Monday, August 30, 2010

An experimental presentation

Yes, I am going to have an experimental presentation in Lausanne, SW during the eGOV 2010 conference. Am I crazy ? Well .... first of all eGOV conferences have been not my field ( SO FAR ! ;) which means nobody knows me, so what a better chance to try with a new presentation concept ? I am bored about the usual "slides" LateX/Beamer presentations, I wanna do something different. Lets try it and see how it goes.

I know my prezi presentation is not really good in terms of fashion, images, graphics .. but it is my first one made in less then one day after the need to paradigm change from beamer to prezi. Every comment, suggestion critic is welcome.

Sunday, August 29, 2010

Leaving to Lausanne, SW

Hey guys, I am already in late.. I have my train in half an hour ! I am going to leave Italy to Lausanne, eGov and ePart conference. I am going to talk about "Penetration testing methodologies and how to apply them to Electronic Voting Systems". My talk will be available on the proceedings and on my blog late this evening or tomorrow.

I hate to travel by train :(, but this time seemed to be mandatory since Lausanne it's very close to my place.

Wednesday, August 25, 2010

Social Steganography: Learning to Hide in Plain Sight

Folks, a really nice short reading for the day.

From Danah Boyd:

Carmen and her mother are close. As far as Carmen’s concerned, she has nothing to hide from her mother so she’s happy to have her mom as her ‘friend’ on Facebook. Of course, Carmen’s mom doesn’t always understand the social protocols on Facebook and Carmen sometimes gets frustrated. She hates that her mom comments on nearly every post, because it “scares everyone away…Everyone kind of disappears after the mom post…It’s just uncool having your mom all over your wall. That’s just lame.” Still, she knows that her mom means well and she sometimes uses this pattern to her advantage. While Carmen welcomes her mother’s presence, she also knows her mother overreacts. In order to avoid a freak out, Carmen will avoid posting things that have a high likelihood of mother misinterpretation. This can make communication tricky at times and Carmen must work to write in ways that are interpreted differently by different people.

PS: I know, as Bruce pointed out it's not "new". Well, I am not on the "social side of security", so for me it was a new reading. If you are not into "social security" too, I strongly recommend these 5 minutes of readings.

Saturday, August 21, 2010

PAC-MAN on the Sequoia AVC-Edge DRE Voting Machine

Hi Folks,
today I wanna point out this funny and interesting web site where a group of students have taken a Sequoia AVC-Edge and turned into a PAC-MAN console.
Tampering with voting devices is not original by itself; the authors of the paper " Practical AVC-Edge CompactFlash Modifications can Amuse Nerds " (the same authors of the aforementioned web site ) admitted that by reporting on their great presentation (link of the presentation) during the EVT/WOTE 2010 conference the "story of voting device hacking". However they did a great job by hacking the machine, moreover the presentation was really fun !

How did they reprogram the machine ?

The original election software used the psOS+ embedded operating system. We reformatted the memory card to boot DOS instead. (Update: Yes, it can also run Linux.) Challenges included remembering how to write a config.sys file and getting software to run without logical block addressing or a math coprocessor. The entire process took three afternoons.

Good job guys !

Wednesday, August 11, 2010


A quick post from my mobile device to point out this incredible free service: PDFMyURL.

If you are behind a content filter or if you are not sure about the link you are going to open, you may want to use this great free service. It opens the link for you and it prints the home page on a PDF file.

Now I gotta some suspected about the security of this method, probably everybody knows about the last trojans propagation through PDF files. It would be interesting to analyze if it is possible to forge a webpage that will introduce Javascript malware into the crafted PFDmyURL's files

Tuesday, August 10, 2010

Summertime and DOMScan

Hi folks,
it is summertime, which means beaches, ocean, BBQ and friends. It has been long time since I had an Italian summertime, so apologize myself if you do not see much new stuff on my personal blog :).

Ok, now lets talk about DOMScan a great project for web pen testers:

DOMScan is utility to drive IE and capture real time DOM from the browser. It gives access to active DOM context along with JavaScripts. One can observe the DOM in detail using this utility. It has predefined rules to scan DOM. One can run the scan on existing DOM and fetch interesting entry points and calls. It allows tracing through JavaScript variables as well.DOMScan is a multipurose tool can be used for many types of testing like web application , penetration testing , code deguging or some what fuzzing. It up to us how to use it.