Full Report
Last month saw the inaugural SensePost hackathon happen in our new offices in Brooklyn, South Africa. It was the first time the entire company would be in the same room, let alone the same continent, together and away from the pressures of daily work constraints. The idea was simple: weeks before the date, we sent out emails to everyone in the company (not just the tech teams but everyone) asking them to think about ideas, tools, approaches or new business lines that they felt would make us even better at what we did.
Analysis Summary
# Main Topic
SensePost's inaugural company hackathon held in Brooklyn, South Africa, focused on generating new ideas, tools, approaches, and business lines to improve company operations and capabilities. **Note:** This report details internal innovation projects and security research conducted during the event, not a traditional external threat intelligence summary involving threat actors or compromises.
## Key Points
- The event brought the entire company together for 48 hours to foster innovation outside daily work constraints.
- Ideas solicited covered internal process streamlining, custom tooling development, security research, and corporate social responsibility.
- A key outcome was validating that non-technical staff can generate valuable, meaningful technical and business ideas.
- Several projects moved into development post-event, signaling a commitment to implementing the outcomes.
## Threat Actors
- Not applicable. The content describes internal company innovation projects and security research activities, not external threat actors or campaigns.
## TTPs
The report details several internal development and research activities, framed as security projects:
- **Magstripe Hacking/Analysis:** Attempting to read, clone, and exploit weaknesses in office parking access control magstripes. Researchers noted unusual track arrangements potentially causing reading interference.
- **AV VirusTotal Project:** Developing an internal simulation to test custom payloads against multiple public anti-virus (AV) engines simultaneously, bypassing direct submission to VirusTotal.
- **SensePost SMS Gateway App Development:** Implementing SMS functionality using the Kannel interface with a GSM dongle on an Ubuntu server, and creating a web API for internal OTP delivery and client password transmission.
## Affected Systems
The projects focused on testing/developing solutions for:
- Internal expense, travel, and leave processes (SensePost World App).
- Internal communication infrastructure (IRC Bot for Twitter clone integration, SMS, location tracking via XMPP/Gtalk/Skype).
- Physical security access control (Magstripe reader implementation for parking).
- Endpoint security platforms (Testing custom payloads against AV engines).
## Mitigations
Mitigations described are primarily focused on internal process improvement or defensive architecture for the developed solutions:
- **SMS Gateway Security:** Planned use of SMS for OTP passwords via a central number, suggesting a potential multi-factor authentication improvement internally or for clients.
- **Code Visibility:** Development occurred openly during the hackathon, suggesting internal peer review, though formal mitigation steps are not detailed.
## Conclusion
The SensePost Hackathon served as a successful internal vehicle for driving innovation across technical and non-technical domains. While one project involved direct security research into magstripe technologies and AV detection testing, the report serves as an insight into internal corporate development rather than summarizing an external cyber threat. The resulting innovations are expected to positively impact SensePost's internal operations and offensive security approaches.