A Brief Update To The Original Post on ZKSoftware ZEM500 Authentication Bypass
First things first, I am now on a sabbatical, pursuing alternate avenues for pleasure, not profit... I am semi-retired from security on my own terms... ;)
Username & Password for the device was "root:solokey" in 2013...
I
believe that in addition to getting root, you could play with firmware,
packets and the device's OS (busybox) if you are inclined to explore
every filetype including elf, bat and sh files for getting a better
understanding. You could ALSO use tftp / ftp, ssh or
telnet to upload and download files (for reverse engineering the elf
files). Firmware for the device comes in gzip or tgz (tarred-gzip)
format.
I am NOT very sure or updated on the vulnerability as such. It may have
been reported and fixed by now (I saw THIS in 2013) - I could be wrong,
too... Since some vendors don't fix the vulnerabilities quickly.
Good luck playing with the device!
Cheers,
Kish
Wednesday, October 19, 2016
Sunday, March 27, 2016
Why I hate security "experts" (and "trainers")
Why I hate security "experts" (and "trainers")
Cheers!
Disclaimer: This is a pure rant, with no proper grammar, editing & politically (IN)correct logic... I am known to be politically incorrect, but 110% technically astute. I did NOT write this post to please you... You acknowledge that by reading this you will NOT judge the author of this post and Lucideus reputation as a security / service provider :D
Okay, this post was never meant to be written, but hey, every now and then you get a random love letter (e-mail spam) from _some_ company (read: lucideus)
I never wanted to see this page, being a semi-retired professional, hxxp://www.lucideus.com/security_technology_training.html
Then again when you claim to provide security training using funny jargon words like ATOM (Awareness, Technology, Operations, Management?) - you need to integrate that in to your website and company's security model. You should always practice what you preach, or stop preaching (read: selling snake oil), or be like Bill Clinton, [Telling people] "I am full of shit, I sell snake oil and bullshit" but be honest about it!
Your site is plagued with open ports, ranging from ssh to ftp, and what not! Your site has multiple network, web application (vulns like XSS, CSRF and SQL Injection) and server vulnerabilities, yet you claim to teach Web Application Security, IT Infrastructure Security and Cyber Security, apart from Incident Response which I very much doubt you'd be capable of performing; having a badly developed website which can be pwned by anyone with basic skills in under 40 minutes.
Your site is plagued with open ports, ranging from ssh to ftp, and what not! Your site has multiple network, web application (vulns like XSS, CSRF and SQL Injection) and server vulnerabilities, yet you claim to teach Web Application Security, IT Infrastructure Security and Cyber Security, apart from Incident Response which I very much doubt you'd be capable of performing; having a badly developed website which can be pwned by anyone with basic skills in under 40 minutes.
The worst part about this whole training page is "so-called" trainers using the words VA (Vulnerability Assessment) and PT (Pen Testing) in the same line / like a single word. This is the last time, I'll put up with this bullshit. If you can't differentiate between two different process maps in a security assessment, how the hell do you expect people to trust you? Take up your course? Are people so badly educated that they fall for a badly coded website running Apache?
The least you can do as a security trainer, you have to put your money where your mouth is?! Or atleast don't claim to be a security "expert" / "trainer" who trains people on a regular basis. I won't be surprised, if those 60,000 students from 200 plus organizations, come looking for a refund... haha! ;))
Secure your organization first, then start providing security services and training, be orderly in your business operations. So here's another organization, that can NOT secure themselves, but claim to provide security education, sound like a classic case of Catch-22? Fuel for your brain, haha! :D
Reminds of one meme where vijay kant asks manmohan singh for his "bonafide cetripicate signature" for his "practical ejam dumaaro", ofcourse, he said "bleaaase sir" hahaha! :))
And please spam wisely next time, okay?
Secure your organization first, then start providing security services and training, be orderly in your business operations. So here's another organization, that can NOT secure themselves, but claim to provide security education, sound like a classic case of Catch-22? Fuel for your brain, haha! :D
Reminds of one meme where vijay kant asks manmohan singh for his "bonafide cetripicate signature" for his "practical ejam dumaaro", ofcourse, he said "bleaaase sir" hahaha! :))
And please spam wisely next time, okay?
Cheers!
Labels:
Assessment,
Consulting,
Experts,
Hackers,
Hacking,
Management,
Professionals,
Risk,
Security,
Trainers
Sunday, January 31, 2016
Thank You
Many of my friends and well wishers have been wondering what happened to me and have gotten in touch from time to time in the last year and a half! Thank You! I am alive and well!
>> Originally drafted in December, 2014 <<
I am going to take a long break, an indefinite break from security to pursue alternate avenues and take on new challenges in life. I'd like to take this opportunity to thank my clients, my beloved hard disks, 3 am creativity, caffeine, my laptops, my motorcycle and my first few computers for putting up with me...
On a side note: My love / hate for WhatsApp as always, continues... So when WhatsApp upgrades you to "Life time" validity? Ask yourself what's going on? Free the app? Free that chat?
( HINT: Read free application co. will sell, resell, use your information as means for revenue with multiple companies / corporations / stakeholders )
With two methods to happily hack whatsapp and multiple methods to hack a mobile phone. Think twice before you type 'stuff' on your chat window. Better to be safe than sorry with all those nude selfies floating on the WWW (world's wild web)...
You can still reach me by writing an e-mail... but, you knew that already... haha! ;))
Cheers,
Kish
Subscribe to:
Posts (Atom)