Free: You get what you pay for!

I was traveling this past week and being the security nerd I am noticed this screen from across the room.

Above it was a sign that said, "Free Internet- Print your boarding pass for FREE!"

The infected computer was in a hotel lobby.  People were using it printing their traveling documents.

This got me thinking (a dangerous pastime)...

  • If you wanted to "upgrade" you seat or prepay a bag, you entered your credit card number.
  • If you looked up via your FF# you entered a password (and use the same password everywhere.)
  • Some print their email which has their travel documents stored safely in their inbox (which is where they email your password when your forget it at your banks website)
  • At the very least, now an attacker can pivot through this machine and wreck havoc on the internal (and wireless) network.  MiTM attacks galore.
  • This PC was in an unsecured area where anyone could walk up to it (or walk away with it).  The people at the front desk did not have a visual on it.


Oh yah, this PC was also in downtown Washington DC! 


Ubertooth in a VM on a Win7x64 host

All of us with a first round Ubertooth One learned quickly that if you want to play with it, you need to boot directly into BT5 or use OSX (which was what most of the development occurred on.)

If you tried to use your Ubertooth inside a VM on a Windows host, you went for a ride on the fail bus.

The issue was in the firmware, bluetooth_rxtx in the r238 release.  There was a line that was commented out.

I flashed my Ubertooth to r314 after reading the release notes.  I booted up my Windows 64 bit host and launched a BT5 VM using Workstation.  Plugged in my Ubertooth and ......................






Password Patterns 123

My computer has a NVidia Quadro 2000M video card.

I am not a gamer, but I know that one can use a GPU to crack passwords.  I decided to play with oclHashcat.  This is an awesome tool which uses your GPU to crack hashes.  I obtained some hashes online and I loaded up my dictionary and added some rules for mangling and let the cat do its thing.  After a short time, I had quite a large sample set of passwords. 

 Passwords are interesting.  Users are encouraged to use complexity.  Uppercase, Numbers, Special Characters.  Cracking passwords is an interesting science.  Everyone at Derbycon knows my thoughts on password cracking.

User behavior makes password cracking a mix between art and science.  Looking at my list, I noticed a large percentage contain numbers. The research of the ROCKYOU password list  says that numbers were at the end of 64% of the passwords.  This makes sense as we are trained to make "complex" passwords often requiring that digit. 

Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords


Using excel, I created a function that would pull the last character of the password.


I created a table that would count the number of times a character appeared in the list.


Looking for only numbers, I identified the top 3 numbers a password would end with.

3, 4, and 1 found themselves in the top 3.

If your passwords have the following patterns below, you are not being clever.  The password abc123 was #10 in the top 10 passwords from ROCKYOU.




Human beings are creatures of pattern.  Don't let your passwords be.  Choose a really good password and if possible, add 2 factor. 

Just don't select "correcthorsebatterystable" as your password.  It is in my dictionary.





As many of us progress through our career, we are going to have to engage in public speaking. 

For many people, this can be one of the scariest things. 

At this year's Blackhat and DEFCON, there were many speakers I really wanted to hear.  I waited for 1 hour to get into their talk.  About 5 minutes later, I walked out because they were stuttering and saying the word "um" too much.  It was a disapointment. 

There is a solution.  Toastmasters.  Some of us have great ideas but can't communicate them effective or get nervous.  I used to be one of those people.  After being involved in Toastmasters, I overcame my fear of public speaking and filled out some CFP.  When I spoke at Derbycon, I was lucky enough to have a Toastmaster provide awesome feedback and help my further improvement.  That is what Toastmasters is about.  Helping people by shared learning (Kind of like Derbycon!).

Since 1924, more than 4 million people around the world have become more confident speakers and leaders because of their participation in Toastmasters.

Toastmasters International is a world leader in communication and leadership development. Today,  membership is 270,000 strong. These members improve their speaking and leadership skills by attending one of the 13,000 clubs that make up our global network of meeting locations.

Membership in Toastmasters is one of the greatest investments you can make in yourself. At $36 every six months, it is also one of the most cost-effective skill-building tools available anywhere.

You don't have to join to goto a meeting.  I went for 2 months before I joined.  I have been a member for 2 years since.


#DerbyCon Recap

When I first hear about DerbyCon, the tag line was a new type of Con.  It was.  Those who had the pleasure of attending have been singing its praise all weekend.  All the videos and material will be available online (well most of it...hehe) so I am not going to recap that.  I have a recording of the music at Woodstock.  Listening to it on my ipod isn't the experience of being there.  This is my attempt to explain what happened in Louisville over that weekend.  

The #DerbyCon family (and I chose the word family very carefully) took their favorite parts of all of the cons they experienced and put them into one.  The idea of it seems simple.  Keep the good, toss the bad.  The #DerbyCon family hit a home run on this for one simple reason.  They made it a community event.  The result was the embracement by the community.  Everyone was so honored to be a part of this event.  I know I am.  

I want to say thank you to everyone who woke up to join us at 9am on Sunday.  When you see that many people, you get a loss of words.  The irony of this happening before you give a talk is not lost on me.  A big thanks to @coryglenn as well.  For those who missed it, Cory was plucked from the audience for a password cracking demo.  His password was cracked (16 character complex password).  I did catch up with him afterwards to thank him and set him up with a signed copy of the Metasploit: The Pentester's Guide (Dave signed it.  Not me!).  This was his first InfoSec Con.  He has lots of good ideas and I expect to see him as a speaker soon.    

Highlights for me were:  

  • Seeing old friends and making new ones
  • Picking up my badge:  It was fast and easy like Armitage and in the spirit of Fast-Track, it was finished in under 3 minutes.  
  • I didn't have to wait 1 hour for a talk that ended up meh.
  • Day 1 had a pause in it from 4-6.  This was key and I hope it is repeated.  Nap Time!  
  • MS-08-067 birthday party.  This was organized by Mubix and was awesome.  Con + Cake = Win
  • The local hackerspace, LVL1.  If you are in the area, check them out.  They provided southern hospitality at its finest.  They also shared some great ideas for us to take home.  SHAMELESS PLUG: South FL hackers join the broward hackerspace google groups.
  • Late night chicken and impromptu late night snack and learn
  • Missing a talk and finding that person and asking if he would repeat it for me.  (He did)
  • Pubcrawls
  • PwnieExpress
  • Hackers For Charity raising $13617
  • GDE being paged to gate B13

My favorite comment of the weekend is below:  

RT @dookie2000ca: Best part of #DerbyCon was meeting people I've admired for years and being treated like a peer by them.


To say that DerbyCon has challenged my preconceptions about the InfoSec community and the Con Experience is a gross understatement. They have rocked me to my core. This is a community that has truly amazing ideas, second only to the amazing people who are involved.

Most importantly, DerbyCon was fun!  Even though the weather was cold (I am from Florida... it was cold), the people's hearts kept the experience warm.  At several times, I forgot I was at a security conference.  I felt more like a family reunion.  The phrase I heard the most was "Thank You!"  Organizers, Speakers, Attendees; everyone was saying thank you to everyone. 

The crew set out to make DerbyCon a place you can call home.  Be it ever so humble, there is nothing like it.