <obscured> Of course, I will pay you
09:36 <Dantevios> What database?
09:36 <obscured> #obscured# Database
09:37 <Dantevios> This is a company? #obscured#?
09:39 <obscured> #obscured#
09:40 <Dantevios> do they have a website or something? I’m not sure what you are referring to
09:42 <obscured> I need the Mobile phone users date
09:42 <obscured> #obscured website#
09:43 <Dantevios> why me? and how much would you pay for this data?
09:44 <obscured> 10000 dollar
09:44 <Dantevios> US?
09:44 <obscured> yes
09:45 <Dantevios> and how will you pay me?
09:47 <obscured> Bank Transfer
09:48 <obscured> or eBay
09:48 <Dantevios> you have never done something like this before have you?
09:49 <Dantevios> don’t you know escrow? paypal? etc
09:49 <obscured> yes.i know
09:50 <Dantevios> What kind of data are you looking for specifically?
09:51 <obscured> the Mobile phone users date
09:51 <Dantevios> yeah, are you looking for accounts/passwords or numbers or what kind of data
09:51 <Dantevios> there is a lot of data
09:53 <obscured> For example, the number, zip code, ID card, the bill, the age. . .
09:53 <obscured> yes
09:54 <obscured> 50-200G
09:55 <Dantevios> what do you mean 50-200G?
09:55 <obscured> I guess, maybe not so much?
09:56 <Dantevios> I don’t understand these numbers 50-200G
09:56 <Dantevios> what are you referring to when you say 50-200G?
09:58 <obscured> the database capacity
09:59 <Dantevios> 50-200 gigabytes of data?
09:59 <obscured> yes
09:59 <Dantevios> Is there any way I can contact you other than IRC?
10:01 <obscured> do you have ICQ?
10:01 <obscured> or gtalk?
10:01 <Dantevios> I have gtalk, what is your gtalk?
10:02 <obscured> #obscured email address#
10:05 <Dantevios> and ICQ?
10:06 <obscured> #obscured ICQ number#
10:07 <Dantevios> How did you find out about me? Did you just message me because I was in #obscured chatroom# ?
10:09 <obscured> no
10:09 <Dantevios> ah, where have you heard of me before then?
10:12 <obscured>  a friend in network. but I forgot the name
10:13 <Dantevios> A friend I wrote an email harvesting tool for perhaps?
10:17 <obscured> no understand
10:18 <Dantevios> Well you have contacted me from no where and I don’t know who you are, but you know who I am. I am trying to figure out how my friends know your friends :) .
10:19 <Dantevios> This is about trust.
10:19 <obscured>  understand
10:20 <obscured> what do you know?
10:20 <Dantevios> what do I kno wabout what?
10:20 <Dantevios> what do I know about what? *
10:21 <obscured> Do you want to know?
10:21 <Dantevios> yes
10:22 <obscured> #obscured email#
10:22 <obscured> it’s gtalk
10:23 <Dantevios> he told you about me?
10:27 <obscured> yes
10:27 <Dantevios> How does he know me? I do not know him….
10:28 <obscured> This I don’t know
10:29 <Dantevios> When do you need this information by?
10:33 <obscured> July, August.The sooner the better
10:35 <obscured> hello,in?
10:36 <obscured> 2010.7-2010.8.The sooner the better
10:36 <Dantevios> Give me some time to think about it. I am at work right now. I must bet back to my job. If I am in, I will contact you.
10:38 <obscured> ok.thanks.How do I contact you?
10:40 <Dantevios> You don’t. I will contact you.
10:41 <obscured> ok
10:43 <obscured> What time can you contact me?
10:44 <obscured> last?
10:47 <Dantevios> I will contact you by emailing you at #obscured email#
10:49 -!- obscured [~#obscured#] has quit [Ping timeout: 240 seconds]
— Log closed Fri Jul 02 10:55:26 2010
— Log opened Fri Jul 02 11:11:56 2010
11:11 <obscured> hello,in?
11:14 <Dantevios> hi, what?
11:15 <obscured> What time can you contact me?last time
11:18 <Dantevios> I told you I will contact you by email, probably at around 00:00 GMT
11:18 <Dantevios> to your address #obscured#
11:19 <obscured> ok
— Log closed Fri Jul 02 11:24:26 2010
— Log opened Fri Jul 02 12:11:05 2010
12:11 -!- obscured [~#obscured#] has quit []
— Log closed Fri Jul 02 12:16:26 2010

http://theweek.com/article/index/204061/wikileaks-who-is-hacker-hero-adrian-lamo