Low-Cost Rain Gauge Looks for Floods

We’ve seen a lot of uses for the now-ubiquitous ESP chip, including a numerous wilderness-monitoring devices.

Pluvi.on stands out with some attractive solutions and a simple design.

A lot of outdoor projects involve some sort of stock weather-resistance enclosure, but this project has a custom-designed acrylic box. About 4 inches across, the gauge uses a seesaw-like bucket to measure rain—a funnel, built into the enclosure, sends water into the gauge which records each time the bucket mechanism tilts, thereby recording the intensity of the rain. A NodeMCU packing an ESP8266 WiFi SoC sends the data to the cloud, helping predict the possibility of a flood in the area.

[Diogo Tolezano] and [Pedro Godoy] developed Pluvi.on as part of a Red Bull Basement hacker residency in Sao Pãolo, Brazil. Interested in building your own Pluvi.on? They have building steps up on Instructables.

More ESP projects abound on Hackday, including this ESP mini robot, a data-logging hamster wheel, and an ESP32 information display.

Filed under: green hacks http://ift.tt/2wfG2G2 http://ift.tt/2aM8QhC


“Borrow” Payment Cards with NFC Proxy Hardware

Contactless payments are growing in popularity. Often the term will bring to mind the ability to pay by holding your phone over a reader, but the system can also use NFC tags embedded in credit cards, ID card, passports, and the like. NFC is a reasonably secure method of validating payments as it employs encryption and the functional distance between client and reader is in the tens of centimeters, and often much less. [Haoqi Shan] and the Unicorn team have reduced the security of the distance component by using a hardware proxy to relay NFC interactions over longer distances.

The talk, give on Sunday at DEF CON, outlined some incredibly simple hardware: an NFC antenna connected to a PN7462AU, an NRF24L01 wireless transceiver, and some power regulation. The exploit works by using a pair of these hardware modules. A master interfaces with the NFC reader, and a slave reads the card. The scenario goes something like this: a victim NFC card is placed near the slave hardware. The master hardware is placed over a payment kiosk as if making a normal payment. As the payment kiosk reader begins the process to read an NFC card, all of the communications between it and the actual card are forwarded over the 24L01 wireless connection.

The demo video during the talk showed a fast-food purchase made on the Apple Pay network while the card was still at a table out in the dining area (resting on the slave hardware module). The card used was a QuickPass contactless payment card from China UnionPay. According to a 2016 press release from the company, over two billion of these cards had been issued at the time. With that kind of adoption rate there is a huge incentive to find and patch any vulnerabilities in the system.

The hardware components in this build aren’t really anything special. We’ve seen these Nordic wireless modules used in numerous projects over they years, and the NXP chip is just NFC build around an ARM core. The leaps that tie this together are the speed-ups to make it work. NFC has tight timing and a delay between the master and slave would invalidate the handshake and subsequent interactions. The Unicorn team found some speedups by ensuring the chip was waking from suspend mode (150 µS) and not a deeper sleep. Furthermore, [Haoqi] mentioned they are only transmitting “I/S/R Block Data” and not the entirety of the interaction to save on time transmitting over the 24L01 wireless link. He didn’t expand on that so if you have details about what those blocks actually consist of please let us know in the comments below.

To the card reader, the emulated payment card is valid and the payment goes through. But one caveat to the system is that [Haoqi] was unable to alter the UID of the emulator — it doesn’t spoof the UID of the payment card being exploited. Current readers don’t check the UID and this could be one possible defense against this exploit. But to be honest, since you need close physical proximity of the master to the reader and the slave to the payment card simultaneously, we don’t see mayhem in the future. It’s more likely that we’ll see hacker cred when someone builds a long-range link that lets you leave your NFC cards at home and take one emulator with you for wireless door access or contactless payments in a single device. If you want to get working on this, check out the talk slides for program flow and some sourcecode hints.

