I recently needed to go on holiday, and was staying in a hotel with WiFi. Out of an abundance of paranoia, I decided to try to set up a “router” that could sit between my devices and the hotel network.
Requires a USB wifi NIC in addition because the Pi has only one wireless interface.
I don't know why they needed to name a travel router this, but whatever.
EFF’s Street-Level Surveillance project shines a light on the surveillance technologies that law enforcement agencies routinely deploy in our communities. These resources are designed for advocacy organizations, journalists, defense attorneys, policymakers, and members of the public who often are not getting the straight story from police representatives or the vendors marketing this equipment.
Whether it’s phone-based location tracking, ubiquitous video recording, biometric data collection, or police access to people’s smart devices, law enforcement agencies follow closely behind their counterparts in the military and intelligence services in acquiring privacy-invasive technologies and getting access to consumer data. Just as analog surveillance historically has been used as a tool for oppression, we must understand the threat posed by emerging technologies to successfully defend civil liberties and civil rights in the digital age.
Imports vulnerability data from your continual monitoring and scanning infrastructure and does all the legwork of documenting, finding references, mapping to CVEs, and so forth.
Faraday aggregates and normalizes the data you load, allowing you to explore it through different visualizations that are useful to managers and analysts alike.
Uses Postgres as its back-end.
This is a playground (and dump) of stuff I made, modified, researched, or found for the Flipper Zero.
There's a lot of everything in here, from customized apps, BadUSB scripts, hardware specs for modders, GPIO interface shenanigans and interface pinouts, hardware troubleshooting, sound and music stuff, and sub-GHz captures and dissections for just about everything. It's an impressive collection.
Hummusec's port of Samy's magspoof software to the Flipper Zero firmware platform.
This is for anyone who seeks to enhance their digital hygiene and security in light of anticipated or existing threats, but it is especially designed for women, Black, indigenous, and people of color, trans people, and everyone else whose existing oppressions are made worse by digital violence. It details best security practices for social media, email, online gaming, website hosting, and protecting privacy of personal information online, as well as the documentation and reporting of harassment, and caring for yourself emotionally during an online attack. You don’t need any specialized knowledge to use this guide – just basic computer and internet skills.
The authors of the guide have all been targets of cyber attacks ourselves; we’ve written the guide we needed when the attacks on us began. We’re all based in the USA, but we’ve done our best to make it useful no matter where you live.
Threat Modeling is the process of building and analyzing representations of a system to highlight concerns about security characteristics.
Threat Modeling is a pro-active and iterative approach for identifying security issues and reducing risk. The output of a threat modeling exercise is a list of threats - or even better - risks, that further inform decisions in the continued operation of the system. This process can be performed prior to any code being written or infrastructure deployed. This makes it very efficient in identifying potential threats, vulnerabilities and risks.
Large data-hungry corporations dominate the digital world but with little or no respect for your privacy. Migrating to open-source applications with a strong emphasis on security will help stop corporations, governments, and hackers from logging, storing or selling your personal data.
Yopass is a project for sharing secrets in a quick and secure manner. The sole purpose of Yopass is to minimize the amount of passwords floating around in ticket management systems, Slack messages and emails. The message is encrypted/decrypted locally in the browser and then sent to Yopass without the decryption key, which is only visible once during encryption. Yopass then returns a one-time URL with the specified expiry date.
There is no perfect way of sharing secrets online and there is a trade-off in every implementation. Yopass is designed to be as simple and "dumb" as possible without compromising on security. There's no mapping between the generated UUID and the user that submitted the encrypted message. It's always best to send all the context except the password over another channel.
Messages can only be viewed once. Messages can self-destruct automatically. No accounts or registration is required.
Has CLI functionality built in.
Uses memcached or redis as its back-end.
Public instance: https://yopass.se/
CORS (Cross-Origin Resource Sharing) is hard. It's hard because it's part of how browsers fetch stuff, and that's a set of behaviours that started with the very first web browser over thirty years ago. Since then, it's been a constant source of development; adding features, improving defaults, and papering over past mistakes without breaking too much of the web.
Anyway, I figured I'd write down pretty much everything I know about CORS, and to make things interactive, I built an exciting new app.
A password manager/generator that takes a master password, a URL, a username, and optionally a serial number (for when you have to change passwords) and (re)generates the password for you. Requires no database or third party storage - the right password is always generated for you. Desktop versions, browser plugins, and a CLI tool.
