ICMP and Fishy Publications

February 16, 2025 - 14 mins read

Recently I took a class where we had to read a cybersecurity related paper, understand it and then give a presentation on it. The one assigned to me was called “Man-in-the-Middle Attacks without Rogue AP: When WPAs Meet ICMP Redirects”. Diving into it, I was quite surprised about its findings. The researchers describe how they uncover a new MITM attack that can evade the security mechanisms in Wi-Fi networks by spoofing the legitimate AP to send a forged ICMP redirect message to a victim supplicant and thus allow attackers to stealthily hijack the traffic from the victim supplicant without deploying any bogus AP.

Sandevistan

October 14, 2024 - 6 mins read

Challenge files Context It was a day or two after the European Cybersecurity Competition (ECSC) had just finished. Most good and active players across all top teams were busy spending their last hours in Turin or were already traveling back home. This also meant only a handful of teams and players were be playing bluewater CTF 2024 which motivated us to also play as Organizers and get collect some CTFTime points.

Dicounts by Design 3: Same-same different day

February 17, 2024 - 2 mins read

writeup
web

Having now stumbled upon two diferent fortune wheel marketing services (Sleeknote and Poptin) suffering from the same underlying issue on two different climbing related sites, I recently noticed that the first site, that fell into my radar with this problem, had finally substituted their coupon code raffle service with a new one called Wheelio. Being now a self-proclaimed expert in detecting these issues, I was curious to see if the new service had the same problem.

Discounts by Design 2: Revenge of the Lottery Wheel

November 7, 2023 - 3 mins read

writeup
web

Preface Barely a month had passed since I first discovered the Sleeknote spin-to-win wheel of fortune bug when I stumbled on another fortune wheel under similar circumstances as last time. Another climbing Youtuber and professional climber Stefano Ghisolfi did a sponsored segment at the end of his video where he called people to navigate to Lattice Training’s site to potentially win an ‘Ultimate Training Bundle’. Naturally I was again curious of the prize and immediately upon seeing that the draw was using a fortune wheel my interests were peaked even more.

Discounts by Design: Rigging an online raffle

October 2, 2023 - 5 mins read

writeup
web

Premise Recently, a popular Youtuber and a professional climber Magnus Midtbø started his brand of bouldering apparel and accessories called Rungne. Because of a collaboration with another climbing YouTuber, a raffle was organized on the site and the prize pool contained different merchandise discount codes, a free shipping code, and most valuable of all, a 500$ gift card. You’d only need to input your name and email, and spin the wheel of fortune.

Making a Crypto Challenge

September 30, 2023 - 5 mins read

Planning I was asked by a friend to make a cryptography CTF challenge for her partner, who’s an entusiastic CTF player, as an anniversary present. I know that he’s not an expert in crypto, so I had to keep it simple. Good thing I’m also not that versed in the subject. The flag in the challenge was supposed to be a plane ticket for a vacation. My initial thoughts were: