WP Woocommerce Vs Shopify

Posted on August 21, 2020 (updated September 6, 2020). Categories: Uncategorized

The WooCommerce plugin is meant to turn WordPress, which was originally designed as a blogging platform, into an e-commerce store, while Shopify is an e-commerce platform from the start. What is the difference between WooCommerce and Shopify?

The first difference is simplicity: Shopify is simple, while by comparison WooCommerce is extremely complex and not easy to use. With WooCommerce, you are responsible for setting up the payment settings yourself, and then you have to deal with settings that are cumbersome and clunky to use.

Shopify themes work with Shopify by default. WordPress themes are not all designed for WooCommerce by default, and even when they are, you end up fighting to make the theme and WooCommerce work together the way they are supposed to.

The con is that Shopify charges $29 a month for its smallest plan, so why would you pay all that money?

How much do you pay for WordPress Hosting?

If you are paying more than $29 a month for WordPress hosting, then we would recommend switching over to Shopify if you only have ten unique items for sale; variants of an item, like different colors or sizes, are currently unlimited.

We will keep updating this post with feedback; it is based on our own experience and that of our customers.

How To Solve The 200 Point Biohacking Village CTF Question

Posted on August 13, 2020 (updated September 3, 2020). Categories: cyber security, data breach

The story around the question was long, with hundreds of paths of thought to go down; it was so well written that it explained everything that happened in the hospital, down to the sticky notes on the computers and what was written on them. If it were shorter it could have been a fictional ode memoir; an ode memoir is written only from things you take in with your senses and can explain factually.

The question itself was simply: “What are you going to do to make it through the long night? We need some creative, specific ideas we can share with others. There are no wrong answers.”

A vague question indeed, but then it caught my eye that the answer had to be 100 characters long, which makes it tweet-worthy. This had to be something the hospital could tweet out to give its users confidence that everything is fine.

I knew I was on to something, so I re-read the story and focused on what would solve the problem, not on all the paths by which the problem could have been created. I came to an answer, one I tell clients all the time and that we repeat all the time in our business. So as not to ruin the fun of it, I won’t tell you what that answer is, but the CTF is really just testing your common information security logic in this scenario. It took ten minutes at most and was a lot of fun. I then answered a bunch of acronym questions, plus the hundred points from the other write-up. That’s how I got 355 points in just a few hours, having joined towards the very end of the CTF. It was fun and I look forward to joining the Biohacking Village’s next CTF.

We hope you’ve enjoyed these write-ups and apologize that they can’t be clearer. If you enjoy them, please subscribe to our mailing list, which the pop-up will ask you to do. We have a lot more research coming out, since Bitfi just sent us their newer devices after we published a Bitfi exploit for their older version on Twitter.

DEF CON 28 Tridium 95 CTF Biohacking Village write-up

Posted on August 12, 2020 (updated September 6, 2020). Categories: Uncategorized

At DEF CON 28 our founder entered the Biohacking Village CTF, which involves testing devices. A CTF tests real-life programs, or in this case medical devices, into which the organizers have placed what is usually a piece of text, called a flag, that we have to find and then report. The team with the most points gets a big prize.

The Biohacking Village uses real medical devices that we get to examine and find the problems in. In the scenario I am discussing, we were given a log from a Tridium 95, in which we had to find the problem and the flag, and then submit it. Think of it as an extremely complex puzzle that is a ton of fun.

For the more technically advanced: we were given a pcap from the Tridium 95, which uses the BACnet protocol. Specifically, the traffic was BACnet-APDU, where APDU stands for Application Layer Protocol Data Unit.

Figure: pcap in Wireshark from the Biohacking Village at DEF CON 28

As you can see, this is just two machines: one claiming to be a Dell, checking which device is using an internal IP address, and the other identified only by a MAC address, which stands for Media Access Control. A MAC address is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment; in other words, it is a way to give a device its own unique fingerprint on that network.

I, of course, was very interested in the BACnet protocol and went through the packets, and it wasn’t until I saw a packet containing a message that said something to the effect of “you’re still looking for the flag, aren’t you?” that I knew I had missed something. So I went back up, reviewed the packets prior to that message, and discovered there were communications between a Honeywell device and a device called a Tridium 95. I then did some googling to find out what the Tridium 95 does. From there I read up on which packets would be sending that type of code. That’s how I found the flag. I am not sharing what the flag looked like, but I will say that what you think the flag is isn’t in fact the accurate thing to submit.
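As an added example (not code from the original write-up or from the CTF), here is a small Python decoder for BACnet/IP frames of the kind that pcap carries: it walks the BVLC and NPDU headers, names the APDU type and service choice per ASHRAE 135, and pulls out any readable text riding inside the APDU, which is where a text message like the hint packet above would sit. The three sample frames at the bottom are constructed for this example and are not taken from the capture.

```python
import re
import struct

PDU_TYPES = {0: "Confirmed-Request", 1: "Unconfirmed-Request", 2: "Simple-ACK",
             3: "Complex-ACK", 4: "Segment-ACK", 5: "Error", 6: "Reject", 7: "Abort"}
UNCONFIRMED = {0: "i-Am", 1: "i-Have", 5: "unconfirmedTextMessage",
               6: "timeSynchronization", 7: "who-Has", 8: "who-Is"}
CONFIRMED = {12: "readProperty", 14: "readPropertyMultiple", 15: "writeProperty",
             16: "writePropertyMultiple", 20: "reinitializeDevice"}

def decode_bacnet_ip(payload: bytes) -> dict:
    """Parse one UDP/47808 payload into the fields an analyst triages first."""
    if len(payload) < 6 or payload[0] != 0x81:
        raise ValueError("not a BACnet/IP (BVLC type 0x81) frame")
    if struct.unpack(">H", payload[2:4])[0] != len(payload):
        raise ValueError("BVLC length field does not match the payload length")
    control = payload[5]
    info = {"bvlc_function": payload[1], "expects_reply": bool(control & 0x04)}
    pos = 6
    if control & 0x20:                          # DNET, DLEN, DADR present
        info["dnet"] = struct.unpack(">H", payload[pos:pos + 2])[0]
        pos += 3 + payload[pos + 2]
    if control & 0x08:                          # SNET, SLEN, SADR present
        info["snet"] = struct.unpack(">H", payload[pos:pos + 2])[0]
        pos += 3 + payload[pos + 2]
    if control & 0x20:                          # a hop count follows the DNET
        pos += 1
    if control & 0x80:                          # network-layer message: no APDU
        info["pdu_type"] = "network-message"
        return info
    apdu = payload[pos:]
    pdu_type = apdu[0] >> 4                     # PDU type is the top nibble
    info["pdu_type"] = PDU_TYPES.get(pdu_type, "unknown")
    if pdu_type == 0:                           # max-resp, invoke id, [seq, window], service
        info["invoke_id"] = apdu[2]
        svc = apdu[5] if apdu[0] & 0x08 else apdu[3]
        info["service"] = CONFIRMED.get(svc, "confirmed-%d" % svc)
    elif pdu_type == 1:                         # service choice follows the type byte
        info["service"] = UNCONFIRMED.get(apdu[1], "unconfirmed-%d" % apdu[1])
    elif pdu_type in (2, 3, 5):                 # invoke id, [seq, window], service
        info["invoke_id"] = apdu[1]
        svc = apdu[4] if pdu_type == 3 and apdu[0] & 0x08 else apdu[2]
        info["service"] = CONFIRMED.get(svc, "confirmed-%d" % svc)
    # Readable text inside the APDU (a text message, an object name) is worth a look
    info["strings"] = [m.decode() for m in re.findall(rb"[ -~]{4,}", apdu)]
    return info
# Constructed sample frames (not from the CTF pcap): Who-Is broadcast, I-Am, text message
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")
I_AM = bytes.fromhex("810a00140100" "1000c4020000012205c491002108")
TEXT_MSG = bytes.fromhex("810a0020010010050c0200000129003d0f00") + b"still looking?"
```

Running the decoder over every UDP/47808 payload in a capture and listing the service names and extracted strings per source and destination gives a quick map of who is talking to whom, and any odd text stands out immediately.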

What tools did you use?

Just Wireshark, a tool for analyzing pcaps.