No notepad feature, so no storing your 2FA recovery codes there.
GitHub: https://github.com/lesspass/lesspass
The number of IMSI-catchers (rogue cell towers) has been steadily increasing in use by hackers and governments around the world. Rogue cell towers, which can be as small as your home router, pose a large security risk to anyone with a phone. If in range, your phone will automatically connect to the rogue tower with no indication to you that anything has happened. At that point, your information passes through the rogue tower and can leak sensitive information about you and your device. Currently, there are no easy ways to protect your phone from connecting to a rogue tower (aside from some Android apps which are phone specific and require root access).
This project demonstrates how you can create a rogue cell tower detector using a Raspberry Pi and a SIM 900 module. The detector can identify rogue towers and triangulate their location. The demonstration uses a SIM 900 GSM module to fingerprint each cell tower and determine the signal strength of each tower relative to the detector.
Tools, scripts and tips useful during Penetration Testing engagements.
The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.
The CSRC provides a searchable database of resources on the topic of counter-surveillance, with a focus on targeted surveillance against people who have things to hide. We want to help anarchists and other rebels acquire a practical understanding of the surveillance threats they may face in their struggles and in their lives. We prefer resources written by friends and understandable without prior technical knowledge.
A curated checklist of tips to protect your digital security and privacy.
A smart solution to the problem of passwords. Cloverleaf generates passwords on demand, using the name of the app you're making a password for and a master password to derive a passcode. Enter those two things and you don't need to store the passcode because you can re-generate it whenever you want.
Can be installed as a native app and used offline.
GitHub: https://github.com/cloverleaf/web
The HTTP response headers that this site analyses provide huge levels of protection and it's important that sites deploy them. Hopefully, by providing an easy mechanism to assess them, and further information on how to deploy missing headers, we can drive up the usage of security based headers across the web.
Script that will detect if a stranger is trying to use your laptop or if a stranger/authorized driver is trying to drive your car. This script will detect the face, and send you an email if the new user is not identified.
Repository containing useful links for all things Physical Security.
A curated list of awesome guides, tools, and other resources related to the security and compromise of locks, safes, and keys.
chasquid is an SMTP (email) server with a focus on simplicity, security, and ease of operation.
It sends and receives email as a typical MTA (for example, can be used instead of Postfix or Exim), and it is designed mainly for individuals and small groups.
It's written in Go, and is open source under the Apache license 2.0.
A wireless auditing tool implemented as a shell script that uses other tools to do the job.
A site that documents the practice of letterlocking - cleverly folding, cutting, and sealing letters in the 17th century for tamper evidence and security.
Ultimate Internet of Things/Industrial Control Systems reconnaissance tool.
Requires an API key for SHODAN.
Teaching the server tech you need for development and production. Eliminating the frustration of server configuration. Databases, configuration management, containers, proxies, security, PHP, and much more.
With their small size and ubiquitous use, we’ve become quite accustomed to commercial home-monitoring camera systems — so much so that they tend to fade into their settings, even when prominently placed up front and center. It’s an extension of camera-equipped-everything maneuvering us to take the constant recording of our lives for granted.
A curated list of resources for learning about vehicle security and car hacking.
A page that talks about passive and active sonar sensors. Security uses, especially the seismics. Links to other books and DoD video footage. I think this would be useful for training as well as surveillance applications.
GitHub repo for the MIT RFID ring kit. Includes greyprints for fabbing your own rings.
The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography. As an example of the effect OpenBSD has, the popular OpenSSH software comes from OpenBSD.
Daniel J. Bernstein's homepage. There are tools and code galore here - check it out!
A utility which can be used to recover the passphrase for a PGP or GnuPG key.
Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing encryption, authentication, deniability and perfect forward secrecy.
An impressive collection of research papers, exploits, and utilities.
A framework used by penetration testers for building custom exploits for infiltrating systems. Written in Ruby. Comes with a large library of payloads and other nifty and fascinating tools. It's worth learning to use if you're serious about penetration testing or exploit development. Also, the cutting edge of attack technologies winds up coming out of the Metasploit project.
Proof of concept utilities for raw 802.11 injection.
A daemon that runs on a *nix machine that simulates a network of other systems (of many different operating systems) for the purposes of catching and monitoring intruders.