Thinkst Blog

Last month we released an alpha version of cr-gpg . This is a simple Chrome extension to enable gpg functionality in gmail (or Apps for Domains). (If you don't know what gpg is, you should first read this and this .) Installation : You can grab the extension from [ here ] and a double click should install it , after the install is completed you should see the image above if you navigate to chrome://extensions : Options : Once you have installed the plugin, there are 2 required configuration options: 1) Directory with gpg binary 2) Temp folder path (writable by the browser) (cr-gpg simply calls out to the gpg installation on your machine. Option [1] therefore is asking where it can find the gpg executable, and Option [2] is looking for a scratch directory to do its work). (We make some effort to ensure that the temp directory is well maintained). You should be able to click "Use Default" on most installations. The "Encrypt to self" option is fairly self explana...

For the first time in a decade I didn't attend BlackHat USA in Las Vegas. I learned that South Africa in August is much colder than i recalled, but also had the chance to observe the conference from through a twitter-lense. It seemed as if there was more talk about parties, than content so I decided to grab all the tweets i could (#blackhat through the twitter search API) to do some simple grouping*. Whats clear straight off is that my intuition was wrong. Although party talk makes up a significant percent of all tweets, tweets about "talks & training" clearly dominate. (This possibly means that i need to start following a better class of hax0r) A quick explanation of the grouping (which was done pretty coarsely): Talks & Training : Tweets related to a talk (or training session) Misc : (General catch-all for tweets about coffee / *) Spam : People who stole the hashtag to push traffic to their own site (used by quite a few big name vendors to draw traffic to their ...

(because we can't have enough posts with exclamation marks in them) Our previous post (and research ) seemed to go by pretty silently initially and then suddenly was everywhere. Andy Greenberg wrote a piece over at Forbes which really does deserve special mention. Tech journalists so often sensationalize security stories that many security researchers are quite afraid to even talk them. I certainly was, but his piece was fair, balanced and covered all the interesting points. +1 to him. The Forbes post was copied almost verbatim by a ton of other " news " sites on the 'net, but we beamed with some measure of geek pride at making the front page of Slashdot (and for featuring on the front page of Hacker News , The Unofficial Apple Weblog and HackADay ). Two Clarifications: A surprising number of people reacted to the work (on slashdot, or other forums) with: " FAKE ! The iPad Keyboard is not black!". One thread even went into detail about how this meant th...

(aka: Shoulder Surfing: There's an App for that!) We rarely talk about it these days, but shoulder surfing is a pretty old (but reliable) attack. This is why most password prompts are masked. Many modern mobiles (and tablets) however will highlight keys pressed on the keyboard making old style shoulder surfing attacks trivial (and reasonably automatable) again. In an effort to (help) bring back the 90's we decided to do some fiddling and built a quick app(on top of the awesome OpenCV framework) to automate shoulder surfing against iPads. (You can read more about it [ here ], download a short pdf on it [ here ] or just watch the youtube video below (but we think the pdf is more fun!)) There are a few more videos (available after the break) This was an early version of shoulderPad. We assumed we had won by simply locating the blue key-presses. One of the previewers asked: "Are you deliberately moving your fingers out of the way?" We decided to answer by quickly typing A...

We recently released a tool at http://cc.thinkst.com to capture and collect infosec conference details. We commented on it [ here ]. One of the cooler components of it, is the ability to view the relationships between speakers/researchers who have collaborated. This post is a quick introduction to the library we used to build our graphs, with enough info to get you up and running in minutes. As I mentioned, we use ArborJS library which is a a graph visualization library using web workers and the popular jQuery . The API is really well documented [ here ] but like most people, I learn best by example (and there are precious few of these). Hopefully this post will fill that niche, and by the end of it you should have a basic understanding of how to use arbor.js in your project. Our Aim: We will be building a simple contrived example as seen in the image above. Project setup : Create a new html page and include script references to the following libraries (Download them from the links...

In February this year we launched ThinkstScapes as a Security Intelligence subscription service. It was originally aimed chiefly at adding context & clarity to newly published research and conference proceedings . The subscription also catered for periodic updates and commentary via "Ad Hoc" updates. We just wrapped Quarter-1, so figured a quick round-up of Q1 would make sense. Interestingly the adhoc updates turned out to be quite popular with customers (forcing us to pay far more attention to them) and in 3 months we ended up distributing four of them. Our next Ad Hoc is currently in the oven, so should be hitting customer inboxes soon. Subscribers so far have received: HBGary, Anonymous & Lessons for the Rest of Us PWN2OWN - What it Means to You ComodoGate, SSL & Iran Verizon DBIR-2011 & You Quarter-1: Research & Conference Round Up It's been well received (and at just $8k per year we think it's awesome value). If you are interested in th...