Filed under: cons, wireless hacks http://ift.tt/2vnhTRF http://ift.tt/2aM8QhC

CookieCatcher – Tool to assist in the exploitation of XSS

CookieCatcher is an open source application which was created to assist in the exploitation of XSS (Cross Site Scripting) vulnerabilities within web applications to steal user session IDs (aka Session Hijacking). The use of this application is purely educational and should not be used without proper permission from the target application.
For more information on XSS visit the following link: http://ift.tt/MiRF7O
For more information on Session Hijacking visit the following link: http://ift.tt/2vZQemX

Prebuilt payloads to steal cookie data

Just copy and paste payload into a XSS vulnerability

Will send email notification when new cookies are stolen

Will attempt to refresh cookies every 3 minutes to avoid inactivity timeouts

Provides full HTTP requests to hijack sessions through a proxy (BuRP, etc)

Will attempt to load a preview when viewing the cookie data


Basic AJAX Attack

HTTPONLY evasion for Apache CVE-20120053

More to come

CookieCatcher is built for a LAMP stack running the following:

PHP 5.x.x



Lynx & crontab


Download the source from github git clone http://ift.tt/2higKo0 or use the ZIP file and extract it on your server.

Setup the directory as a virtualhost in Apache (I won’t go over these details, however, you may ask me via email or you can use google.)

Create a database for the application and load the SETUP.sql file.

Setup a cron job as shown in the SETUP.cron file.

A live demo of the application can be viewed at http://m19.us. Small domain names are recommended to cut down on the character space needed for the payloads.

@disk0nn3ct – Author danny.chrastil@gmail.com
Download CookieCatcher

http://ift.tt/2vcoXjl http://ift.tt/2aM8QhC

[Segurança] Criptografia do Acre

Baseado na história do jovem do Acre que sumiu e deixou vários textos escritos de forma criptografada, alguns tipógrafos criaram uma fonte em homenagem à criptografia do Manual do Escoteiro Mirim, batizada de “Tipografia aCReMisT”. Após baixar e instalar a fonte “Tipografia aCReMisT”, que é grátis, qualquer um pode escrever seus próprios textos criptografados! Quando surgiu a história do http://ift.tt/2f2LsRj http://ift.tt/2aM8QhC

Dispositivos conectados: Como mitigar os riscos que trazem às empresas?

O Crypto ID conversou com o arquiteto de soluções da CYLK Technologing, Leandro Alencar sobre a identificação

Leandro Alencar

dos dispositivos conectados. Como ter segurança sobre a identidade de seus reais usuários.

Crypto ID: Como funciona o relatório de visibilidade de dispositivos conectados?

Leandro Alencar: Inicialmente tratamos as informações de todos os dispositivos conectados à rede, sejam eles dispositivos tradicionais, BYOD ou IoT. Logo após o processo de discover (trabalho de mapeamento de todos os dispositivos), classificamos cada um desses dispositivos e os incluímos em um ambiente específico (VLAN), para garantir maior segurança com a segmentação de rede efetiva e para poder controlar e identificar se cada um deles está se comportando como esperado. Por exemplo, verificamos se uma câmera CFTV comporta-se mesmo como uma câmera, com base em um fingerprint do dispositivo.

Crypto ID: Quais os benefícios de identificar todos os dispositivos e o que contém os relatórios?

Leandro Alencar: Apresenta visibilidade de ameaças que antes não estavam mapeadas, classifica potenciais acessos não autorizados, identifica dispositivos contendo riscos, controla e mitiga ameaças antes de tornar-se uma. Ao identificar 100% dos dispositivos conectados à rede, agrega-se mais segurança e controle do ambiente. Com isso, é possível proteger os pontos cegos das empresas, que normalmente são as principais portas de entrada dos cyber criminosos.

Crypto ID: Quais são os dispositivos conectados a nossa rede, que geralmente não são facilmente identificados?

Leandro Alencar: Os dispositivos conectados à uma rede que não costumam ser facilmente identificados são os dispositivos BYOD (smartphones, smartwatches, tablets) e dispositivos IoT (CFTV, TV inteligentes, dispositivos médicos e até mesmo uma geladeira ou ar condicionado conectados à internet).

