Web Scraping Hotel Prices for Fun and Savings

Introduction

During the process of planning a vacation, I came across a nice hotel I wanted to stay at. When looking at some possible dates, I noticed the nightly rate would fluctuate dramatically. This made me question if I was going to wind up paying way more just because I wanted to stay at the hotel on a certain day.

Then I considered the alternative - maybe I could scrape the prices every day to find the cheapest nightly rate. Sounded like a job for Python, BeautifulSoup, and some whiskey.

Read More

SANS Holiday Challenge 2014 - Writeup

Introduction

Back in December, SANS released another installment of their annual holiday challenge. I enjoyed taking on the 2012 challenge, so I was excited to see what SANS had in store this year. This year’s challenge didn’t disappoint with a nice mix of basic network recon, web application hacking, and some forensics. This post will detail how I found each required “secret” to solve the challenge.

I’d like to extend a personal thanks for all the hard work SANS puts in to putting on this challenge every year.

Read More

Author image Jordan Wright

Why Deleting Sensitive Information from Github Doesn't Save You

So you accidentally committed a password or API key to Github. Ouch.

“No problem!”, you think, “I’ll just follow Github’s helpful information on how to delete sensitive information and I’ll be fine!”

Just today, I saw a great article detailing one developer’s experience with committing sensitive information to Github. Unfortunately, this article missed the main point. In this post, I’m going to show exactly how hackers instantly harvest information committed to public Github repositories, and why deleting this information doesn’t solve the problem.

Read More

Author image Jordan Wright on #github,

What InfoSec Learned in 2014

Busy year.

It seems as though each year brings more and more events that throw our industry into the forefront of attention - and they’re never good. At the same time, it’s key to remember that these events allow us to learn and evolve as an industry. Let’s take a look at some of the key things we as an infosec industry can learn from 2014:

Read More

Author image Jordan Wright on #infosec,

What Happens if Tor Directory Authorities are Seized?

Introduction

The Tor Project has announced that they have received threats about possible upcoming attempts to disable the Tor network through the seizure of Directory Authority (DA) servers. While we don’t know the legitimacy behind these threats, it’s worth looking at the role DA’s play in the Tor network, showing what effects their seizure could have on the Tor network.*

Read More

Author image Jordan Wright on #tor,

Chrome Tracks Every Key Typed into the Omnibox

> Friendly Reminder: Browser makers may track every key you type in the URL bar

Introduction

Technologies like Google Chrome’s Omnibox makes searching easier. However, these quick search suggestions come at a price. This post is a friendly reminder that you may want to consider turning off predictive search to protect your privacy.

Read More

My (Probably Boring) Research Papers on Security

Introduction

I’ve always been a proponent and contributor of open-source projects and information. I strongly believe that information and knowledge should be shared as much and as freely as possible - progress happens this way.

As such, I’ve decided to “open-source”, if you will, the academic essays I wrote regarding information security and software development my last couple of semesters at Texas Tech. It’s my hope that people find these useful, either by provoking thought and discussion or simply by serving as material to help people fall asleep a little easier.

Please bear in mind some of these papers were written the night before in a short time-span.

Read More

Creating Tor Hidden Services with Python

Introduction

Tor is often used to protect the anonymity of someone who is trying to connect to a service. However, it is also possible to use Tor to protect the anonymity of a service provider via hidden services. These services, operating under the .onion TLD, allow publishers to anonymously create and host content viewable only by other Tor users.

The Tor project has instructions on how to create hidden services, but this can be a manual and arduous process if you want to setup multiple services. This post will show how we can use the fantastic stem Python library to automatically create and host a Tor hidden service.

Read More

Decompiling Android Apps the Easy Way

Introduction

Mobile applications are often viewed as black-box applications. However, these applications often suffer from the same (or similar) vulnerabilities as their web application counterparts.

In a previous post, I showed how we can perform dynamic analysis on iPhone applications by intercepting the inbound/outbound traffic with the Burp proxy. In this post, we’ll explore static analysis of Android apps by looing at a couple of online tools that make decompiling apps into equivalent Java and Smali code trivial.

Read More

Reverse Engineering the We Heart It API

Introduction

A while back, I came across the article from the The Washington Post describing We Heart It, a social network claiming over 30 million users. If you haven’t seen it, We Heart It (from here on out abbreviated as WHI) is a social network which encourages people to post and share photos and images of things that inspire them.

Having such a large user-base, I was interested in seeing what kind of API the site offered developers. However, I was disappointed when I found out that the API was closed to “partners”, and even this is not a full REST API, but rather a simple button developers can place on their website to allow users to interact with WHI.

With this being the case, I decided to take a look at the Android and iPhone apps using both static and dynamic analysis in an experiment to see if I could reverse engineer the API used on the backend. Here are the results.

Read More