2012
04.03

I have barely used this blog at all and it’s time for some updates. Let me know if you actually read this blog…

Since January I have been living in Melbourne, Australia and working as a security consultant for Stratsec. I’m keen to hear from other infosec people in the area. Before that I was in Wellington, working for Security-Assessment.com, New Zealand’s coolest IT security consultancy.

So what’s new? Late last year I did a couple of presentations at Kiwicon V. The presentations are:

1) Abode Vulnerabilities. Learn how to bring hardware hacking closer to home by hacking New Zealand’s most popular garage doors. This project is powered by the Arduino, the opensource hardware platform that makes electronics more accessible.

2) Decrypting the Cloud. This is a cautionary tale about failed opsec, weak crypto and misplaced trust in the cloud. Take a guided tour through a treasure trove of cracked ciphertext booty including CCs, SQLis, 0days, password dumps, and more.

I haven’t published anything on this website about these projects yet. I’m considering making page for the Arudino Garage Door hacking if there’s sufficient interest.

2011
04.18
 _______ _____ _____                       __
|     __|   __|   __|.-----..-----..-----.|  |.-----..-----..----..---.-..-----.
|    |  |  |  |  |  ||  _  ||  _  ||  _  ||  ||  -__||__ --||  __||  _  ||     |
|_______|_____|_____||_____||_____||___  ||__||_____||_____||____||___._||__|__|
   G-G-Googlescan vo.4 (o4/2o1o)   |_____|          by urbanadventurer
------------.-------------------------------------------------------------------

Google scraper for automated searching. Returns URLs and hostnames

Homepage http://www.morningstarsecurity.com/research/gggooglescan
Download http://www.morningstarsecurity.com/downloads/gggooglescan-0.4.tar.gz
Version o.4, 18th April 2011
License GPLv3
Author urbanadventurer aka Andrew Horton from Security-Assessment.com

| Contents

2010
04.27

It’s time for the Christchurch ISIG (Information Security Interest Group) meeting again.

When: 6.45pm, Thursday the 29th of April (The last Thursday of the month)

Where: Upstairs in the couch area at the Canterbury Innovation Incubator, 200 Armagh St. The doors to the Canterbury Innovation Incubator will be locked. Press the doorbell inside the open roller doors or TXT 0272 646 959 for entry.

Speaker: Caleb Anderson will be presenting on social network security issues.

Sponsor: Nick FitzGerald of Computer Virus Consulting is sponsoring this month’s beer.

As usual, it’s a casual beer-friendly event.

For more information and the mailing list see NZISIG.

2010
03.22

It’s time for the ISIG (Information Security Interest Group) meeting again. This week MorningStar Security will be sponsoring some beer.

When: 6.45pm, Thursday the 25th of March (The last Thursday of the month)

Where: Upstairs in the couch area at the Canterbury Innovation Incubator, 200 Armagh St. The doors to the Canterbury Innovation Incubator will be locked. Press the doorbell inside the open roller doors or TXT 0272 646 959 for entry.

Speaker: Andrew Horton (urbanadventurer) will be speaking about fingerprinting the top 100,000 websites with WhatWeb.

See you there :)

2010
02.12

Tomorrow I leave for India to conduct a workshop at IIT Guwahati, a prestigious Indian university. I was invited by Vivek Ramachandran of Security Tube fame to lecture and provide a workshop on information security for ISEA (Indian Security Education & Awareness) which is a project organised by the Department of Information Technology of the Government of India.

The purpose of ISEA is to improve understanding of IT security so my first thought was that the OWASP Top 10 Risks is perfect for this so I’m going to explain the new 2010 release candidate list.

Here’s my talk abstract:
Introduction to web hacking. Information on how to detect, prevent and exploit the top ten most
common web vulnerabilities as specified by OWASP (Open Web Application Security Project). Practical
attack scenarios and demonstrations will be given for each of the classes of vulnerability. The 2010
OWASP Top 10 vulnerability classes are injection, cross site scripting (XSS), broken authentication
and session management, insecure direct object references, cross site request forgery (CSRF),
security misconfiguration, failure to restrict url access, unvalidated redirects and forwards,
insecure cryptographic storage, insufficient transport layer protection. Examples will be given in
PHP because it is the most common web language.

Interestingly enough, IIT is an Indian university featured in the Dilbert cartoon strips.

2010
01.26

Update: CISG has been absorbed into the Information Security Interest Group (ISIG). All meeting details are the same except for the name which is now, ISIG Christchurch Chapter.

I’m setting up the Christchurch Information Security Group (CISG) ISIG Christchurch Chapter to help organise the local Information Security community. It’s a casual meeting for information security enthusiasts to network and collaborate on projects. Business, academic and amateur people are welcome.

When: 6.45pm, the last Thursday of the month, beginning Thursday 28th of January.

Where: Upstairs in the couch area at the Canterbury Innovation Incubator, 200 Armagh St.
The doors to the Canterbury Innovation Incubator will be locked. Press the doorbell inside the open roller doors or TXT 0272 646 959 for entry.

Questions and comments are welcome :)

2009
12.02

I was a speaker at the annual, New Zealand IT security conference, Kiwicon, in Wellington this year. I spoke on “New Zealand Web Reconnaisansse with WhatWeb”. Kiwicon is fast growing a reputation as a conference of the highest international standard.

Talk abstract: Ever wanted to web scan all of New Zealand but didn’t have the right tools? Me too, so I developed WhatWeb, a next generation website identification scanner. With stealth-mode turned all the way up to 11 it’s less intrusive than the Google crawler and eminently suitable for large scale internet scanning. Look foward to juicier web statistics than at NetCraft.com and a guided tour to the unindexed websites hidden among NZ’s 6 million allocated IPs. The web space is littered with voip phones, web cameras, printers, routers and bizzare devices to amaze and astound you. WhatWeb will be officially released at Kiwicon 2009.

Tools published at the Kiwicon conference:

  • Whatweb – next generation webscanner. Whatweb homepage
  • bing-ip2hosts – Enumerate hostnames from Bing.com for an IP address.
    Bing.com is Microsoft

2009
12.02

I was a guest speaker at the NZITF (New Zealand Internet Task Force) meeting on Friday, November 27th. I spoke on the topic of WebWatcher and next generation web scanning. I wish to thank Paul McKitrick for inviting me to speak. The talk was well received, I enjoyed presenting and met some interesting people.