Justin M. Wray's Blog: Nothing special, just my life...<br />
<br />
Maryland Cyber Challenge and Conference & Global CyberLympics: TeamSploit<br />
Justin M. Wray, 2012-08-26<br />
<br />
This post is part of a five-part series: <a href="http://justinwray.blogspot.com/2012/08/maryland-cyber-challenge-and-conference.html">The Journey (Part 1)</a>, TeamSploit (Part 2), Trollware (Part 3), Unsploitable (Part 4), Defensive Tools For The Blind (Part 5).<br />
<br />
<h2>
Description:</h2>
TeamSploit makes group-based penetration testing fun and easy, providing real-time collaboration and automation. TeamSploit is a suite of tools for the Metasploit Framework. TeamSploit should work with any MSF product (including OpenSource, Express, or Pro).<br />
<br />
Features Include:<br />
<br />
<ul>
<li>Exploitation Automation</li>
<li>Automated Post-Exploitation</li>
<li>Information and Data Gathering</li>
<li>Session Sharing</li>
<li>Trojans and Trollware</li>
</ul>
<br />
TeamSploit's primary goal is to automate common penetration testing tasks, and provide access and information to fellow team members.<br />
<br />
<h2>
The Origin:</h2>
TeamSploit's origin actually begins before the Global CyberLympics (GCL), and before Team ICF took first place at the Maryland Cyber Challenge and Conference (MDC3). The basis of TeamSploit was actually a result of our preparation for the Penetration Testing round of the MDC3. At that point in time it wasn't even called TeamSploit, nor was it nearly as feature-filled, but the foundation was laid.<br />
<br />
It is common knowledge that a penetration test entails a lot more than simply exploiting systems. When someone hires a team to perform a penetration test, they are not hiring a group to wreak havoc on their infrastructure, but instead they are buying a report. In fact, a great deal of a penetration tester's time is spent preparing, drafting, and organizing the final report that will be delivered to the client. While at the time we didn't know the specifics of the final round of the MDC3, we did know it would include report writing or some simulation of that aspect.<br />
<br />
Enter <i>Auto Post</i> - a Metasploit Meterpreter Plugin I created to assist in the reporting aspect of a penetration test. It was essentially a collection of post exploitation processes and tasks one would manually complete. It included other Meterpreter scripts and plugins and plenty of Windows commands, all with the goal of collecting a large amount of information about a system directly after exploitation. Many believe that Post Exploitation is the harder stage of an attack, and I aimed to make that comment obsolete. <i>Auto Post </i>would capture password hashes, obtain lists of running services, provide a comprehensive list of installed software, provide information on who is logged on to the system, network infrastructure information, and much more. <i>Auto Post</i> also automated the process of maintaining access, another key step of an attack, ensuring we wouldn't lose access to our targets. In all, when running this primitive, early version of TeamSploit, you found yourself with an exhaustive log file and persistent access for each target you successively compromised - all in an automated fashion.<br />
<br />
Ultimately, we did utilize <i>Auto Post </i>in our journey to victory at the penetration testing finale of the MDC3. After gaining access to all of the systems, we delved into the produced <i>Auto Post</i> logs and started generating the requested reports for the competition. In the end, we won and were rushing away to Miami, where we honestly didn't have much use for <i>Auto Post</i>, but we did have use for persistent access to the systems. So TeamSploit was officially born. At this point it was little more than a configurable, template-driven version of <i>Auto Post</i>, but it was well on its way to becoming what it is today. TeamSploit was slowly evolving from a simple Meterpreter script to a collection of scripts, plugins, tools, and importantly, even more automation. For our North American Championship, we used TeamSploit to pass sessions to each other and manage our persistent access. However, our journey didn't end in Miami and we needed to prepare for the World Finals.<br />
<br />
As was discussed in the previous post of this series, we knew the long wait between the regional Championships and the World Finals would breed a large amount of development, tools, and automation from our various competitors. It was during this window of time that TeamSploit grew into the product it is today. Feature after feature was conjured, developed, and implemented. The team practices became a breeding ground for novel ideas and tactics, and my development time became an orchestration to develop these new tactics and automate them as much as possible. If it could be automated, our plan was to have it automated. And let's be honest, it is possible to automate almost everything we do, so automated it would become.<br />
<br />
Yet the World Finals of the GCL are not the end of the TeamSploit story. In fact, it is just the beginning. Today TeamSploit is still under active development. More automation is added on a constant basis and the team and I still come up with ideas that are added regularly.<br />
<br />
<h2>
Setup:</h2>
Downloading and installing TeamSploit is simple, as the project is hosted on Subversion at SourceForge. To check out the latest copy of TeamSploit, simply run the following command in a terminal:<br />
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">svn checkout svn://svn.code.sf.net/p/teamsploit/code/trunk teamsploit</span></blockquote>
The next step is to properly configure TeamSploit for your given team and environment. You'll find the configuration file in your newly created <i>teamsploit</i> directory - <i>teamsploit.conf</i>. TeamSploit comes with a large, comprehensive configuration file; I'm not going to go over the entire file, but I'll hit the important points.<br />
<br />
First things first, make sure you change the first configuration option:<br />
<br />
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"># Change this to a '1' (no qoutes) when you finish editing this file...</span> </blockquote>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_CONFIG=1</span></blockquote>
<br />
This ensures that you actually configure TeamSploit before attempting to run it the first time, saving you a great deal of headaches down the road.<br />
<br />
Now you'll need to specify the interface you are using:<br />
<br />
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_MY_INT=eth0</span></blockquote>
<br />
Next you are going to want to configure the team database to which you are connecting. Obviously someone needs to be running a database. The team member who plans to host the server simply needs to set up a PostgreSQL database and share the following information with you:<br />
<br />
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_DB_NAME=teamsploitdb</span> </blockquote>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"></span><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_DB_HOST=192.168.1.100</span> </blockquote>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"></span><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_DB_PORT=5432</span> </blockquote>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"></span><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_DB_USER=teamsploit</span> </blockquote>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"></span><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_DB_PASS=password</span></blockquote>
<div>
If a fellow teammate is running the MSFD service, you'll want to specify connection information for that as well:</div>
<div>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_MSFD_CONNECT=1</span> </blockquote>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_MSFD_HOST=192.168.1.100</span> </blockquote>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_MSFD_PORT=51337</span></blockquote>
</div>
<div>
The final item you'll want to properly configure happens to be one of the most important, the team mates and ports you'll be sharing sessions with:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_TEAM_MATES="192.168.1.101;192.168.1.102;192.168.1.103;192.168.1.104"</span> </blockquote>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"></span><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_TEAM_PORT=1025</span> </blockquote>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"></span><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_TEAM_PORT_2=7000</span> </blockquote>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"></span><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_TEAM_PORT_HTTP=80</span> </blockquote>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"></span><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_TEAM_PORT_HTTPS=443</span> </blockquote>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"></span><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">TS_TEAM_PORT_DNS=53</span></blockquote>
</div>
<div>
At this point, TeamSploit should be configured and ready for you to start using.</div>
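A pre-flight check for the settings walked through above, added here as an example and not part of TeamSploit: it parses a <i>teamsploit.conf</i>-style file and flags a placeholder database password, server or teammate addresses outside private (RFC 1918) space, and invalid ports. The private-addressing rule, the placeholder list and the sample file are assumptions made for this example.

```python
import ipaddress

# Assumption: the team LAN uses RFC 1918 addressing, as the post's sample values do.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical deny-list of passwords nobody should leave in a shared config.
PLACEHOLDER_PASSWORDS = {"", "password", "changeme", "teamsploit"}
HOST_KEYS = ("TS_DB_HOST", "TS_MSFD_HOST")
PORT_KEYS = ("TS_DB_PORT", "TS_MSFD_PORT", "TS_TEAM_PORT", "TS_TEAM_PORT_2",
             "TS_TEAM_PORT_HTTP", "TS_TEAM_PORT_HTTPS", "TS_TEAM_PORT_DNS")

# Constructed sample input (not a real team's file).
SAMPLE_CONF = """
# Change this to a '1' when you finish editing this file...
TS_CONFIG=1
TS_MY_INT=eth0
TS_DB_HOST=192.168.1.100
TS_DB_PORT=5432
TS_DB_USER=teamsploit
TS_DB_PASS=password
TS_MSFD_CONNECT=1
TS_MSFD_HOST=192.168.1.100
TS_MSFD_PORT=51337
TS_TEAM_MATES="192.168.1.101;192.168.1.102;193.168.1.104"
TS_TEAM_PORT=1025
TS_TEAM_PORT_2=70000
"""


def parse_conf(text):
    """Parse shell-style KEY=VALUE lines, skipping blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip("\"'")
    return conf


def is_team_lan(addr):
    """True when addr is an IP literal inside one of the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames and garbage are reported, not resolved
    return any(ip in net for net in RFC1918)


def lint(conf):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if conf.get("TS_CONFIG") != "1":
        findings.append("TS_CONFIG: file has not been marked as reviewed")
    if conf.get("TS_DB_PASS", "").lower() in PLACEHOLDER_PASSWORDS:
        findings.append("TS_DB_PASS: empty or placeholder password")

    mates = [m.strip() for m in conf.get("TS_TEAM_MATES", "").split(";") if m.strip()]
    if not mates:
        findings.append("TS_TEAM_MATES: no team mates listed")
    if len(set(mates)) != len(mates):
        findings.append("TS_TEAM_MATES: duplicate address")

    # Sessions and collected data go to these hosts, so each must be on the team LAN.
    targets = [(k, conf[k]) for k in HOST_KEYS if k in conf]
    targets += [("TS_TEAM_MATES", m) for m in mates]
    for key, addr in targets:
        if not is_team_lan(addr):
            findings.append(f"{key}: {addr} is not an RFC 1918 address")

    for key in PORT_KEYS:
        value = conf.get(key)
        if value is None:
            continue
        if not (value.isascii() and value.isdigit() and 1 <= int(value) <= 65535):
            findings.append(f"{key}: {value!r} is not a valid port")

    if conf.get("TS_MSFD_CONNECT") == "1" and not (
            conf.get("TS_MSFD_HOST") and conf.get("TS_MSFD_PORT")):
        findings.append("TS_MSFD_CONNECT: enabled without host and port")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_conf(SAMPLE_CONF)):
        print("[!]", finding)
```

A single mistyped octet in the teammate list is enough to hand sessions on a client's systems to a host outside the engagement, which is why the address check runs on every entry.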
<div>
<br /></div>
<h2>
Usage:</h2>
<div>
Loading TeamSploit is as simple as running the TeamSploit executable in your <i>teamsploit</i> directory:</div>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">./teamsploit</span></blockquote>
<div>
Unless otherwise configured, TeamSploit is now going to load two windows (three if you are connecting to a MSFD Service):<br />
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT3u9wzgpyypa1AdWF0SQUMDGZN-3W3rov3pxMBkEkNckcUJhRwsukpthApPNw97y0An6_Uhhs1JsHwSmAidCooXgx_k258S9sRVDhsMNmG5QR6r-n35zlGU_IhRBB5xzG6nTv20_NuDFn/s1600/teamsploit_screenshot_01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="TeamSploit Screenshot" border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT3u9wzgpyypa1AdWF0SQUMDGZN-3W3rov3pxMBkEkNckcUJhRwsukpthApPNw97y0An6_Uhhs1JsHwSmAidCooXgx_k258S9sRVDhsMNmG5QR6r-n35zlGU_IhRBB5xzG6nTv20_NuDFn/s400/teamsploit_screenshot_01.png" title="TeamSploit" width="400" /></a></div>
<br /></div>
Within your Primary shell, you can exploit systems and Auto Post Exploitation will complete - passing sessions to both your Listener as well as each of your team mates.<br />
<br />
Within the Listener, you can interact with any sessions you've received, from both your own exploitation as well as sessions your fellow team mates have acquired.<br />
<br />
TeamSploit actually loads a number of very useful modules, like:<br />
<br />
<ul>
<li>Nessus</li>
<li>Nexpose</li>
<li>OpenVAS</li>
<li>Auto Exploit (<a href="http://www.darkoperator.com/blog/2012/2/16/nessus-5-making-my-pentesting-workflow-easier.html" target="_blank">Dark Operator's Exploitation Automation</a>)</li>
<li>Pass The Hash</li>
</ul>
<div>
At this point, you can compromise a target network with very little effort. The very first thing you'll need to do is configure a Nessus policy to only audit exploits that have a corresponding Metasploit module. You can follow the directions provided by Dark Operator if you'd like (<a href="http://www.darkoperator.com/blog/2012/2/16/nessus-5-making-my-pentesting-workflow-easier.html" target="_blank">Directions</a>).</div>
<div>
<br /></div>
<div>
Connect TeamSploit to Nessus (be sure to replace the relevant details):</div>
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">nessus_connect username:password@nessus_host:port ok</span></blockquote>
Find your newly created Metasploit-Only Nessus Policy:<br />
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">nessus_policy_list</span></blockquote>
Start a scan against your targets (be sure to replace the relevant details):<br />
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">nessus_scan_new PolicyID "Scan Name" AddressRange</span> </blockquote>
You can monitor your scan with the following:<br />
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">nessus_scan_status </span></blockquote>
Once the scan is done, you'll need to import your results to TeamSploit (the Scan ID should have been returned when starting the scan):<br />
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">nessus_report_get ScanID</span> </blockquote>
Now we are ready to exploit the systems:<br />
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">vuln_exploit</span> </blockquote>
As each system is exploited, the Auto Post Exploitation will complete - sharing sessions with your listener and your team mates. If during this time period you'd like to interact with your newly compromised systems, you can do so inside of your listener.<br />
<br />
Now that all of the systems (with vulnerabilities returned by Nessus) have been compromised, it is time to <a href="http://en.wikipedia.org/wiki/Pass_the_hash" target="_blank">pass the hash</a> and see if we can obtain any more of our targets:<br />
<blockquote class="tr_bq">
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">pass_the_hash</span> </blockquote>
At this point, all of the collected credentials will be used against all of the remaining targets. With any luck, this will obtain you further access (especially with password reuse and Windows domains).<br />
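From the defender's side, replaying one set of credentials against every remaining host shows up as a burst of NTLM network logons (Windows Security event 4624, logon type 3) from a single source to many machines. The detection below is an added example, not from the original post or from TeamSploit; the CSV layout, the five-minute window and the three-host threshold are assumptions, and the events are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumption: how tight a burst must be
MIN_HOSTS = 3                  # assumption: distinct targets that make a burst

# Constructed sample: simplified export of logon events collected from several hosts.
SAMPLE_EVENTS = """
time,host,event_id,logon_type,auth_package,account,source_ip
2012-08-26T09:02:11,FS01,4624,3,Kerberos,jsmith,192.168.1.20
2012-08-26T09:15:40,PRN01,4624,3,NTLM,jsmith,192.168.1.20
2012-08-26T10:00:05,WS01,4624,3,NTLM,backup,192.168.1.30
2012-08-26T12:30:00,WS02,4624,3,NTLM,backup,192.168.1.30
2012-08-26T16:45:00,WS03,4624,3,NTLM,backup,192.168.1.30
2012-08-26T14:00:01,WS01,4624,3,NTLM,Administrator,192.168.1.50
2012-08-26T14:00:03,WS02,4624,3,NTLM,Administrator,192.168.1.50
2012-08-26T14:00:04,WS03,4624,3,NTLM,Administrator,192.168.1.50
2012-08-26T14:00:09,FS01,4624,3,NTLM,Administrator,192.168.1.50
2012-08-26T14:01:00,WS01,4624,10,Negotiate,Administrator,192.168.1.50
2012-08-26T14:02:00,WS04,4625,3,NTLM,Administrator,192.168.1.50
"""


def ntlm_fanout(events_csv, window=WINDOW, min_hosts=MIN_HOSTS):
    """Map (source_ip, account) to the hosts it reached by NTLM network logon,
    for every pair that hit at least min_hosts distinct hosts inside window."""
    logons = defaultdict(list)
    for row in csv.DictReader(io.StringIO(events_csv.strip())):
        # Only successful network logons authenticated with NTLM are of interest.
        if (row["event_id"], row["logon_type"]) != ("4624", "3"):
            continue
        if row["auth_package"].upper() != "NTLM":
            continue
        when = datetime.fromisoformat(row["time"])
        logons[(row["source_ip"], row["account"])].append((when, row["host"]))

    alerts = {}
    for key, hits in logons.items():
        hits.sort()
        start, best = 0, set()
        # Sliding window over time-ordered logons; keep the widest host set seen.
        for end, (when, _) in enumerate(hits):
            while when - hits[start][0] > window:
                start += 1
            hosts = {host for _, host in hits[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts[key] = sorted(best)
    return alerts


if __name__ == "__main__":
    for (source, account), hosts in ntlm_fanout(SAMPLE_EVENTS).items():
        print(f"[!] {account} from {source} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

The service account that touches three hosts over a working day stays below the threshold; only the eight-second burst from one workstation is reported.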
<br />
And that's it. With only a few commands and a couple of minutes, we've successfully infiltrated a target network, obtained ingrained access, gathered a large amount of system information, and can now laugh at the System Administrators as they fight with the Trollware.<br />
<br />
<br />
<h2>
<b><span style="font-size: large;">Video:</span></b></h2>
This demonstration shows the usage of TeamSploit from both the attacker's (left window) and victim's (right window) perspective.<br />
<br />
The attacker on the left has a base installation of TeamSploit on BackTrack R3 and is targeting the administrator on the right. The premise of this scenario is the admin on the right hand side is completing typical daily administrative work and does not know an attacker is targeting their system.<br />
<br />
<i>Note: This video is based off of Revision 4 of TeamSploit</i><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/aEhMURZnSyQ?feature=player_embedded' frameborder='0'></iframe></div>
<br /><div class="blogger-post-footer">http://www.justinwray.com</div>
<br />
Maryland Cyber Challenge and Conference & Global CyberLympics: The Journey<br />
Justin M. Wray, 2012-08-09<br />
<br />
With the next season of the <a href="http://www.mdc3.org/" target="_blank">Maryland Cyber Challenge and Conference</a> and the <a href="http://www.cyberlympics.org/" target="_blank">Global CyberLympics</a> starting up, I am well overdue to write some posts about last season's adventure. This will be a five part series: The Journey (Part 1), <a href="http://justinwray.blogspot.com/2012/08/maryland-cyber-challenge-and-conference_26.html">TeamSploit (Part 2)</a>, Trollware (Part 3), Unsploitable (Part 4), Defensive Tools For The Blind (Part 5).<br />
<br />
<h2>
Maryland Cyber Challenge and Conference (MDC3)</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAn9S-Krfc43C53ayOvev3P-GHrE5HpsfcDYA6_kYxB1MsMLEoakmSxvt6MZgAM9W0JecrWvSknFn41Sxpt1Vem_nY5G6Y1jUtS5e5l0JUVnEeGEWPVbGAm4BZrd1EXuB4gCIn0e7DCNNn/s1600/MDC3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAn9S-Krfc43C53ayOvev3P-GHrE5HpsfcDYA6_kYxB1MsMLEoakmSxvt6MZgAM9W0JecrWvSknFn41Sxpt1Vem_nY5G6Y1jUtS5e5l0JUVnEeGEWPVbGAm4BZrd1EXuB4gCIn0e7DCNNn/s320/MDC3.jpg" width="320" /></a></div>
<br />
It all started with the MDC3. Maryland decided they wanted to cash in on the vast skill and experience they housed in the Baltimore-Washington DC Metropolitan Area, self-proclaiming to be the Silicon Valley of Information Security. Working for one of the larger Information Security firms in the area, my employer and I were directly in the cross-hairs of MD - we were the target audience.<br />
<br />
For the first time ever, my employer came to me to compete in a competition, instead of the other way around, a nice change in pace. I was asked to participate as the team captain and build a team due to my previous competition experience, having competed in every single <a href="http://www.midatlanticccdc.org/CCDC/" target="_blank">Mid-Atlantic Collegiate Cyber Defense Competition</a>; for the first three years on the blue cell (defense) and the red cell (offense) since.<br />
<br />
The team quickly came together; honestly, I had some good candidates in mind already. Benjamin Heise was the first to get the offer, and was set up as the co-captain for the team. I had worked with Ben for a few years; he was good, one of the best I know, and he had some experience with the CCDC already. With Ben and I having extensive offensive experience, we needed some defensive folks, so I contacted Matthew Wines and Mark Reinsfelder. Both were good friends of mine, and both worked with me, plus they had competed on both the defensive and offensive teams at the CCDC. With the four of us, we already had a real powerhouse, stocked with plenty of previous competition experience. But we needed two more players. Enter Steve Collmann and Jesse Hudlow. Both were new to the competition scene, but both really knew their stuff in their respective areas: Steve Collmann would primarily focus on Windows Defense, and Jesse Hudlow would round out our Offense. And so the team was born.<br />
<br />
The MDC3 was a phase-based competition; each phase focused on a different arena of Information Security. In total, we competed in three phases, the first two virtual and the last in-person at the Conference. Each virtual phase acted as a qualifier or elimination round, slowly dwindling the list of teams down until eight fought head-to-head at the in-person event.<br />
<br />
The Phases:<br />
<ol>
<li>Computer Network Defense (CND)</li>
<li>Forensics</li>
<li>Penetration Test</li>
</ol>
The CND phase consisted of two virtual machine images, one Windows and one Linux. Both were a bit dated, Windows 2000 and Red Hat 9. We had six hours to secure the systems before they would be audited. Having a good mixture of Windows and Linux experience on the team paid off, we split up and tackled both systems simultaneously. We even used our vast offensive experience to do our own auditing and testing. In the end, while the points were not revealed, we know we made it to the next round.<br />
<br />
The Forensics round consisted of a single EnCase hard-drive image. We were to take this image, perform the forensics analysis, and then deliver a detailed forensics report (Who, What, Where, When, Why, and How) within six hours. Using a number of open source tools, we quickly found a number of items of interest: encrypted and encoded data we deciphered, steganography we uncovered, deleted files we recovered, and plenty of logs. The remainder of our time was spent drafting the detailed report. It just goes to show that writing is a skill required in the information security field. The point totals for the forensics round were not released, but after the round we learned we had indeed passed all of the qualifiers and would be competing in the final in-person event.<br />
<br />
The Penetration Testing round was far different than the previous two rounds, primarily due to the fact that it was in-person and live. We arrived at the Baltimore Convention Center to find a large competition area, furnished with equipment and plenty of camera crews. We competed that day under the bright studio lamps, and hundreds of spectators passing through as they rushed to their next conference talk. This event required us to obtain access to eleven different systems, plant a flag, and then write a detailed Penetration Testing report. We were actually the first group to obtain access to all eleven systems; in fact, we were the first group to gain access to all eleven systems in the history of that environment. The scores were broadcasted live to the spectators and we actually spent a great deal of time in second place. During the last hour the scores were taken down and we just kept on keeping on.<br />
<br />
We impatiently awaited the results at the award ceremony which took place at the conclusion of the conference. We were confident, but certainly unsure. Our Project Manager, who spectated for the day, looked as if he was going to faint at any moment. As is tradition, they announced the teams in descending order, starting at third. When they announced that '<span class="st">Team Pr3tty</span>' had secured second place, we knew we had taken home the gold. Barely containing our excitement, we awaited our name to be called and our chance to walk on stage.<br />
<br />
We joined the stage, shook hands, took pictures, and if you've seen any TV Game Shows you know how this next part goes - As we walk across the stage, the announcer says <b>"And you're GOING TO MIAMI."</b> Dazed and confused is the only way to describe it. We look down to our Project Manager as the announcer continues to explain that the first and second place team gets a seat at the North American Championship for the Global CyberLympics, <b>tomorrow</b>.<br />
<br />
After much fanfare and endless phone calls, we got all of the approvals in check and headed home, for less than twenty-four hours later we would be on the plane headed to the GCL...<br />
<h2>
Global CyberLympics (GCL)</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwIPaoCZ1xLZMzGDxIYjjzfJpnOcqYhizaE_NxWd6lZVCh33hlmcAl_Y03aTQ3wMI3C9G2sUWLMY9dLwg5a4Di8QxTgxn2HUaHaY2VhWbIO937aFIsaOcqXgeMkSa9kyhDokRf4zY0ky0r/s1600/GCL.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwIPaoCZ1xLZMzGDxIYjjzfJpnOcqYhizaE_NxWd6lZVCh33hlmcAl_Y03aTQ3wMI3C9G2sUWLMY9dLwg5a4Di8QxTgxn2HUaHaY2VhWbIO937aFIsaOcqXgeMkSa9kyhDokRf4zY0ky0r/s320/GCL.jpg" width="310" /></a></div>
<br />
We skipped right past the qualifications and eliminations, directly to the big show, the North American Championship.<br />
<br />
Unlike the MDC3, the GCL was a more traditional CTF event. Each team had a number of systems they needed to defend against all the other teams. Flags were replaced with "phoning home," a process which informs the scoring system you have access, and at which level. <br />
<br />
We broke the team down into two groups: Offense and Defense. We had two primary players for each group, and two floaters, the team broke down as such:<br />
<br />
<ul>
<li>Offensive Floater: Me</li>
<li>Offensive Group: Ben & Jesse</li>
<li>Defensive Floater: Matt</li>
<li>Defensive Group: Mark & Steve</li>
</ul>
The structure was simple, the dedicated defensive players would focus on defending our network and the dedicated offensive players would focus on attacking everyone else. The floaters would stick to their primary designation, unless the other group needed assistance.<br />
<br />
Right out of the gates, the offensive group gained and maintained access to just about every Windows box, and had most of the Linux boxes too. This situation didn't really change much throughout the entire event. We rarely lost access, and just slowly picked up the few stragglers here and there. The defensive players played cat and mouse with the attackers all day. It was a cake walk on the offensive side, but an all out grudge match on the defensive side. The scoreboard was live until sometime late in the afternoon, although we were in first almost the entire time.<br />
<br />
In the end we secured the title of North American Champions with almost <b>seven</b> times the offensive score of the second place team, but only a round's worth of points on the defensive side. We won, no doubt, but the event was a real eye-opener into where our team needed the most work: Defense. After much celebration in Miami, we headed home, home to work, home to life, but also home to prepare...prepare for the World Finals.<br />
<br />
The MDC3 and North American leg of the CyberLympics took place in October; however, the World Finals weren't held for another five months in March of 2012. We had plenty of time to plan and prepare. Ben immediately started work on a Lab environment, filled with countless vulnerable images, and I quickly put together a scoring engine. Between Ben and I, we created our own CTF in a box. After which, the CTF team got together time and time again, and did full-on pedal to the metal events. The offensive side would pummel the defensive side, and the defensive team would cry out in anger. But slowly the defensive team was getting better and better. I even devised a small training program, consisting of a crawl, walk, run approach to under-fire Windows defense. All in all, our defensive side was really shaping up, and our offensive team was getting an itch, an itch to automate.<br />
<br />
Knowing there were months before the World Finals, we knew people would code, script, and automate as much as possible. The environment was going to be the same; everyone had already seen it. In a lot of respects, the competitions came down to an ingenuity and/or coding competition. As our defensive group got better, we started transitioning our focus to tool development. If it could be automated, we were automating.<br />
<br />
We worked on both offensive and defensive tools. On the defensive side, we planned to have automated patchers, system monitoring, active response tools, and much more. On the offensive side, we planned out automated exploitation, automated post exploitation, even tools to automate the flag steps (phoning home) and plenty of other treats. In the end we really only came out with three viable products: <a href="http://sourceforge.net/projects/teamsploit/" target="_blank">TeamSploit</a>, <a href="http://sourceforge.net/projects/unsploitable/" target="_blank">Unsploitable</a>, and <a href="http://sourceforge.net/projects/dtftb/" target="_blank">Defensive Tools For The Blind</a>. I'll go into depth on each of these in the upcoming parts of the series, for now here is a quick description:<br />
<br />
<b><a href="http://sourceforge.net/projects/teamsploit/" target="_blank">TeamSploit</a></b>: <i>TeamSploit makes group-based penetration testing fun and easy, providing
real-time collaboration and automation. TeamSploit is a suite of tools
for the Metasploit Framework. TeamSploit should work with any MSF
product (including OpenSource, Express, or Pro).</i><br />
<br />
<b><a href="http://sourceforge.net/projects/unsploitable/" target="_blank">Unsploitable</a></b>: <i>Unsploitable is an emergency patcher, providing critical security
patches and updates for commonly exploited vulnerabilities in common
operating systems, services, and applications. </i><br />
<br />
<b><a href="http://sourceforge.net/projects/dtftb/" target="_blank">Defensive Tools For The Blind</a></b>: <i>Defensive Tools For The Blind (DTFTB) is a collection of Windows and
Linux tools that automate discovery of post exploitation, backdoors, and rogue access, for defenders. DTFTB allows a system defender to quickly
and precisely locate common backdoor tendencies and system
misconfigurations used by an attacker to maintain access.</i><br />
<br />
In the end, we placed second in the World, against none other than Deloitte (one of the big four). Trust me, you can't complain. It was a wild journey, filled with fun and learning, what more could you ask for?<br />
<br />
Here are some articles about our journey and accomplishments:<br />
<ul>
<li><a href="http://www.icfi.com/news/2012/04/icf-team-second-place-cyberlympics%20" target="_blank">http://www.icfi.com/news/2012/04/icf-team-second-place-cyberlympics </a></li>
<li><a href="http://www.arl.army.mil/www/default.cfm?page=965%20" target="_blank">http://www.arl.army.mil/www/default.cfm?page=965 </a></li>
<li><a href="http://dundalk.patch.com/blog_posts/former-ccbc-students-lead-team-to-north-american-cyberlympics-championships%20" target="_blank">http://dundalk.patch.com/blog_posts/former-ccbc-students-lead-team-to-north-american-cyberlympics-championships </a></li>
<li><a href="http://gcn.com/articles/2012/03/20/cyberlympics-hacker-teams-olympic-challenge.aspx%20" target="_blank">http://gcn.com/articles/2012/03/20/cyberlympics-hacker-teams-olympic-challenge.aspx </a></li>
</ul>
<br />
<b>Keep an eye out for the upcoming parts of this series: TeamSploit (Part 2), Trollware (Part 3), Unsploitable (Part 4), Defensive Tools For The Blind (Part 5).</b><div class="blogger-post-footer">http://www.justinwray.com</div>
<br>
Regulations of Open Networks...say what?<br>
Justin M. Wray, 2009-10-26<br>
<br>
I am all for <i>open</i> networks, applications, projects, etc. I even strongly support FOSS software. In fact, every piece of code I personally write for public consumption is released under the GPLv2. (I'll look into v3 when it stabilizes a bit more; some of it is still too new for me to make an accurate risk evaluation). I have, of course, written stuff for myself (and that code holds a strong IP copyright) ... but if I were to release it, it would be OS. Yet, even from a business standpoint, I would argue that FOSS is the way to go. You become the free, de facto standard...and fsck people for support. And then when you eventually fork a <i>professional</i> version that is more stable, has more updates, is more feature rich, and is more enterprise geared, those changes get backported to the FOSS version as time progresses and the pro version is further updated. (Examples: Nessus, Snort, Wine, Red Hat, etc.)<br><br>Now...with all of that said, we live (last I checked) in a capitalist economic society. If you want to write software, platforms, firmware, etc. and charge for it, then so be it. If you want to keep other people from manipulating it, then so be it. More than likely, I will never personally use it or even support you -- but good luck to you anyway. With some smart marketing professionals (who then write "1x faster than the competition" on the package), you'll succeed either way.<br><br>Furthermore, I <i>strongly disagree</i> with patents on software. 
Great...you've come up with an idea! Have a cookie and go make it happen! Do it right, and you win! Software patents protect people/companies who suck at turning an idea into a solution. Just because you had an idea doesn't mean that I shouldn't be able to implement it in my own way, for my own purposes, on my own terms.<br><br>
Specifically concerning "Net Neutrality," there are currently two ideas of thought. The first feels that companies should be allowed to do as they choose. That is, they can block sites, customers, countries, applications, protocols, etc. The feeling is that "they" run the network, so "they" make the call. Conversely, the other line of thinking is that it should be open and that companies shouldn't be allowed to tell a customer how he/she can and should access some form of technology.<br><br>
Consequently, I have never been one to support the government telling a company how to run a business. I believe that if the company is doing it wrong, they'll figure that out at bankruptcy court. At the same time, I don't think the companies have the right to tell you what to do in your own home. Thus, I am torn, really.<br><br>
One thing I do know, though, is this: the side that is trying to keep things <i>open</i> is going about it ALL wrong. Net Neutrality doesn't just cover corporations...it covers government bodies as well. Everywhere I turn, someone else is pleading to the FCC to create laws to keep the Internet, networks, and technology from being infringed upon from both the government and the corporations.<br><br>
HELLO? ?!? Did I miss something? How do you enact a law prohibiting the enactment of other laws? Do people not see that once the FCC gets involved (that is, once they get jurisdiction over this form), it will set a precedent and the very thing everyone wants them to protect WILL BE TAINTED?<br><br>
Really. <br><br>
Do I want my internet provider to tell me what I can and cannot do on the Internet? 
No.<br><br>
Do I want my government to tell me what I can and cannot do on the internet? No.<br><br>
Do I think the government should be protecting us from such infringement? No!<br><br>
Let's make it simple: If there is a telco out there blocking access, drop them and get another one. Trust me, if they all close up, someone will step forward. OpenISP anyone? Seriously though, we CAN vote with our wallets...and we should! While some usage is already protected by law, there are fair use laws in place and laws protecting speech, etc. Those should protect the majority of the issues. The rest can be handled with our money.<br><br>
<b><i>Just think twice before you ask for more laws and regulations to protect us, it may be the very thing that hampers us...</i></b><br><br> <div class="blogger-post-footer">http://www.justinwray.com</div>
<br />
<b>twitter2rss: Turn Friends into Feeds</b><br />
Posted 2009-10-19 by Justin M. Wray<br />
<br><u><b>A New Twitter Tool:</b></u><br><br>
This past weekend I worked on a new project idea I had stored in the back of my mind. The project "twitter2rss" allows you to generate an OPML RSS feed list of all of the friends of a particular twitter account. In other words, you give it the username of a twitter user, and it gives you a list you can import into your feed reader. The project is nothing elaborate, it is not supposed to be. 
It is just a simple tool that allows you to create a feed list.<br> <br>
If you have any questions, comments, suggestions, or (hopefully not) complaints, leave them in the comments.<br><br>
<u><b>Why</b><b>:</b></u><br><br>
There are a few known use cases (based on my own uses, and that of a few friends).<br> <br>
<ul><li>RSS Feed Reader does not allow authenticated feeds (quickest way to get the "home" feed - an example is Google Reader)</li><li>Twitter is blocked from the location, but you still wish to obtain the feed data through a web based reader</li> <li>You are not a Twitter member, but wish to follow someone else's friends (lurkers)</li></ul>
I am sure there are other cases where this tool may be useful, leave your own uses in the comments if you'd like.<br><br><br>
<u><b>Project Description:</b></u><br><br>
twitter2rss will obtain all friends of a specified twitter account, and then create an OPML feed list. The feed list will contain all of the obtained friends' twitter RSS feeds, which can then be imported into any standard feed reader.<br><br>
<u><b>Project Links:</b></u><br><br>
Project Page: <a href="http://twitter2rss.sf.net">http://twitter2rss.sf.net</a> (Just the default Source Forge Project Page)<br>
Summary Page: <a href="http://sourceforge.net/projects/twitter2rss/">http://sourceforge.net/projects/twitter2rss/</a> (This is more than likely the one you want)<br>
Downloads: <a href="http://sourceforge.net/projects/twitter2rss/files/">http://sourceforge.net/projects/twitter2rss/files/</a><br><br>
<u><b>Project SVN:</b></u><br><br>
<code>svn co <a href="https://twitter2rss.svn.sourceforge.net/svnroot/twitter2rss">https://twitter2rss.svn.sourceforge.net/svnroot/twitter2rss</a> twitter2rss<font style="font-family: arial,helvetica,sans-serif;" size="2"> - Check out: <a href="http://sourceforge.net/projects/twitter2rss/develop">http://sourceforge.net/projects/twitter2rss/develop</a></font></code><br> <br>
Enjoy,<br>Justin<br> <div class="blogger-post-footer">http://www.justinwray.com</div>
<br />
<b>As The Calendar Turns: A Brief Review of the 2009 Fiscal Year on the Information Highway</b><br />
Posted 2009-10-17 by Justin M. Wray<br />
<br />
<u><b>Wow...</b></u><br />
<br />
Has it truly been over a year since my last blog post? I know I am certainly not the most frequent (or even semi-frequent) blogger on the Internet, but could it really have been that long ago that I posted about twitter changes and talked about the amazing <i>mobility</i> I have with my Blackberry? I guess it has indeed been a year or so since those posts were made. Perhaps we should change all of that...start this fiscal year fresh with a post. Of course, when you have been quiet for a year (even though I've been active and vocal in plenty of other Internet outlets), where do you really start? How about a blog post about what has changed in the past year?<br />
<br />
You don't often get to read a post about the dramatic changes in the past year, mainly because people keep you current with frequent content, and partially because people are too busy to stop and count the bits. But when you do pause for a moment and look back, it seems like just yesterday that CNN and Ashton Kutcher were fighting for the title of first user to have one-million Twitter followers and Oprah was joining Twitter (with thousands of soccer moms following). What about all the great malware of this past fiscal year? Are you still cleaning Conficker off your systems? It feels like just yesterday we were coming out of one of the most high-tech elections of all time. Time surely flies, so let's take a look at the highlights.<br />
<br />
<u><b>Twitter</b></u><br />
<br />
I feel like Twitter receives too much coverage; yet, it may actually be the most promising and popular communication tool. It really wouldn't be accurate to exclude the accomplishments of Twitter in such a post. Going "main stream" is the dream of <i>most</i> Internet start-ups. Not many complete such a task and certainly most do not have major news network coverage. However, Twitter received such success late last year, with many news-breaking events. It seemed that every time the news networks dropped the ball with a story, Twitter was right there to catch the opportunity. And the people noticed - as did the media. Spotting a prime opportunity, they jumped on the bandwagon shortly thereafter, as well.<br />
<br />
Moreover, the number of Twitter users continued to climb rapidly. From housewives to teenage celebrities, everyone was joining Twitter. Luckily for us avid geeks, the <i>twittersphere</i> is averaging itself out. But it is still nice to acknowledge the great success that Twitter has come into...we should all take a moment and congratulate Twitter again for such a wonderful <i>Web 2.0</i> story, and a wonderful product.<br />
<div class="im"><br />
<br />
Now if I never read another post, comment, tweet, or article about Twitter, I'd be content.<br />
<br />
<u><b>Legal & Cyber Command<br />
<br />
</b></u><br />
</div>It was not too long ago that every time I changed the channel, I'd see another <i>Air Force</i> cyber command commercial. That all was laid to rest when a national <i>Cyber Command</i> was forged. This command will oversee the nation's information security infrastructure. Along with this institution's creation came a large amount of concern - both over network neutrality and national privacy. While very few questions have been answered, it is fair to remind everyone that the entire project is still very much in the developmental stage. One thing is for sure, our government is taking the security situation seriously. Let's help facilitate such actions in any way that we, as the community, can!<br />
<br />
Don't forget about the interesting <i>Cyber Security Act of 2009</i>, though, which interestingly gives the President the power to "shut down" the Internet. We haven't heard much about this recently. Maybe we should review the progress?<br />
<br />
<u><b>Conficker</b></u><br />
<br />
Every once in a while, a large hype is cultivated around a security issue. More often than not, this issue is far from the most pressing. Many times, other larger issues will even coincide, time-wise, with this publicly-hyped threat. Enter Conficker. The April 1st malware of the year. It seems that as of late, each new year brings a new malware (vapor-malware) that makes a run with a destruction date of April 1st. Time after time, the mass media runs with such a half-cocked story. Conficker is really no different. The malware did little harm overall. Of course, the security community took the opportunity to further educate the general public.<br />
<br />
While the infection didn't cause the end of the Internet as some would have hoped (or as others would have had you believe), it is quite interesting to note that even as recently as two weeks ago, there are still over 250 <i>million</i> active infections. It begs the question: are <i>hyped</i> threats spread further through <i>haphazard</i> searches? Furthermore, are they funded increasingly by the adversaries due to their popularity? Or are they simply more visible? These are some questions that the community really needs to ponder - as there will be plenty more to come on April 1st...or so we all hope.<br />
<br />
<u><b>SMB2</b></u><br />
<br />
Certainly every time you check your RSS feed, you read about another vulnerability. With the popularity of products, Microsoft is on the top of the offenders list. (We could discuss the reasons indefinitely and ad nauseam, so let's just skip them for now). However, not nearly as many are as profitable as the previous RPC/SMB related vulnerabilities. They are a gem amongst the rough - depending upon your perspective. This year brought us another such novelty: the SMB2 vulnerability.<br />
<br />
One of the most fascinating components of this vulnerability lies not in the vulnerability itself, but instead, the timeline. The vulnerability was originally released simply as a <i>denial of service</i>. Some people in the industry purported that the vulnerability was further exploitable to control execution; others strongly opposed. Microsoft released a statement indicating it was <i>ONLY</i> a denial of service. The interesting story was really going on in the background, within the <i>"underground"</i> communities, where exploit code could be found that controlled execution - promoting this vulnerability to the <i>remotely exploitable code execution</i> category. To add more fear to the atmosphere, it took over nine days before a private security company released information that they had developed a <i>proof of concept</i> that allowed remote code execution. Only after these facts surfaced did Microsoft confirm the true risk of this vulnerability. For the pentesters out there, this is one more trick we can keep up our sleeves. For those system administrators, don't forget to patch your new installs.<br />
<br />
<u><b>Wave</b></u><br />
<br />
It is almost unfair for me to mention this when attempting to review the <i>past</i>. But bear in mind, we first heard of this new Google initiative in the previous year. It seems that the party is really just starting with this one, and it may be too early to really review the progress. However, there are some eerie similarities to past Google projects. Take <i>Gmail</i> as an example. The project was also released as a closed-invitation beta. Hype grew...and you had people literally buying invitations. I am unsure how far the hype will spread with Google Wave, but certainly the potential is there.<br />
<br />
People are outright <i>begging</i> for invitations. It seems everyone is talking about the new <i>collaboration</i> tool, but almost no one has an account. The number of original invitations was purportedly somewhere around 100,000. I doubt that people will openly sell or buy invitations (it is certainly against the terms of service), but that is certainly not stopping the malware authors, spammers, and other Internet delinquents from jumping on the bandwagon. I am making a prediction: I expect us to see more in this arena in the near future. This will most certainly translate into a future blog post...it just depends upon how far the rabbit hole deepens.<br />
<br />
<u><b>Phones, Gadgets, and Toys<br />
<br />
</b></u>Apple, RIM, and Google have really taken the world by storm (no RIM pun intended) with the mobile phone market. More electronic gadgets have been produced than we can even afford. It seems that the average consumer is becoming more and more technically savvy, and more and more technology centric. I would be remiss if I didn't include some of the outstanding leaps and bounds that the electronic markets have achieved. The mobile world continues to become more integrated into the cyber world. Only time will tell how far this path will lead. Yet no matter which devices or companies you cherish, just remember: with collaboration comes great outcomes. Enter some great electronic collaborations. More and more manufacturers and technology companies are teaming together to bring us even more power and resources in a mobile world.<br />
<br />
<b><u>Collaboration<br />
<br />
</u></b>This brings me to my last point: collaboration. Each year it seems that the technology communities unify more and more, helping to facilitate more opportunities. Out of all of the great events and achievements of this past fiscal year, this, in my opinion, is the most profound. More open standards are created and more collaboration is bred. Hopefully, we can see this methodology continue to grow.<br />
<br />
<u><b>Open Ending<br />
</b></u><br />
No fears...I purposely kept this post brief and open-ended. I wanted to lightly highlight <i>some</i> of the key events in (fiscal year) 2009. I certainly didn't cover every event...not even the major ones. But hopefully, this will remind you of some of the prominent issues and events we endured. While the fiscal year is over, the calendar year is still ticking. I hope to review some of these events and components again in the future and see some of the end results. Please allow this post to remind you to take a pause every now and again, to look back and reflect on the stepping stones that have brought us to this point. It is something that many of us take for granted. Comments are always welcome. I hope we can spark some interesting conversation about the past events and project some lessons learned into the future.<br />
<br />
Always,<br />
Justin M. Wray<div class="blogger-post-footer">http://www.justinwray.com</div>
<br />
<b>Twitter: Changes Afoot</b><br />
Posted 2008-09-19 by Justin M. Wray<br />
<br />
Check out the new twitter design, looking great. This was my number-one complaint about twitter over the other micro-blogging services. It felt too myspace-ish, all that has changed.<br /><br />
<a href="http://blog.twitter.com/2008/09/changes-afoot.html">Twitter Blog: Changes Afoot</a><div class="blogger-post-footer">http://www.justinwray.com</div>
<br />
<b>Mobility, Part Two</b><br />
Posted 2008-09-08 by Justin M. Wray<br />
<br />
In my previous article I spoke about <a href="http://justinwray.blogspot.com/2008/08/mobility.html">Mobility</a>. Having the ability to move freely and still have access to all of your data and services. More specifically I focused on Mobile devices and interfaces to our normally Desktop centric world. This time I will skim the surface of another form of Mobility: The Cloud.<br /><br />
Having the ability to go from one location/workstation to another, while still having access to your data, is an important hurdle to jump. Many businesses tackle this issue with "roaming profiles" and other shared resources. But what do you at home do when sharing a profile between home, work, friends, and the library isn't an option? 
I'd assume you use an Application Service Provider.<br /><br />
<a href="http://en.wikipedia.org/wiki/Application_service_provider">Application Service Providers</a> aren't a new concept, and Google is far from the first company to invest time, money, and resources into the idea.<br /><br />
From Wikipedia: "In terms of their common goal of enabling customers to outsource specific computer applications so they can focus on their core competencies, ASPs may be regarded as the indirect descendants of the service bureaus of the 1960s and 1970s. In turn, those bureaus were trying to fulfill the vision of computing as a utility, which was first proposed by John McCarthy in a speech at MIT in 1961."<br /><br />
The idea is simple, you register for a service/application that is provided online. All of your information/data is stored on the provider's servers. When you need to access the service/data you simply visit the website, and login, no matter your location.<br /><br />
I personally rely on cloud-based services as much as I rely on mobile applications. I have almost all of my email in Google's Gmail (either directly or through <a href="http://mail.google.com/support/bin/answer.py?answer=56283&topic=13271">POP support or forwarding</a>). I use the Google Calendar on a daily basis to help keep me on track, and update others of my whereabouts (when needed). Google Reader is a dream-come-true - one of the best readers available. Even this blog is an example of a Cloud based service I use. My list could continue, just as I am sure yours could. Even social-networks are a form of cloud computing.<br /><br />
I can easily go from my laptop at the airport, to the desktop at my house and never miss an article, re-read an email, or forget about an appointment. But better yet, when I am in an unfamiliar place (the library, public system, friend's house) I still have access to the very same data, in the very same interface. 
Everything just works, no matter where you go.<br /><br />
The release of Google Chrome shows how important the concept is to Google. They are now developing a browser that works better with web-based applications. Mozilla has also taken a stab at this technology with <a href="http://labs.mozilla.com/2007/10/prism/">WebRunner/Prism</a>. Adobe has been working in the arena with <a href="http://www.adobe.com/products/air/">Adobe Air</a>.<br /><br />
As systems progress and we continue to see items that are mobile-centric (like the netbooks, iPhones, etc) this technology will progress. We will continue to move our storage off of our system hard-drives and into data centers.<br /><br />
I encourage everyone to try out some ASPs, and write back with your favorites.<div class="blogger-post-footer">http://www.justinwray.com</div>
<br />
<b>AdSense</b><br />
Posted 2008-09-06 by Justin M. Wray<br />
<br />
Some of you may have noticed a PSA (Public Service Announcement) Ad on the side of the blog, as well as a large amount of space under each post. Both of these should be filled with normal AdSense ads. However, due to some account issue they were not (lost the PIN, etc).<br /><br />
I have corrected all of the account issues, so you should start to see Ads soon. The ads are used simply to fund the webserver etc. I've never made even enough to do that, so in no way am I making a profit.<br /><br />
Look forward to some good articles soon. They are on the way.<div class="blogger-post-footer">http://www.justinwray.com</div>
<br />
<b>Still Blogging</b><br />
Posted 2008-08-29 by Justin M. Wray<br />
<br />
Evening,<p>I wanted to let everyone know I am still blogging! 
In fact I have two articles that I am in the process of developing and performing further research. I hope to have them published soon (in the next few days).<p>Sent via BlackBerry<div class="blogger-post-footer">http://www.justinwray.com</div>
<br />
<b>Mobility</b><br />
Posted 2008-08-29 by Justin M. Wray<br />
<br />
No, not the commercial about powered-scooters, but the ability to roam freely and still have access to all of your data. Mobility has become a growing trend, more and more websites focus heavily on mobile interfaces and applications, to ensure their user-base has access to the services provided, no matter their location.<br /><br />
I thought it would be fitting to type this blog entry on my Blackberry, the irony would have been warranted. However, due to still owning an 8700c, I do not have the ability to spell-check my emails (and I am a horrid speller). Although with the ability to post blog entries via email (through blogger), I most certainly could have done so.<br /><br />
A few years ago there was a big movement to enable websites to be compatible on cell-phones and develop mobile related applications. I will not lie, I was a non-believer. I didn't see the average person (even technical savvy ones) using their phone to browse the web.<br /><br />
Download speeds were horrible, and the content layout (on a tiny screen) almost unbearable. Combine these issues with high data prices, I saw the technology going nowhere fast! But then something interesting happened, smart phones became common ground.<br /><br />
No longer did you see only business executives and rich kids running around the streets with a "smart phone". These devices commonly tote QWERTY (Full) keyboards and a larger screen. 
The sole purpose of the device is to provide more features than just a "phone".<br /><br />
Now you had a small computer in your pocket. Replacing the old PDA with something that makes phone calls as well. You were walking around with a contact list, calendar, phone, and more, on one device. But best of all you had a web-browser.<br /><br />
All of the WAP enabled websites were easily accessible on an easy to use device, wherever you would go. At this point I jumped on the "band-wagon". I purchased a Blackberry. To be honest, my addiction to the (sometimes referred to as CrackBerry) device has only grown stronger as time progresses.<br /><br />
I originally used the device solely for email and appointments. Having the ability to keep in touch with clients, family, and friends was always helpful. But I also had an entire archive of my data. Anytime I would need to look something up, or recall a conversation, a quick search and I had the email.<br /><br />
From there I installed amazing apps such as Opera Mini, Google Maps, TwitterBerry, Beyond411 and plenty more. I truly live a mobile life.<br /><br />
I spend the majority of my life away from the desk, and therefore away from the desktop. That is precisely the reason I own a "desktop-replacement" (overly powerful/slightly heavy laptop). But when I am driving down the highway, booting my laptop and catching some WiFi isn't an option. 
Luckily I have the mobile market to turn to and trust.<br /><br />
With the release of the iPhone and the anticipated release of the Android platform, the experience is only getting better. More and more applications are released, and more and more services are becoming available each day.<br /><br />
If you haven't taken the plunge into the mobile market, now is the time to do so. The desktop computer will never be replaced, but in five years, you will most definitely have everything you need, in your pocket/hand.<div class="blogger-post-footer">http://www.justinwray.com</div>
<br />
<b>Audio. Video. Data. AWIS.</b><br />
Posted 2008-08-29 by Justin M. Wray<br />
<br />
Wanted to inform everyone of a new project I am working on.<br /><br />
You may have read a tweet of mine, noticed a news article, or spotted a forum post, but for now the details are staying secretive.<br /><br />
I posted a nice teaser on the project homepage: <a href="http://www.projectawis.com">Project AWIS</a><br /><br />
Stay tuned for more information as we get closer to a "release" date.<div class="blogger-post-footer">http://www.justinwray.com</div>
<br />
<b>XP AntiVirus 2008 Fun...Not</b><br />
Posted 2008-08-28 by Justin M. Wray<br />
<br />
Many of you have more than likely heard about the newest wave of malware, XP AntiVirus 2008, 2009, or the other list of names they are toting now. 
For those of you who have, skip below to the "story", for the rest, continue, and I'll briefly describe the newest trendy threat.<br /><br />
<span style="font-weight: bold;">Threat:</span><br /><br />
Over the past few months large-scale web-defacement sprees have been compromising legitimate (popular) websites and injecting a whole slew of malicious code. Big-name sites, once compromised, would deliver malware directly to the unsuspecting users who visited the site. With trust on the malware distributor's side, many users would ignore the typical security precautions.<br /><br />
As this practice became more wide-spread the malware became a bit more "realistic" and "authentic" looking. The attacks turned from the typical "mysterious" files being pushed to the system, to an elaborate social-engineering workshop.<br /><br />
New malware is being developed that looks and functions much like real software. The first to hit the circuits was XP AntiVirus. The malware looks and functions exactly like real Anti Virus software, however in the background it is stealing all of your personal information (passwords, financial information, etc, etc).<br /><br />
Users would visit a legitimate (and trusted) website, which would inform them that "XP" had released an update to their AV product. 
Knowing they were on a popular, trusted site, they would then click "Ok", download the software and become infected.<br /><br />
Screenshots:<br /><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6qG5zy5s2_jc1NX8j4B0iKwGnNrFfquPY9PituPV-CbdaXG234fYtUgJY3TQPkp8I8uurPR1NNy2PvEwIYTgAIz540SZQsFHKpoGlrEYJKlIQBhlsz_u_nwsb_gS-b9txCL7uwVuVIo4/s1600-h/antivirus_pro_2008.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6qG5zy5s2_jc1NX8j4B0iKwGnNrFfquPY9PituPV-CbdaXG234fYtUgJY3TQPkp8I8uurPR1NNy2PvEwIYTgAIz540SZQsFHKpoGlrEYJKlIQBhlsz_u_nwsb_gS-b9txCL7uwVuVIo4/s1600-h/antivirus_pro_2008.png" alt="" border="0" /></a><br /><br />
<span style="font-weight: bold;">The Background:</span><br /><br />
My mother owns a number of computers, ranging from personal servers (that I have set up) to a few laptops. She runs Linux on everything, not by choice, simply because I force her to. I don't mean to sound harsh about it, but Linux doesn't suffer from half of the problems Windows does. And that is even more true with someone like your mother (who is more than likely not computer savvy).<br /><br />
However, I lied a bit, she does own and use one Windows-based laptop. Only one, every other component runs Linux (even the router). She refuses to give up this system, at all costs. Mainly due to a few very Linux-unfriendly websites and my lack of time to help get them working.<br /><br />
Of course this one Windows system is the one I receive the most "calls" about. Nothing is ever working correctly, and every time I touch the thing there is another piece of spyware.<br /><br />
So after this last "rebuild" of the system I locked things down really well. To the point she was annoyed at the lack of usability. 
Unfortunately I made the mistake of locking the system down from external "unwanted" penetration. I didn't put much protection in place from the user. I assumed all of the "awareness" would work, and the system would stay in a fairly clean state.<br /><br />
Don't misunderstand, there were security applications that prompted her when malicious actions may be present (even if she was the one who started them), but let's face it, everyone clicks "Allow" anyway.<br /><br />
<span style="font-weight: bold;">The Problem:</span><br /><br />
I was partially correct, the "awareness" did work, she herself did not infect her system with anything. But my brother did.<br /><br />
She was out of the house, and he "snuck" onto the system (which just-so-happened to be mistakenly unlocked). He downloaded the XPAV software to his PSP (Portable Playstation) and then transferred it to the laptop. He then installed the application (or should we now call it malware). Allowed all web-updates and downloads of further trojans. And then denied the entire thing.<br /><br />
<span style="font-weight: bold;">The Solution:</span><br /><br />
This malware is changing every day, and each infection is different. The malware downloads a number of additional malicious components, and most are undetectable by current signatures.<br /><br />
So a complete re-install of Windows, and a lot of yelling was in order.<br /><br />
<span style="font-weight: bold;">The Lesson:</span><br /><br />
Of course you have heard this before, and I can assure you, you will hear it again. The user is always the weakest link, and no matter how secure the system is, you have to educate the users. 
And protect yourself against them.<br /><br />
Also, don't just educate the primary user, stress the issues to anyone who may come in contact with the system.<br /><br />
Oh - and lock your screen when you walk away.<br /><br />
More information on the malware can be found: <a href="http://malwaredatabase.net/blog/index.php/2008/07/26/new-antivirus-xp-2008-video/">here</a>, <a href="http://blog.trendmicro.com/fake-antivirus-trojans-ramping-up/">here</a>, or <a href="http://ddanchev.blogspot.com/2008/08/diverse-portfolio-of-fake-security.html">here</a>.<div class="blogger-post-footer">http://www.justinwray.com</div>Justin M. Wray<br /><br />
<h2>Back...Again..Maybe?</h2>
Published 2008-08-28T02:45:00.002-04:00, updated 2008-08-28T02:51:19.261-04:00<br /><br />
Hello (yet again),<br /><br />
Well you can't say that I didn't warn you! And we all know that past actions predict future actions. You should have known the whole "blogging" thing wasn't going to work.<br /><br />
Yet, here I am sitting behind the keyboard, writing another post. I miss the "idea" of blogging, not the actual process. It truly isn't that I do not like blogging, because I do. I just can't seem to remember (or better yet fit the time into my day). But, I am going to work on that.<br /><br />
As of recent I have found the time to fit <a href="http://www.twitter.com/wrayjustin">Twitter</a> into my life. If I can post tweets, I can certainly post a few blurbs on a blog, right?<br /><br />
So expect some posts soon, or don't -- either way I am back for a bit...<div class="blogger-post-footer">http://www.justinwray.com</div>Justin M. Wray<br /><br />
<h2>Capture the Flag: Towson and CCBC - Just for fun</h2>
Published 2008-03-03T00:57:00.003-05:00, updated 2008-03-03T07:19:12.937-05:00<br /><br />
Saturday, March 1st, from 9:30am to around 4:00pm (EST) both the Community College of Baltimore County and Towson University participated in a Capture the Flag event. Although a winner was announced the event was just for fun, and an attempt to gear students up for the upcoming <span class="style1">Collegiate Cyber Defense Competition, and by upcoming, I mean next weekend. But more on the competition later...<br /><br />
The event was hosted by Towson, set up in its entirety by <a href="http://pages.towson.edu/moleary/">Dr. Michael O'Leary</a>. The event was run much like a typical capture the flag, with each group attempting to both defend their own systems, while attacking the other group. The groups were derived from a "dodge-ball" style pick, leaving the CCBC and Towson teammates mixed amongst each other. Causing the entire event to be rather laid back, taking the secrecy and pressure off the majority of the students.<br /><br />
I was selected as one of the team-captains and was able to pick a rather good team. But overall I had rather little interaction with anyone on my team - this was done on purpose and part of a well thought-out strategy. I worked on the offensive-side almost exclusively, only answering questions for the defensive counterparts on my team. I was the only one running offense for our team. I'll do my best to describe the event after the jump, keep in mind though, I did little defensively.<br /><br />
<span style="font-weight: bold;">The Setup:</span> Each group had five or six students, and was allowed a "team name." Each group had an identical setup, excluding the system host names and the IP addresses. 
The systems included a mixture of Windows and Suse installations, with a varying degree of patch levels. In addition to the unknown "base-line" security, each system was pre-configured with a handful of holes.<br /><br />
<span style="font-weight: bold;">The Injects:</span> Much like the CCDC, this event would not be complete without "business injects." I have a feeling this type of caveat will be all too common in CTF events world-wide with time. Although I did no defense, I did overhear a few of the injects, seems they ranged from "determine the IP address of every web server" to setting up a fully functional syslog server with every system logging.<br /><br />
<span style="font-weight: bold;">The Scoring:</span> Scoring was based on both offense and defense. A team who successfully found a security hole (one of the ones placed on the system at the start of the event) gained points. If they secured the same vulnerability, they scored. And (my part) if they exploited the vulnerability against the other team, they yet again scored. In addition, any exploitation resulted in some points, and becoming administrator/root resulted in a higher point reward. Thwarting an intrusion also netted some points. One more score vector that I thought was a good add was something Dr. O'Leary called "style." Anytime you did something "out-of-the-box," clever or just plain 1337, your team found itself a few points further.<br /><br />
<span style="font-weight: bold;">The Recon: </span>I approached the day's event much like a blind pen-test. I truly only knew a few things walking-in-the-door, and only a few more things were explained before we started. 
At the beginning of the event I knew the following:<br /></span><ul><li>I had two "attack boxes" with BackTrack (version 2) installed</li><li>I was on the same address space as the other team (although that was all I knew)</li><li>The systems had Windows or Linux installed</li><li>No physical devices (printers, routers, etc) were involved</li><li>I couldn't attack core network resources (class equipment; servers, hosts, etc)</li><li>One of my team-mates had a "magical" piece of paper that contained all of our "system" hostnames, usernames, passwords, and OS.</li></ul>
But other than the above, I didn't know much. Not even the addresses of the other team. I never did look at the "team packet" during the event, which contained some information about our setup. So right off of the bat, the first thing I did was scan the entire class B subnet we were on. Knowing both teams resided within the same address space I needed to differentiate between our systems versus the other team. I asked my group to get the addresses of all of our systems.<br /><br />
<span style="font-weight: bold;">The Attacks (10.0.1.23)</span>: Within the first ten minutes of the event I had already obtained administrative access to two systems, and had set up some ways to maintain access. The first system I attacked was a Windows 2000 system. Exploiting the <span style="font-style: italic;">lsass</span> vulnerability using Metasploit, I obtained a reverse shell. With time on my side (knowing they had most likely not thoroughly checked the system) I immediately added an account named "root" and added it to the "Domain Admins" group, followed by changing the administrator password. Next I looked around the system, and found an internal employee "phone directory" which I promptly moved to my system. This landed our team a good amount of points up front.<br /><br />
<span style="font-weight: bold;">The Attacks (10.0.1.26):</span> This is a really good story, and a lot less technical. 
This was the second box I attacked within the first ten minutes. I more or less completed the same tasks as above on this system, which was also a Windows 2000 installation. The part worth mentioning however, was this was our team's system. Turns out, unbeknownst to me, one of our systems was having network issues at the start of the event, and they failed to give me this address. I completely "owned" one of my own systems. I then promptly reverted my changes back, and moved along.<br /><br />
<span style="font-weight: bold;">The Attacks (10.0.1.24):</span> The system (Windows 2000) had VNC set up, with no password. I jumped on, changed the Administrator password, started to add a few users. And noticed Back Orifice was installed, so I started setting it up, but was promptly caught. Seems they made a mistake similar to mine. They VNC'ed into their own system, and thought they were in one of our systems. This accounted for the mouse moving. Dr. O'Leary came to "score the breach" and informed them that they were on their system. Puzzled, they then fluttered to find out who was really on the system and setting up Back Orifice. Sitting on the box, they realized they were being attacked, and attempted to close my windows, which I just reopened. Then they attempted to shut down the box, which I canceled, then they pulled the plug. Oh well, they still had to reset the password.<br /><br />
<span style="font-weight: bold;">Guest SSH:</span> One of the injects was to set up SSH on every system with a guest account. This more or less meant game-over. I used this to leverage further access for the remainder of the event.<br /><br />
(The rest of the attacks are not listed in any particular order. Nor are they the only attacks that were performed, just the ones I have notes written for...)<br /><span class="style1"><br /><br />
<span style="font-weight: bold;">The Attacks (10.0.1.38):</span> This was a Linux server, running http, ftp, and a few other services. 
The /etc/passwd file was set world-writable, so I changed the guest account to have a uid of 0, and changed the password. I then re-logged in, changed the root password. Grabbed the shadow file, and began cracking the other user-account passwords. In an attempt to maintain access I then grabbed a copy of the root ssh private key. For an added bonus, I changed the daemon account to uid 0. I trojaned su and ssh on the spot, with a quick bash script that would send me a copy of the password, I also redirected the root bash history to myself. I defaced the website, with something childish.<br /><br />
<span style="font-weight: bold;">The Attacks (10.0.1.37):</span> Just defaced the website, world-readable, nothing special.<br /><br />
<span style="font-weight: bold;">The Attacks (10.0.1.41):</span> This Linux server contained an ecommerce website. The database password was stored in a world-readable include file, giving me access to the database. I was then able to obtain customer information, including credit-card numbers (every time I say this people ask if they were real...um...yeah...no). I was also able to add myself as an administrator on the site. I then defaced the site (Changed all of the "Road-Runner" pictures to Bugs Bunny) and then for fun played around with some SQL injections.<br /><br />
<span style="font-weight: bold;">The Attacks (10.0.1.42):</span> I swear this was a spitting image of the previous box, except it was a "bank" and contained bank information. And I deleted the bank instead of defacing it.<br /><br /><br />
<span style="font-weight: bold;">Defacements:</span> Every time they reverted a site, I more or less changed it back. I erased key files (after "I" backed them up) and they then started to just leave comments, like "Stay Out". Or "You don't belong here". So I started leaving comments back like "Nor Do You", or "Nice Bank". The defacement became a ranting board between me and the other group, quite fun actually. 
One more note to add, I added a <span style="font-style: italic;">phpinfo()</span> to most of the sites, just for fun.<br /><br />
<span style="font-weight: bold;">Fork Bombs:</span> Near the end of the event I became bored, and decided to just start messing with the systems. Deciding not to just <span style="font-style: italic;">rm -Rf /</span> I started to fork bomb every system.<br /><br />
<span style="font-weight: bold;">Filling The Disk:</span> At the same time I was fork bombing the systems, I decided it would be fun to fill the hard-drives. So I wrote a few scripts that started to fill the hard drive. At the end of the event, all of the Linux systems were between 80-90% filled. If we had a bit more time, they would have had a good amount of issues...<br /><br />
<span style="font-weight: bold;">Syslog:</span> At ten minutes to the end of the event, both teams successfully rooted each other's syslog server.<br /><br />
<span style="font-weight: bold;">The Winner:</span> Seems the best defense is a good offense. My team won, by a few hundred points.<br /><br />
That about wraps up the events, drop any questions in the comments. Look for a post on the results of the competition, during and after next weekend. Also take a look at the Interesting News Feed.<br /></span><div class="blogger-post-footer">http://www.justinwray.com</div>Justin M. Wray<br /><br />
<h2>Apple Sued Over iPhone Caller ID - Lawyer Taglines</h2>
Published 2008-03-01T04:08:00.007-05:00, updated 2008-03-01T04:30:51.919-05:00<br /><br />
<span style="font-weight: bold;">The Article: </span><a href="http://www.engadget.com/2008/02/28/apple-sued-over-iphone-caller-id/">Apple Sued Over iPhone Caller ID</a><br /><br />
<span style="font-weight: bold;">The Summary:</span> The Apple iPhone has a "two-line LCD" caller-id function, that [oh-my] tells you who is calling. 
Seems "Romek Figa" owns a patent for such a feature. Figa is attempting to have Apple pay damages and license the feature. Apple thus far is refusing, thus the impending lawsuit. Seems other major phone companies have already abided by Figa's rules, but he hasn't chosen to go through the proper channels at Apple.<br /><br />
<span style="font-weight: bold;">Comments:</span> I really want to take this article in an entirely different direction, but before I do so, I'll comment on the article. I don't have the patent information in front of me, so I am skeptical of the entire idea someone owns a patent on such a wide-spread feature. But I've seen worse patents (<a href="http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=/nEtahtml/search-adv.htm&r=9&p=1&f=G&l=50&d=ptxt&S1=Microsoft.ASNM.&OS=AN/Microsoft&RS=AN/Microsoft">the mouse?</a>). Either way I'll point you to this other article I added to my feed: <a href="http://techdirt.com/articles/20080228/003450379.shtml">Patents, Copyrights, Trademarks, Oh My!</a><br /><br />
Now, for the spin, and the true point of this post. If you look at the article you'll see an ever common tagline, although this one is funnier than most. "<em> Disclaimer: Nilay is a lawyer, but he's not your lawyer, and none of this is legal advice or analysis."</em> I laugh aloud every time I read one of these. It reminds me of the "warning" on coffee (May Be Hot), or the cautions on strollers (Remove Child Before Closing). Are people really that dumb? Or worse are they really that sue happy -- looking at the context of the article, I guess so. But do we now need to write a disclaimer each time we give our opinion based on a job title? Leave your thoughts in the comment section...<br /><br />
<em>Disclaimer: Justin is a guy who is attempting to write a blog, but he doesn't write your blog. Anything within his blog should be considered his own opinion and not yours. 
Unless it is your opinion too.</em><div class="blogger-post-footer">http://www.justinwray.com</div>Justin M. Wray<br /><br />
<h2>The Laws of Full Disclosure</h2>
Published 2008-02-27T03:02:00.003-05:00, updated 2008-02-27T04:04:09.457-05:00<br /><br />
I added a really interesting article (from Security Focus) to my Interesting News feed. If you are new to my Blog or News Feed, please check it out. I add stories/content I find interesting.<br /><br />
<span style="font-weight: bold;">The Article</span>: <a href="http://www.securityfocus.com/columnists/466/"><span style="font-weight: bold;">The Laws of Full Disclosure</span></a><br /><br />
<span style="font-weight: bold;">Summary</span>: A Security Focus contributor researches the legality of disclosing vulnerability information to the public in twelve European countries.<br />
<ul><li><span style="font-style: italic;">Belgium</span> - Illegal with Conditions - Full Disclosure of vulnerability information is proved to have caused harm to the vendor, is proved to be written for the sole purpose of an intrusion (hacking), or is proved to have been a breach of an employment contract/non-disclosure agreement.</li><li><span style="font-style: italic;">Denmark</span> - Illegal with Conditions - If you are an employee or contractor for the software development company, vulnerabilities are considered "trade secrets". Releasing detailed instructions to exploit the vulnerability can be considered "assisting in a crime." 
A competing software company would be fined for releasing such information.</li><li><span style="font-style: italic;">Finland</span> - Proof of Concept Illegal with Conditions - Concept code can only be prepared for a CERT.</li><li><span style="font-style: italic;">France</span> - Mostly Legal - Only illegal when you use the attack or share confidential/proprietary information.</li><li><span style="font-style: italic;">Germany</span> - Legal</li><li><span style="font-style: italic;">Greece</span> - Legal</li><li><span style="font-style: italic;">Hungary</span> - Legal with Conditions - If the information you release is incorrect you can be held liable for damages. It cannot violate patent or copyright clauses.</li><li><span style="font-style: italic;">Ireland</span> - No Laws - Having "tools" that can result in an intrusion could be a crime, but disclosing vulnerabilities is an uncharted area.</li><li><span style="font-style: italic;">Italy</span> - Legal with Conditions - You cannot decompile code, unless working on interoperability.</li><li><span style="font-style: italic;">Poland</span> - Legal</li><li><span style="font-style: italic;">Romania</span> - Illegal with Conditions - If the information is used in an intrusion. In addition writing exploit code is illegal.</li><li><span style="font-style: italic;">UK</span> - Legal</li></ul>
Four out of the twelve countries have laws that make it illegal to release vulnerability/security information. Three enforce constrictions on the disclosure. Leaving only four countries that allow disclosure (with the last country being neutral).<br /><br />
<span style="font-weight: bold;">Comments</span>: This article causes me great concern. I find it absurd that in the year 2008, with the average person starting to think about security, that we would be limiting research. 
Obviously the only way to secure software is to test it, and then release the information you find. If they disallow people to disclose the information, the vendor may never know about the issue, let alone fix it! If they do allow disclosure to the vendor but not the public, then you fall in the issue with vendors ignoring security concerns. Or worse the users never knowing they're at risk. Reasonable Disclosure versus Full [Public] Disclosure has been a debate of the security community for all of time, and both have a time and place, but outright criminalizing disclosure and research is insane. I really hope these laws are reviewed.<br /><br />
Leave your comments in the comment section, and if you feel so inclined (and live in one of these areas), contact your government and let them know your concerns.<div class="blogger-post-footer">http://www.justinwray.com</div>Justin M. Wray<br /><br />
<h2>Google Reader and Interesting News</h2>
Published 2008-02-27T01:47:00.004-05:00, updated 2008-02-27T02:25:03.790-05:00<br /><br />
<p> <b> Get all your news and blogs in one place with Google Reader</b><span style=""><img src="https://www.google.com/accounts/reader/screenshot_en.gif" height="206" width="365" /></span> </p> <span style=""> With Google Reader, keeping up with your favorite websites is as easy as checking your email. <table id="columns"> <tbody><tr> <td id="screenshot"> <br /></td> <td> <ul id="points"><li> <strong> Stay up to date </strong> Google Reader constantly checks your favorite news sites and blogs for new content. 
</li><li> <strong> Share with your friends </strong> Use Google Reader's built-in public page to easily share interesting items with your friends and family. </li><li> <strong> Use it anywhere, for free </strong> Google Reader is totally free and works in most modern browsers, without any software to install. </li></ul> <a href="http://www.google.com/intl/en/googlereader/tour.html" id="tour-link"> Take a tour »</a></td></tr></tbody></table></span><br />
I started using Google Reader over a week ago. I more or less grew tired of re-adding all of my "feeds" to each "feedreader" I sit in front of, or re-emailing myself my OPML file each time I make a change. An online reader seemed to be a happy solution to this problem. Allowing me to view all of my news feeds, no matter where I am (even on my Blackberry).<br /><br />
There are a handful of them out there, and in the past I have used a few others. But this was the first time I really made an honest attempt. And Google takes the cake (in my opinion). 
I highly suggest everyone checks it out.<br /><br />
Here is a list of features I really enjoy:<br />
<ul><li>Feed Recommendation (At first it was annoying, but as I started "starring" content, it became rather fun to look through the recommendations)</li><li>Feed Browsing (You don't even need the RSS URL, you just search for the feed by name, site, content, etc)</li><li>Sharing and Starring (You mark content as starred much like emails in Gmail, this allows me to then share the content almost like Digg and other social news sites, the difference: I control the content)</li><li>Friends (Allowing you to keep track of news your friends find interesting has really never been easier)</li><li>Trends (Structured Analysis of your News Reading and Feeding activities)</li><li>Offline Mode (Allowing you to view content, without updates/connectivity)<br /></li></ul><br />
I would also like everyone to check out my "Interesting News Feed" which provides news I find interesting. It is published through Google Reader and includes an RSS feed, in case you want to keep an eye on my findings. 
In addition, I'll publish blog posts about the really interesting news articles and pass along my two cents.<br /><br />
<a href="https://www.google.com/reader/shared/user/12733250356068973250/state/com.google/starred?hl=en&hl=en&hl=en&hl=en">Interesting News</a> and <a href="http://www.google.com/reader/public/atom/user/12733250356068973250/state/com.google/starred">Feed</a><br /><br />
Enjoy!<div class="blogger-post-footer">http://www.justinwray.com</div>Justin M. Wray<br /><br />
<h2>Blogging - Yeah Right!</h2>
Published 2008-02-27T01:18:00.002-05:00, updated 2008-02-27T01:45:27.071-05:00<br /><br />
Hello Universe...<br /><br />
As I stated in my first post (which was published almost a year ago), I am not very consistent with blogging.<br /><br />
But, at least I keep trying! So here goes...<div class="blogger-post-footer">http://www.justinwray.com</div>Justin M. Wray<br /><br />
<h2>First Post: Blogging</h2>
Published 2007-07-30T13:42:00.000-04:00, updated 2007-07-30T13:49:38.899-04:00<br /><br />
Hello world...<br /><br />
My name is Justin Wray, and to be perfectly honest, I am not a blogger. Never have been, I mean, sure I have tried, but I can't muster up enough energy (or maybe content) to write a post. So, let's give it another try, shall we?<div class="blogger-post-footer">http://www.justinwray.com</div>Justin M. Wray