A Virginia DEF CON community
As a reminder, anyone who wants one of these should bring $15 to the December 16 meeting. You’re welcome to assemble them with the group during the meeting, or take it home and do it later. It’s a pretty easy assembly, just five wires to solder to the Wemos and the LED assembly, and then apply some code to make it do its magic.
So I happened upon an auction for a collection of HP All-In-One PCs. I’ve always thought they were great general purpose solutions for classroom, lab, specific location browser use. Not what any PC fetishist would want, but fine for group use or general use purposes.
The price was right, so I picked them up, not knowing the complete specs, with only pictures and a “tested and working” claim attached to them.
I fired the first one up during the November meeting the other night. It booted into Windows, with an enterprise login screen for a medical group — brilliant, they sold medical PCs without wiping the hard drives. Mucked around with the BIOS settings so that I could boot Ubuntu to determine the specs of the machine without opening it up, found out it had bitlocker, which didn’t like me mucking with BIOS settings.
Tried to install Kali via Fog, something was busted in my Fog installation, so I just installed Ubuntu from a USB. It turns out they have an i5 4590s quad-core in them, along with 8GB RAM and a 500GD HDD. 4x USB 3.0 ports, 2x USB 2.0 ports. Gigabit ethernet and Wifi built-in. Not too shabby, glad I picked up this auction.
So the other night, I fixed Fog (firewalld was blocking TFTP), and deployed Kali. Updated and re-captured the image so that the future builds would be more up-to-date, then imaged the second unit this morning. Imaging a new unit just takes two minutes when connected via Gig-E.
Late last night I noticed one showed a CD in the drive. Popped the tray, and what do I find but a CD, labeled by a medical services vendor, with the attached label on it.
The file on the CD was a PDF file. The file name was the patient’s full name in last, first middle format.
It took just a minute or to to create a file with every possible date for the last century, seconds to normalize the password hash so that security tools could use it, and then just seconds to run a brute force tool against the hash using the wordlist I created. Within just a few minutes of discovering the CD, I was able to view a patient’s FULL MEDICAL HISTORY.
Some lessons here:
1) DON’T leave sensitive media in PCs that are going up for auction or to be “destroyed.” Never trust that process to someone else. Remove ALL media — USB, CD, hard drives, etc. Wipe/destroy them separately.
2) DON’T put a label on something telling whoever has possession of it the exact format of a password — it really narrows things down and makes it much easier for us to “guess” it.
3) DON’T make the filename the person’s full name.
4) DON’T use DOB as a password field. It’s absolutely not complex enough. Make it a long password and hand that piece of paper to them separately, or make it available in your highly-secured medical portal.
The LED Marquee 3d-printed parts are finished! They should be here by the end of the week, and who knows, maybe the Shenzhen parts will be here by then too!
Ready for the group build?
Our November meeting is tomorrow evening Monday 11/18. Show up as early as six if you want. We’ll be in the basement again, it’s so much more comfortable than the library. Registration on the dc540.org website, remember, not on Meetup.
I will try to put some lighting in the side and back yards to make the path easier to navigate now that it’s getting darker earlier. I promise you won’t get murdered here, this is a nice neighborhood.
BYOB if you’re picky. There’s still some Durian candy left over.
As expected, the LED marquee group build stuff won’t be here in time for tomorrow’s meeting, but really should be here in time for the December meeting.
If there’s something you want to say, learn, try or do during the meeting, speak up. I’m just a facilitator, not a leader. 🙂
My kink is fringe culture, always has been. What’s yours? Bring something for show and tell.
LOL, first they annouce the pricing change, NOBODY is accepting that. So they tried to walk it back, saying it was meant to be a “test” for “select groups.”
Riiiiiiiiiiiight….
Now they’re messing with the employees.
Anyone who knows me knows I’m a bit of a phone fetishist. I was about sixteen when I first involved myself with phreaking, switch-hook dialing and fun stuff like that. I worked at an answering service manning a large vintage analog switchboard.
So I greatly enjoyed coming across this article when researching Loudoun County history.
loudounhistory.org-The-Development-of-the-Telephone-in-Loudoun-County
I’ve been staring at this tab that I’ve left open on my browser for days now. Do I really need another project? I mean you guys don’t know half the projects I’ve got going on already.
I try to push it out of my mind, each time there’s a new amazing project on the table, but my FOMO kicks in, and tells me, “BUT I NEED IT!”
I really don’t.
I didn’t need the VIC-20.
I didn’t need Project GoCube.
I didn’t need the Project MF Blue Box.
I didn’t need the Altairduino or the PiDP8/i.
Nor do I need this. BUT I NEED IT!
Thanks to 801Labs @_bashNinja for a wonderful holiday gift idea.
I’d love to do this at the November meeting, but I sincerely don’t believe the parts will be here in time. 801Labs announced they are doing this project as a December group build, and they are offering the kits for $10. I thought I’d play along and do it through our group as well.
I couldn’t justify sourcing enough to get the price QUITE that low. I can do them for $15/each. If there’s enough interest.prepayment I’ll order more. Like 801, this is a group build in person, I’m not doing shipping for these.
So if anyone wants to participate in the group build for these, I should have all the parts in time for the December meeting. Any leftovers will be held for future meeting attendees.
It’s a simple but elegant LED marquee display in a 3d-printed case using a Wemos D1 mini Wifi IOT module and a 4-in-1 dot matrix LED module. I ordered them in white PLA and red LEDs, just like the photo. By default it will display time, bitcoin price, random advice, weather, maybe a few other configurable things, but once you get it in place, you can likely make it do display anything you want. I was thinking it might be fun to add in a display when someone logs into the DC540 Citadel BBS.
Getting the Altair-duino working was such a rush that I’ve decided to hang onto the momentum and get the PiDP8/I going next.
So I’m finally getting around to digging into the cDc book, which I preordered and was looking forward to.
I’ve only completed the first few chapters, but reading this book is like reading my own story. Trafficking in MCI numbers, hoarding esoteric text files, running multiple BBSes over the years. Close calls, and learning from the mistakes of others. Familiar names.
I feel like it’s time to release a set of text files about MY history, and see what comes out of the woodwork.
They’ll be on the citadel. There is no better place for them. If it takes five years for the right people to find them, then so be it.
I might drop some knowledge on different techniques that might be used to carve a successful career on your own from a disadvantaged position.