Archive for May, 2010

Language and Security

Wednesday, May 19th, 2010

Every time I mention using language in security, folks assume I’m talking about social engineering. Social engineering has historically been things like calling the front desk of an organization claiming that you’re, say, a new FedEx delivery driver and you need to be let into their shipping/receiving department, so you ask who you need to talk to for that to happen.

Language can be used for a lot more than simply convincing a part-time employee to let you have more access than you should somewhere – language can be used to full-on exploit “memory corruption” in the mind. The use of the right language is powerful enough to overwrite people’s memories, even if temporarily.

Below I’ve linked some information pertinent to the techniques employed when language is the tool used to achieve things like memory corruption, buffer overflows, execution of arbitrary code – except on people. In particular, pay attention to the cognitive biases – see if you think any of them apply to you :)

Then combine the cognitive biases with things like NLP anchoring and subliminal suggestion and you quickly end up with a recipe for gaining someone’s trust, convincing them to give you access somewhere or to something, or telling you secrets – all without having to don a FedEx uniform and pretend you’re someone else. You can even have someone give you their phone and car keys – willingly.

Language is a very, very powerful tool, and put in the hands of information security professionals (or attackers) it becomes even more weaponized.

Apologies for the videos that won’t embed – if you click through you can view them on their YouTube page.


Cognitive Biases – A Visual Study Guide by the Royal Society of Account Planning


HTC Incredible: A hacker’s (Whitehat) perspective

Monday, May 10th, 2010

I just picked up one of these things. In the 3 days I’ve had it I’ve probably convinced 15 people to move to it from their iPhones, or jump to it as their next phone on Verizon. Expect this to be more or less a hacker’s review.

htc incredible review, Dan Tentler

This is the charted battery usage over approximately 3 days. I learned very quickly that when you go to meetups and parties and pass around a brand new phone that very few people have, everybody wants to try the same stuff on it over and over again – so the thing gets quite a workout and gets handed back to you with 20% battery left.

I’m using this app to monitor the battery and produce the data for the graph. So far it works out well – except when it’s not running it simply doesn’t record data, so the datapoints on the bottom of the chart make the graph look a little interesting. I’ve numbered some interesting behavior on the chart:

  1. I recorded the Lost Abbey brewery tour for ~25 minutes. It consumed approximately 25% of the battery life.
  2. It took 3 hours and 45 minutes to charge from roughly 35% battery life to full.
  3. In 40 minutes of usage I went from 80% battery to roughly 35%.
  4. Leaving the phone overnight to cycle the battery.
  5. Disregard – you can see at the bottom of the chart the time jumps from ~0900 hours to ~1800 hours in one step.
  6. I’d argue ‘standard’ daily usage.
  7. A good solid charge via my MacBook.
  8. More standard usage.

First impressions: This thing is *FAST*. I mean *FAST*. Clocked at 1 GHz, it’s very impressive. My G1 would chug and choke when opening the gallery as it tried to thumbnail all the pictures. I suspect the built-in 8 gig storage may have something to do with its I/O performance, as I’m guessing the onboard flash is going to behave more quickly than an SD card. One of the first things I love thinking about is ‘can this thing run nmap/metasploit/JtR/aircrack/etc’. As far as its ability to do that – I have every confidence that the thing could take the Pepsi challenge should it arise – however, I’ve almost immediately noticed I have to charge this thing 2x a day if I want to use it for any lengthy amount of time. I haven’t actually had it DIE on me yet, but it’ll get down to 20% or so battery before I start fiddling trying to find the charger.

It’s fast, and very, very capable. The camera beats the pants off the G1 camera hands down and this is a very appreciated breath of fresh air after having my G1. Only drawback is that it really does consume a lot of juice. I read in the forums that some users have been able to use batteries from other phones in the Incredible successfully and extend their battery lives that way.

Interested in hacking the thing? We still don’t have root on it. What does having root mean? Tethering, overclocking, the possibility of all the wonderful Linux-based tools we’re used to (nmap, metasploit, etc.) and more.

Here are the forums if you want to throw your hat in the ring to get root and help the community expand the functionality of this phone.