Crypto ID: Quais cuidados necessários em nossa rede, com o avanço da Internet das Coisas (IoT)?

Leandro Alencar: Com o avanço da Internet das Coisas, há cada vez mais dispositivos que não podemos controlar, impossibilitando que sejam executados procedimentos básicos de segurança, como a aplicação de patches ou a instalação de antivírus. Estes dispositivos “invisíveis” são, portanto, alvos fáceis para cybercriminosos, que os utilizam como porta de entrada ou como vetores para ataques mais complexos.

Crypto ID: Como funciona a conectividade dos dispositivos dentro de uma empresa?

Leandro Alencar: Normalmente, para se conectar um dispositivo tradicional ao ambiente de uma empresa, ele recebe um endereço IP válido para a rede interna, sem nenhum tipo de verificação dos softwares que estão instalados ou atualizações de sistema operacional. A situação é mais complexa quando se trata de um dispositivo IoT ou BYOD, já que eles não suportam a instalação de softwares de antivírus nem daqueles que fazem a validação dos serviços que eles estão rodando, Com isso, em muitos casos, o gerenciamento desses dispositivos acaba sendo negligenciado.

O post Dispositivos conectados: Como mitigar os riscos que trazem às empresas? apareceu primeiro em CRYPTOID.

http://ift.tt/2weXhY2 http://ift.tt/2aM8QhC

These Twenty Wheels, Wings, and Walkers Won $1000 In The Hackaday Prize

Today, we’re excited to announce the winners of the Wheels, Wings, and Walkers portion of The Hackaday Prize. We were looking for the next generation of robots, drones, machines that make machines move, and hackers who now know far too much about inverse kinematics. The results were spectacular.

Hackaday is currently hosting the greatest hardware competition on Earth. We’re giving away thousands of dollars to hardware creators to build the next great thing. Last week, we wrapped up the third of five challenges. It was all about showing a design to Build Something That Matters. Hundreds entered and began their quest to build a device to change the world.

There are still two more challenges in The Hackaday Prize. If you’re working on Assistive Technologies, the time is now, with this portion of the Prize ending September 4th. After that, Anything Goes. The Anything Goes challenge is the catch-all, and we’re looking for the best projects, full stop.

The winners of the Wheels, Wings, and Walkers challenge are, in no particular order:

Wheels, Wings, and Walkers Hackaday Prize Finalists:

Archelon ROV

Open Source Underwater Glider

rDUINOScope Boiana

ALICE: Robotic Exoskeleton



RoadRunner – Powered Running Stroller

Ultra Servo

Bloodhound: Autonomous Radiolocation Drone

Assistive Exoskeleton Arm (ExoArm)

6-Axis Micro Manipulator

n3m0 the autonomous boat



EVPR: Electric Variable Pitch Rotor

NAVI – Hey, Listen!




Pablo Odysseus

All Fantastic Projects

The entries in this round of the Hackaday Prize are exactly what we’re looking for in the Wheels, Wings, and Walkers challenge. There were ships and submarines, projects that use drones in novel ways, interesting flying platforms, projects that are destined for the next generation of open robotics, and projects that just barely move very precisely. The one project on Hackaday.io that most appeals to our reptilian brain — a lawnmower powered quadcopter / decapitron — is getting an upgrade with wireless variable pitch rotors.

Entry is Still Open for the 2017 Hackaday Prize

The Assistive Technologies challenge runs until September 4th, after which we’ll select 20 projects to win $1000 and move onto the finals of The Hackaday Prize. From there, one project will be awarded the grand prize of $50,000 and five other top finalists will receive prizes ranging from $30,000 to $5,000.

The HackadayPrize2017 is Sponsored by:

Filed under: Hackaday Columns, The Hackaday Prize http://ift.tt/2udtcGX http://ift.tt/2aM8QhC