Like any other hacker con there are good and bad things, so I will jump right into the interesting stuff. The start of the conference was a little slow and took less of an attacker-focused approach, which is the one I prefer. In any event, around mid-afternoon there was a talk called “Wipe the Drive!!! Techniques for Malware Persistence”. Mark Baggett and Jake Williams discussed some amazing techniques used by attackers, things that even memory forensics doesn’t catch. They were discussing persistence tactics like:

  1. You remove malware and later your computer scans for a wireless access point as part of normal activity, and that scan releases the malware again.
  2. You remove malware and later you plug in a standard clean USB key. At this point the trigger of the key being plugged in releases the malware and infects the system.

Their bottom line for the talk was that wiping the drive is the only safe way to reliably remove malware, and that thinking otherwise might be foolish.

Day 2 and More

On the second day I ended up attending a few different sessions. There was a talk on running a CTF that went through some of the tactics but mostly explained the amount of time it takes to set up and run a CTF. Several of the other talks I went to were less than technical in my opinion, and I felt everything could be Googled in about the same time I spent in the presentation. There was one exception: Carson Zimmerman packed the room (seriously, no sitting space) with his talk on “Ten Strategies of World Class Computer Security Incident Response Team”. I came in late, but what I saw was good.

Other activities at the Con were always entertaining. The Lockpick Village always provides a good time filler in between sessions. I enjoyed spending some time handing out a few Hackers&Agents card decks to kids. Also, there was plenty of hacker and security talk in the evenings at the hotel bar. Otherwise, if you like games there were some contests on the Xbox, or I would suggest testing your skills by taking a stab at Shmooganography. If you get a chance and get into the 2014 conference it’s worth at least taking a look. Below is a preview of the 2013 contest.

Again overall a good Con, but I think some of the talks need to be more technical and in-depth next year.


Over the past three weeks an ongoing LinkedIn thread titled “Shall we trust our employees or not?” has continued to be a hot topic of debate. There simply appears to be no agreement among the contributors. Trust is relative. You can always trust an employee or an organization; the key is to what extent. You can also always trust that particular characteristics or actions will be repeated by each entity. For example, some employees will always keep a secret while others will always tell at least one other person. Therefore, you can trust one person to keep a secret and you can also trust the other person to tell your secret. Simply put, it’s a matter of behavior and action over time that should be used to build the trust model.

When referring to trust among organizations, Section 2.6.1, Establishing Trust Among Organizations, in NIST SP800-39 provides the best explanation:

Parties enter into trust relationships based on mission and business needs. Trust among parties typically exists along a continuum with varying degrees of trust achieved based on a number of factors. Organizations can still share information and obtain information technology services even if their trust relationship falls short of complete trust. The degree of trust required for organizations to establish partnerships can vary widely based on many factors including the organizations involved and the specifics of the situation (e.g., the missions, goals, and objectives of the potential partners, the criticality/sensitivity of activities involved in the partnership, the risk tolerance of the organizations participating in the partnership, and the historical relationship among the participants). Finally, the degree of trust among entities is not a static quality but can vary over time as circumstances change.


What to buy and why?  What pick set is required?

Before you start lockpicking, what type of set and locks should you get? Is an 18-pick set or an 8-pick set better? After traveling to several different Lockpick Villages and researching different types of locks, there are a few things to understand.

I recently co-wrote a blog post on this topic, Getting Started with Lockpicking, which was posted on Open Security Research.

Check it out!

Almost one week after the Hurricane Sandy disaster, this is the scene within at least a 50-mile radius north of Manhattan. New Jersey, which was hit harder, is probably much worse, considering gas rationing is now in effect.

December 2007 Posting

On December 19th, 2007, InfoSecAlways posted a blog article on Disaster Recovery Alternate Site Distances. That posting cited the recommended distance when preparing for a hurricane. The external study suggested an 85-mile radius. InfoSecAlways suggested increasing that distance to 210 miles. If Sandy was only a Category 1 hurricane and the Tri-state area is affected as far north as Bridgeport, CT, then the 85-mile radius is absolutely not acceptable. Even gas is hard to get within that 85-mile radius.

One item that was not discussed in the previous blog article was gasoline. For the past 4 days now this is the same picture everywhere at least 50 miles north of Manhattan. This station in particular has had a gas tanker delivery every day for the past 3 days. Each night the station runs out of gas late in the evening. In New Jersey and Staten Island there are stories about gas being siphoned from tanks and generators being stolen. The situation appears to get worse daily and the lines even longer.

A gasoline crisis affects both individuals and corporations. Employees will not show up to work out of fear of theft or of running out of gas. This is especially true if they have power issues that require a generator. Individuals will be forced to deal with personal matters, and work becomes secondary. If a business operates as a supply chain, taxi, or delivery organization that depends on transportation, it may find it very difficult to operate due to lack of gas or increased traffic resulting from the lines.

What to do?

Unfortunately, gas is an absolute requirement for both individuals and corporations to operate effectively. Individuals should know several things that can help in the event of a disaster.

Siphoning gas is difficult on most new cars. These cars contain a siphon screen that prevents hoses from going into the tank. In dire situations, removing the fuel filter allows access to the gas. Remember that lawn mowers and other household items may have gas if needed.

Generators and gas tanks will get stolen. Staying in a disaster zone is not recommended, even within a few days after the disaster. Wait at the alternate location for several days until power is restored, supply chains can provide food, and any other immediate crisis has been resolved.

On the other hand, corporations will need to provide an alternate means of connectivity for office and technology-based jobs. Use a good mobile provider that can bring a generator to the corporate office or enable the business to connect at a remote location. Organizations like Agility Recovery are experts at providing these services and other mobile solutions.

Corporations that require gasoline to operate the business should have conducted the proper analysis and considered the supply of gasoline a mission-critical process. As a result, these businesses must purchase a series of large tanks and should consider owning their own gas stations with backup supply chains in place. These gas supply tanks and stations must be protected with the proper physical security mechanisms, such as anti-siphon devices on tanks and secure fencing perimeters around the gas stations.

Recommended Distance

Gas is a critical resource, and the effects during a hurricane can be substantial since it is required for heat, food, transportation, and much more. Based on Hurricane Sandy, the distance required to provide a solid gasoline supply chain is around a 100-mile radius from the center point of the storm. Both employees and corporations need to consider the type of disaster and its radius. The radius should be considered for all resources and the supply chain for those resources. Otherwise things may come to a halt when there is no gas left to buy at the station.


My first time at Pumpcon, and it was quite educational and fun. Nothing like being with a small group of smart people drinking and talking about computers. Considering this is an invite-only group, I have to thank the speaker that allowed me to come along. Overall there were two talks that really got my attention. These were from the two Brads. There was another presentation also by Travis Goodspeed.

The First Brad

This was an entertaining and informative talk on Blu-ray hacking. It appears most new Samsung devices all use the same underlying OS. This includes the TVs. Brad went into good detail about how he soldered wires to the different debug connectors on the board to monitor the electrical signals with a volt meter and logic analyzer. He took us through his epic adventure of being denied console access through just about every approach. Eventually all this research led him to an approach where he was able to set up a telnet listener and obtain console root access to the device. I’m sure there will be a blog with more detail on this eventually at Open Security Research. For now, one of the biggest nuggets of information he supplied was to check out SamyGo before doing any Samsung hacking.

The Second Brad

The BACnet Attack Framework talk was interesting. This goes a little outside the realm of this blog’s core topic of information security, but it’s very important because of the significance of ICS and SCADA equipment. Brad went through some discussion about BACnet listening and pointed out that a good portion of the devices he is studying all talk over UDP. Based on my understanding, it appears many of the issues he is discussing really could be mitigated with unidirectional firewalls or other known protection mechanisms.

What Else?

The rest of the Con was spent drinking and talking about sexual harassment images in presentations. It was about whether or not certain images should be shown at conferences now that more and more women are attending. I think eventually the best response to this was “let’s just end this discussion and talk about computer shit”.

Who are you? Where are you? What are your habits? It’s no secret these days that your entire life is tracked one way or another, especially if you live in the US. Your bank knows how much you pay for electricity, what foods you eat, and where you buy gas. The search engines and social media sites know what you are looking for, what you like, and what your friends like. And if you were not aware, those photos posted all over the internet provide detail about where you were at a particular time.

Forensic analysis of logs and metadata provides both the authorities and criminals with everything they need to know. Look at the CBS local news article from earlier this year that is linked below. It explains how a suspected member of Anonymous sent a photo to the FBI, which ultimately led to an arrest.

What about your kid’s photos?  Look at this example posted by the FBI in 2011.

Masquerading IP addresses, eliminating log traces, scrubbing tags, and hiding metadata are all key skills every hacker or concerned parent must understand. These skills are not new to those in the hacker community; EXIF news postings have been around for years. However, with all the new avenues of media and mobile devices, anyone can be caught off guard. Therefore, be cautious about leaving unknown tracks, and understand what your kids may be posting online.

In terms of EXIF, there are tools such as Pixelgarde that can change or remove geotags on your Android and iOS devices.

Also, most mobile phones have features to disable GPS tracking, but sometimes those same features are also what is used to track a stolen device.
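To make the geotag point concrete, here is an added example (my own code, not from the original post, from Pixelgarde, or from any other tool named here) that shows where the location actually lives inside a JPEG and one reliable way to remove it. A JPEG is a sequence of marker segments; the camera stores Exif metadata in an APP1 segment that wraps a small TIFF structure, and inside that, a GPS sub-IFD holds latitude and longitude as degree/minute/second rationals. The code below walks the segments, parses the GPS IFD using only the standard library, and then strips the entire Exif APP1 segment, which is the simplest way to be certain no location data survives. The sample JPEG skeleton, its segment layout and the coordinates in it are constructed for the example and are not real photo data.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"   # APP1 payload prefix that marks an Exif block
TAG_GPS_IFD = 0x8825            # IFD0 entry pointing at the GPS sub-IFD
# TIFF field types -> byte size (BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED, SLONG, SRATIONAL)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment between SOI and SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:      # SOS: entropy-coded image data follows, stop walking
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, offset, e):
    """Parse one TIFF IFD into {tag: (type, count, raw_value_bytes)}; e is '<' or '>'."""
    count = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        if base + 12 > len(tiff):
            raise ValueError("truncated IFD")
        tag, typ, n = struct.unpack(e + "HHI", tiff[base:base + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:           # value fits inline in the 4-byte value field
            raw = tiff[base + 8:base + 8 + size]
        else:                   # value field holds an offset into the TIFF block
            off = struct.unpack(e + "I", tiff[base + 8:base + 12])[0]
            raw = tiff[off:off + size]
        entries[tag] = (typ, n, raw)
    return entries


def _dms_to_decimal(raw, ref, e):
    """Three RATIONALs (deg, min, sec) plus an N/S/E/W ref -> signed decimal degrees."""
    parts = []
    for i in range(3):
        num, den = struct.unpack(e + "II", raw[8 * i:8 * i + 8])
        parts.append(num / den if den else 0.0)
    d, m, s = parts
    dec = d + m / 60 + s / 3600
    return -dec if ref in ("S", "W") else dec


def find_gps(data):
    """Return (lat, lon) from the Exif GPS IFD, or None if the JPEG carries no geotag."""
    for marker, start, end in iter_segments(data):
        if marker != 0xE1 or data[start + 4:start + 10] != EXIF_HEADER:
            continue
        tiff = data[start + 10:end]
        e = "<" if tiff[:2] == b"II" else ">"      # byte order from the TIFF header
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2][:4])[0], e)
        if not all(t in gps for t in (0x0001, 0x0002, 0x0003, 0x0004)):
            return None
        lat = _dms_to_decimal(gps[0x0002][2], gps[0x0001][2][:1].decode(), e)
        lon = _dms_to_decimal(gps[0x0004][2], gps[0x0003][2][:1].decode(), e)
        return (round(lat, 6), round(lon, 6))
    return None


def strip_exif(data):
    """Copy the JPEG without its Exif APP1 segment(s); the image data is untouched."""
    out = bytearray()
    last = 0
    for marker, start, end in iter_segments(data):
        if marker == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER:
            out += data[last:start]   # keep everything before the Exif segment
            last = end                # and skip the segment itself
    out += data[last:]
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: a tiny JPEG skeleton (SOI, APP0, Exif APP1, SOS, EOI) with a GPS IFD.
    Layout inside the TIFF block: header 0-8, IFD0 at 8, GPS IFD at 26, lat rationals at 80, lon at 104."""
    e = "<"   # little-endian ("II") TIFF, as most cameras write it

    def rationals(dms):
        return b"".join(struct.pack(e + "II", v, 1) for v in dms)

    ifd0 = struct.pack(e + "H", 1) + struct.pack(e + "HHII", TAG_GPS_IFD, 4, 1, 26) + struct.pack(e + "I", 0)
    gps = struct.pack(e + "H", 4)
    gps += struct.pack(e + "HHI", 0x0001, 2, 2) + lat_ref.encode() + b"\x00\x00\x00"
    gps += struct.pack(e + "HHII", 0x0002, 5, 3, 80)
    gps += struct.pack(e + "HHI", 0x0003, 2, 2) + lon_ref.encode() + b"\x00\x00\x00"
    gps += struct.pack(e + "HHII", 0x0004, 5, 3, 104)
    gps += struct.pack(e + "I", 0)
    tiff = b"II" + struct.pack(e + "HI", 42, 8) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)

    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + seg(0xE0, app0) + seg(0xE1, EXIF_HEADER + tiff) + seg(0xDA, sos) + b"\x12\x34\x56" + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg((40, 42, 46), "N", (74, 0, 21), "W")   # constructed coordinates
    print("before strip:", find_gps(photo))
    print("after strip: ", find_gps(strip_exif(photo)))
```

Two points worth keeping in mind when using this on real files. First, dropping the whole APP1 segment also discards the orientation flag and embedded thumbnail, which is usually the right trade for a photo that is about to be posted publicly; a thumbnail in particular can still contain the original, uncropped image. Second, this only handles Exif; XMP metadata, which also rides in an APP1 segment but with a different header, is left untouched here, so check for it as well before trusting a file to be clean.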

Hacker Shirt Design

Posted: September 27, 2012 in Hackers&Agents

Need some cool gifts for the holidays?  Check out the Hacker shirt design.

Hacker Shirt

Is this something you would like to see available for purchase before the end of the year?

If so, please go to the Hackers&Agents Facebook page and like it. I’m going to have several shirts made up based on the number of likes.

In my last post I was trying to see if someone had examples mapped to the book “The Psychology of Persuasion”. It appears I jumped in too quickly with my first article, because after a few hours of research on the topic I came across the social engineering framework.

This site does not really have a lot of examples but there are several sections like the “Influence Others” that directly map to the book framework.  There is still a good deal of expansion that can be done on this subject so I’m glad the community has a solid foundation they are using for a framework.

What is it that allows someone to be manipulated into giving you something?

At the Brain Tank conference the other weekend I watched a presentation called “Evolutionary Bias in Social Engineering: An Anthropologist’s Perspective”. Unfortunately this wasn’t what I was expecting. Randy, the presenter, spent a large amount of time explaining that ultimately humans all strive for one thing: sex. Interesting enough, but after 20 minutes I got the point and still hadn’t heard anything about social engineering anyone into having sex. Near the end he started to get into more interesting content. He put 5 words on the table about persuasion, which is basically why social engineering works. Unfortunately it was just a perspective talk and didn’t really go into social engineering detail. In any event, those 5 words were very similar to some I had read in a book previously.

The Book

In management you tend to read many books.  One I read several years ago was called “Influence: The Psychology of Persuasion”.   A great read on why people say yes and how to defend yourself against a persuasive person.

Those 5 words in Randy’s presentation mapped almost directly to the fundamental principles in this book.


From the book!

  1. Consistency
  2. Reciprocation
  3. Social Proof
  4. Authority
  5. Liking
  6. Scarcity

Unfortunately he didn’t give social engineering examples for each of the 5 topics, which would have been great. I mean, that would really be a good presentation.

We all know “Liking” works great. If you just make friends with someone during smoke breaks or say hi to the security guard, that person will always let you do or get more than you should.

Reciprocation also works great for phone calls as a phased social engineering tactic. Call up someone acting as a vendor or part of IT and offer to fix their computer. If they have a problem, try to figure it out and fix it. Call back a few days later and they will help you and provide information.

In any case I would love to hear if anyone has done any further analysis related to influence and social engineering as explained above.

The first annual Brain Tank conference – Small but effective!

There are good and bad things about small Hacker cons.  The good was that you have time to talk and figure things out with other people much more effectively than some of the larger conferences.  The bad is that larger conferences tend to have many items for purchase to help you improve your skills.  These items were not available at the Brain Tank con.  Overall the mix between Hacker/Maker proved interesting and informative for the presentations that I watched.  It was also good for those of us looking to get in more experience in the Lockpick Village hosted by Toool.  However, if you were looking for additional picks or tension wrenches this was not the place.

Overall the event had about 150 people and was a good time helping gain more experience.  This event surely will grow over time and eventually have to relocate to a bigger space than that provided by