2018
05.16

Have you ever wanted to know how to get a job as a hacker? I get asked this all the time and I’m happy to help.

Yesterday I got up really early (4.30am New York time) to give an interview/presentation with Shubs at Hackers Helping Hackers (H3) to help the next generation of security professionals land their first job.

H3 have rapidly garnered a reputation in Australia as an infosec charity and I’m happy to help out with their webinar series.

2017
09.26

Cyber-Baddie and the golden mask episode 3

In part 3, Cyber-baddie takes us on a reconnaissance mission to the museum. It is here that he first stands before the golden mask.

Although Cyber-baddie is a fully fledged cyber-criminal, his toolkit for this mission is made up of what any tourist might carry: just an iPhone and a Nikon camera.

Actually it’s not just a Nikon camera. It is the Nikon P900, famous for its superzoom, in a regular camera casing at an affordable price. The lens is powerful enough to see the moon moving while standing on earth. This enables a casual photographer to rival a paparazzi’s telephoto lens.

Photography and reconnaissance have a long and interesting history that I will avoid discussing. However, readers might recall that in 2014, Starbug from the German Chaos Computer Club photographed a high resolution fingerprint of the German defence minister, to raise awareness about the risks of biometric security. This is interesting but not something that Cyber-baddie is planning to use in the upcoming episodes.

This episode features security aspects of keys, velvet ropes, motion detectors, alarm keypads, and Wi-Fi networks. These areas are introduced but not yet explored in any depth.

The alarm panel is branded Sweetwell, a fictional brand that makes inferior copies of Honeywell products. The alarm keypad is missing the protective coating on its silicone rubber keys, which over time leads to the appearance of a “wear pattern”. This coating is referred to by the alarm industry as abrasion resistance.

Astute readers with suspiciously cunning minds may be able to guess how Cyber-baddie will exploit the knowledge gained from these photos in the next instalment.

2017
03.21

Cyber-Baddie and the golden mask episode 2

The second installment of Cyber-Baddie and the Golden Mask introduces the practice of open-source intelligence gathering, also called OSINT. OSINT is gathering information from publicly available sources. Unlike other types of intelligence gathering, which conjure up images of cold war spies peeking over newspapers, OSINT is easy, unrestricted, and is commonly practised by journalists and businesses.

Before the web, OSINT mainly consisted of searching for information in traditional media. This included TV and radio broadcasts, newspaper articles, newsletters, books, academic publications, government publications, and even company brochures. In a pre-Internet story, Cyber-baddie would be off to the library for research, then visit the city archives to get floor plans. Now information sources for OSINT are mostly online.

Cyber-Baddie’s first step towards stealing the golden mask is to perform rudimentary OSINT. This involves finding information about the museum and its staff online. A series of panels show him browsing the web with Google search, the museum’s website, Wikipedia, Google Earth, Google Maps, Twitter, LinkedIn, Facebook, and finally the museum newsletter.

A few hours of searching informs Cyber-baddie of the physical layout of the museum grounds and the staff who work there. This includes a layout of the building and grounds, maps of surrounding roads, names of staff, their roles, and even personal details about what staff “like” on Facebook. My intention is not to accurately represent an exhaustive OSINT methodology, but instead to show how accessible and effective this can be. OSINT can be a non-technical way to gather information that can be performed by anyone.

Creating this episode was more complicated than anticipated. I needed a convincing aerial image of the museum with Google Earth. To do this, I needed to find a real museum that resembled the museum drawing from the first episode. After searching photos of museums around the world, I discovered Yorkshire Museum in York, England. Opened in 1830, and designed in the Greek Revival architectural style, it had the four Doric columns I was looking for. The match was so close that I suspect the original graphic from Pixton was based on the Yorkshire Museum.

If I chose to use Yorkshire museum as a stage, the story would be firmly planted in the United Kingdom, with all the inherent continuity restrictions. After careful consideration, I decided not to set the story at the Yorkshire museum stage, and instead to use an unnamed museum that is nominally set in North America.

I included two seemingly innocuous details. One is a simple privacy hack that was made famous by Mark Zuckerberg. Another is a nod to an unsolved crime. Hanging on Cyber-Baddie’s wall is the missing Vincent Van Gogh painting, Poppy Flowers. This painting has a value of about $50 million and hasn’t been seen since it was stolen from Cairo’s Mohamed Mahmoud Khalil Museum in 2010.

2017
03.13

Cyber-baddie and the golden mask episode 1

While travelling through India this last December with my wife, I carried a notebook in my day bag. I found it in the gift-shop of Gandhi’s historical home in Ahmedabad. The pages are yellow just like a legal pad. Yellow pages are said to stimulate the intellect and contrast well with black ink while avoiding glare, but that may just be hogwash. Regardless, I was feeling inspired. While travelling by car, I jotted down at least a dozen story concepts about cyber security. To begin with, the story concepts were all related to questions I had recently fielded from conversations with non-technical people. Mostly young people in their twenties, they wanted to know all about how Facebook accounts are stolen, how celebrity photo leaks occur, and how they can secure their phones. I found myself repeating my answers, and repeatedly describing the distinctions between hacking someone’s phone, hacking someone’s iCloud account, and hacking iCloud itself.

Why should I tackle this with a comic? There are many books about computer security but no one seems to be reading them. An oft-cited statistic, “One third of high school graduates never read another book for the rest of their lives”, is from a 2003 survey by The Jenkins Group. They also say “42 percent of college graduates never read another book after college”. These stats might not be accurate, but we already know which way the wind is blowing. Making a comic sounded like fun and people might actually read it too!

People learn from stories. Our TV, movies, and games have for the most part been filled with cyber security falsehoods. Cyber security plot devices are popular, but without technically accurate portrayal, people are left confused and unable to navigate technology securely. Stories help people form mental models, and almost all the stories about cyber security have been wrong.

There are some exceptions. Mr. Robot is a popular TV series, where producers collaborated with industry experts to ensure technical accuracy. This led to a show that both normal people and security experts could enjoy. While the technical details were accurate, this accuracy does not extend to the fanciful storyline or character psychology. These elements reflect the socio-technical nightmares of our collective subconscious more than the equally terrifying but banal insecure reality we inhabit. Mr. Robot may be holding up a mirror to our reality, but it’s a cracked mirror showing a distorted view.

My primary goal is to imbue the reader with security concepts. Although the reader may not come away having waded in any technical depth, they may come away with a security mindset. If they look a little more critically at the world around them then I will have succeeded. I haven’t restricted myself to purely technical security applied to computers, networks, and phones. Cyber security bleeds further into our physical reality every year, and so I have decided to set the majority of this story in the offline world.

Episode one introduces our anti-hero and he immediately begins to plan a museum heist. The use of this well-trodden trope relies on associated concepts that make the story writing simpler, enabling me to focus on security education. This episode introduces the reader to infrared light, as used for night vision. The concept of rekeying locks is also mentioned, but I am leaving a further explanation of how locks work for later.

Our protagonist is an anti-hero and a cyber criminal. He is named “Cyber-baddie” as an homage to the two-dimensional duality of comic book heroes and villains. He wears a mask at all times, both as a visual gag and as a reference to stock photos of cyber criminals. However, with a mask, he is unable to express the full range of emotion. This was unintentional and I’m as yet undecided on whether this was a mistake.

I want to keep readers entertained while avoiding technical jargon or too many numbers. Stephen Hawking was once told by his publisher that sales would halve for each equation included in ‘A Brief History of Time’, the book that made physics accessible to everyone. I kept this in mind when deciding that the size of the waves of different colours of light didn’t need to be included in the electromagnetic spectrum graphic. Knowing that 550 nanometres is green doesn’t mean anything tangible to the reader. In fact, the term “Electromagnetic Spectrum” is exactly the kind of jargon I want to avoid.

Although I rail against over-simplification at the end of the first episode, I had to work hard to decide what to simplify, and how to simplify without losing important details. I had more difficulty with what to leave out than with finding content to include. The history of infrared and night vision includes Nazis with heavy night vision backpacks code-named “Vampir”. This is very cool but I couldn’t easily include it in this story, at least not in this episode.

Check back later for the next episode which will introduce the Nikon Coolpix P900. I haven’t committed to any schedule for this project, I’m just having some fun. By the way, this comic was made using Pixton. It’s one of those great platforms that gives 80% of the result for 20% of the effort. The graphic of the surveillance camera is from Aha-Soft.com and gratefully used with permission.

2016
11.05

Here is the presentation everyone has been asking me for. “Getting hired as a pentester” gives students practical steps to bridge the vast, cavernous gap between formal education and penetration testing in a professional security consulting role.

I gave this presentation at the sold out Cyber Security Career Kick Start #CyberSecKickStart event at RMIT University. Thanks to Ricki Burke and Rebecca Kingsford for hosting this.

Read or download the slide deck for Getting hired in a penetration testing role here.

It was an honour to be speaking alongside such industry luminaries. The line up was Craig Horne, Abbas Kudrati, Craig Searle, Andrew Horton (myself), and Nathaniel Wakelam.

2016
06.11

Take a look at the new Vulnerability Search. It is a Google Custom Search configured to search over 20 of the top vulnerability, advisory, and exploit databases. This was setup to save time when penetration testing and offers an alternative to separately searching Exploit-DB, CVE Details, etc.

It is configured to search:
CVE Details, Exploit-DB, CERT, MITRE, NIST, SecurityFocus, ExploitHub, PacketStorm, Secunia, Defcon, Blackhat, SecurityTube, Rapid7, Metasploit, WPVulnDB, osvdb.info, LWN vulnerabilities (Linux Weekly News), SensioLabs, Tenable (Nessus), Varutra MVD (Mobile Vulnerability Database), and VulnerabilityCenter.

Tips on Searching for Known Vulnerabilities

The process of finding known vulnerabilities typically involves identifying services, identifying the technologies in use, then searching for known issues. Identifying the complete tech-stack is not always easy.

This search engine will help as a first step and beyond that the following tips will help.

  • Check CVE Details and test vulnerabilities that are listed for different versions.
  • Search ChangeLogs for security references.
  • Look for silent patching. Search ChangeLogs for obscure descriptions of fixes, such as “input validation” or any change to SQL queries.
  • Note that not all known issues are assigned a CVE.
  • Note that not all known issues have been patched.
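The changelog tips above can be partly automated. The following is an added example (not part of this post or the Vulnerability Search) that scans a changelog for explicit security references and for the vaguer “silent patch” wording the tips describe, so a tester knows which releases deserve a closer look; the keyword heuristics, the version-header format and the sample changelog are all assumptions constructed for this example.

```python
import re

# Heuristics (assumptions for this example) for changelog wording that often
# hides a security fix: the "silent patching" the tips above describe.
SILENT_PATCH_HINTS = {
    "input validation": re.compile(r"\bvalidat(e|ed|ion|ing)\b", re.I),
    "sanitising/escaping": re.compile(r"\b(sanitis|sanitiz|escap)\w*", re.I),
    "SQL query change": re.compile(r"\b(sql|quer(y|ies)|prepared statements?)\b", re.I),
    "memory handling": re.compile(r"\b(overflow|bounds|off-by-one)\b", re.I),
}
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
EXPLICIT_RE = re.compile(r"\b(security|vulnerab|exploit|advisory)", re.I)
VERSION_RE = re.compile(r"^(?:version\s+|v)?(\d+\.\d+(?:\.\d+)?)\s*$", re.I)

def scan_changelog(text):
    """Return one dict per changelog entry worth a manual look: kind is
    'explicit' (names a CVE or says security) or 'silent' (only matches a hint)."""
    version, findings = "unknown", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VERSION_RE.match(line)
        if m:                      # a release header such as "Version 2.4.1"
            version = m.group(1)
            continue
        entry = line.lstrip("-* ")  # drop the bullet marker
        cves = CVE_RE.findall(entry)
        if cves or EXPLICIT_RE.search(entry):
            findings.append({"version": version, "kind": "explicit",
                             "cves": cves, "line": entry})
            continue
        hints = [n for n, rx in SILENT_PATCH_HINTS.items() if rx.search(entry)]
        if hints:
            findings.append({"version": version, "kind": "silent",
                             "hints": hints, "line": entry})
    return findings

# Constructed sample changelog; the CVE id is a placeholder, not a real one.
SAMPLE_CHANGELOG = """\
Version 2.4.1
- Fix CVE-0000-0001 (placeholder id): authentication bypass in login handler
- Improved input validation on the search form

Version 2.4.0
- Reworked the user listing query to use prepared statements
- New dark theme
- Fixed off-by-one in image resizer
"""
```

Running `scan_changelog(SAMPLE_CHANGELOG)` flags one explicit fix in 2.4.1 and three silent candidates (the validation change, the query rework and the off-by-one fix), each of which the tips say to test against the versions on either side.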

Penetration Testing vs Vulnerability Assessment

Some people say that an automated Vulnerability Assessment (VA) is the search for known vulnerabilities, whereas penetration testing is the search for unknown vulnerabilities. This paradigm is superficially true but naive because it ignores vulnerabilities that are known but not detected.

Reasons for vulnerabilities being “known but not detected” include:

  • No one has written a VA plugin to detect the vulnerability yet.
  • The vulnerability is difficult to detect in an automated way.
  • Vulnerabilities without a CVE are more often overlooked.
  • The vulnerability was published before full coverage in modern VA scanners.
  • The vulnerability is considered more of a configuration issue than a vulnerability.

Instead, a vulnerability assessment is the search for known vulnerabilities that are well documented, while penetration testing includes the search for known vulnerabilities beyond what a VA can offer.

2016
06.11

I have just added the following security blogs to the Security News page.

  • Kaspersky Lab’s Blog
  • Errata Security’s Blog
  • Juniper Network’s Blog

Kaspersky should be familiar to all and are possibly the best anti-virus company. Errata Security continually gets mentioned in the Security Bloggers Network and has a good mix of entertaining and educational material. Juniper Networks, the long-time eater of Cisco’s lunch, is also putting out some high quality material.

If your favourite security news source isn’t included, just contact me and I’ll consider it.

2012
04.03

I have barely used this blog at all and it’s time for some updates. Let me know if you actually read this blog…

Since January I have been living in Melbourne, Australia and working as a security consultant for Stratsec. I’m keen to hear from other infosec people in the area. Before that I was in Wellington, working for Security-Assessment.com, New Zealand’s coolest IT security consultancy.

So what’s new? Late last year I did a couple of presentations at Kiwicon V. The presentations are:

1) Abode Vulnerabilities. Learn how to bring hardware hacking closer to home by hacking New Zealand’s most popular garage doors. This project is powered by the Arduino, the open-source hardware platform that makes electronics more accessible.

2) Decrypting the Cloud. This is a cautionary tale about failed opsec, weak crypto and misplaced trust in the cloud. Take a guided tour through a treasure trove of cracked ciphertext booty including CCs, SQLis, 0days, password dumps, and more.

I haven’t published anything on this website about these projects yet. I’m considering making a page for the Arduino garage door hacking if there’s sufficient interest.

2011
04.18
 _______ _____ _____                       __
|     __|   __|   __|.-----..-----..-----.|  |.-----..-----..----..---.-..-----.
|    |  |  |  |  |  ||  _  ||  _  ||  _  ||  ||  -__||__ --||  __||  _  ||     |
|_______|_____|_____||_____||_____||___  ||__||_____||_____||____||___._||__|__|
   G-G-Googlescan vo.4 (o4/2o1o)   |_____|          by urbanadventurer
------------.-------------------------------------------------------------------

Google scraper for automated searching. Returns URLs and hostnames

Homepage http://www.morningstarsecurity.com/research/gggooglescan
Download http://www.morningstarsecurity.com/downloads/gggooglescan-0.4.tar.gz
Version o.4, 18th April 2011
License GPLv3
Author urbanadventurer aka Andrew Horton from Security-Assessment.com

| Contents

2010
04.27

It’s time for the Christchurch ISIG (Information Security Interest Group) meeting again.

When: 6.45pm, Thursday the 29th of April (The last Thursday of the month)

Where: Upstairs in the couch area at the Canterbury Innovation Incubator, 200 Armagh St. The doors to the Canterbury Innovation Incubator will be locked. Press the doorbell inside the open roller doors or TXT 0272 646 959 for entry.

Speaker: Caleb Anderson will be presenting on social network security issues.

Sponsor: Nick FitzGerald of Computer Virus Consulting is sponsoring this month’s beer.

As usual, it’s a casual beer-friendly event.

For more information and the mailing list see NZISIG.