I wrote a piece for Al Jazeera on cyber-war, asymmetry and the recent news around possible military reprisal for cyber attacks. You can read the full piece [ online here. ]

*oops* We forgot to mention that we updated iTried in the App Store. (iTried is the tiny app that takes a photograph on your Mac whenever the screensaver is disturbed). The new version will allow you to post the pic to twitter whenever it takes one (or whenever it can) which gives you 2 cute possibilities: The ability to remotely see who has been at your Mac The all important ability to track you own haircut over time ;> Check it out on the [ App Store ]

We wanted to quickly announce the availability of http://cc.thinkst.com ( a resource in need of it's own domain & a better name .) CC is a simple application that aims to give us a single point where one can search and browse infosec conference talks and materials*. Quick Overview One of the cool things about having all of this data in a central db is that we are just as easily able to search by topic ( http://cc.thinkst.com/searchMore/foo/ ) as we are by speaker ( http://cc.thinkst.com/searchMore/halvar/ ) Finding a speaker we are interested in, allows us to see all the talks (we know about) he has given ( http://cc.thinkst.com/speaker/Flake/Halvar/ ) And also allows us to get a good overview of his public research timeline ( http://cc.thinkst.com/speaker/Flake/Halvar/timeline/ ) One of the "funner" things is the ability to see who the speaker has previously (publicly) collaborated with ( http://cc.thinkst.com/speaker/Flake/Halvar/links ) This allows you to go from ...

The folks over at the Infosec Network have recently started doing interviews with security researchers. They have interviewed some real rock stars so far ([ Charlie Miller ], [ HD Moore ], [ Joanna Rutkowska ], [ David Litchfield ], [ Matthieu Suiche ], [ Dan Kaminsky ], and [ Jeremiah Grossman ] ) so i was pretty flattered when they asked me.. My interview is up [ here ] complete with dodgy photo and embarrassingly bad answers..

The Verizon RISK Team has once again released their annual Data Breach Investigations Report. [ Grab it Here ] Once more, the report makes for interesting reading and this year the discussion point is bound to be the marked decline noted in compromised records (From 361 million in 2008, to 144 million in 2009, to 4 million in 2010). We will kick off a ThinkstScapes adhoc update to customers analyzing the report, but thought one of the interesting points to note was the similarity between 2010 and 2011 recommendations. A quick point for point comparison shows that the 2011 recommendations are an almost perfect superset of the 2010 recommendations. The prognosis then? more of the same + a little bit more?

I wrote a piece on Cyber War, and what the recent HBGary breach teaches us about the current landscape. While I still feel bad for anyone who has their mail spool exposed to the world, the HBGary mails give us an interesting insight into a part of the world seldom seen by all. Check it out [ here ]

(This Post was written for ITWeb for the Upcoming ITWeb Security Conference) A security guy talking about impending doom. How rare! Except I'm not talking about the next Botnet, virus or nuclear reactor destroying worm, I'm talking about the crisis of confidence that’s heading our way, and the fact that we seem completely oblivious to its arrival. We (in the field) have been building a house of cards, and some day really soon it's going to come down around us. 10 years ago, the Infosec industry was in its infancy and we complained bitterly about the lack of management buy-in while we struggled to justify our existence in the corporate hierarchy. In the mid 90's we started getting taken seriously. Firewalls and security policies became a part of the corporate lexicon and security teams grew in size. For a while it seemed like the game had equalized, our efforts matched the threats of the day, but the threats of the day were pranksters and kids. We cried "Mission Ac...

The guys over at the Eurotrash Information Security Podcast had me on last week. We discussed HBGary, Thinkst, ZaCon and a bunch of other stuff.. It was pretty enjoyable (although i tried listening to myself and think its a lucky thing i dont do this too often). You can grab it [ here ]

A quick note to Welcome Jameel Haffejee ( email ) to Thinkst. Some of you might remember him as "the guy who did the Power Shell talk at Zacon2" .. (The talk was cool, but (in truth) I remember him as the guy that sponsored the coffee!) Jameel has signed up as a Developer and future world-denter, so you should be reading more of him here soon.. Hello World!

In the movie Sneakers, there is a defining moment when Robert Redford rearranges Scrabble tiles to figure out that 'SETEC ASTRONOMY' is actually an anagram. With this in mind, I give you: SETEC CONFER MOAN (Yo!) ( Click for full size ) I'm not saying that InfoSec Conferences are bad (although many a battered liver would disagree), but what i am saying is that we don't seem to be improving our security posture at the same rate as we seem to be growing our conferences. Something is not right here. Now some people have argued that this is because conferences favor "breakers" over "builders", but I personally think that this is a red herring. If a builder with half a brain watches an interesting talk on breaking, he will no doubt start pondering useful defensive techniques. I think the problem instead is simply one of too much information. The buildup to every major conference these days includes press releases and tantalizing tweets promising Cyber Ar...

On January 6th, Apple launched their Mac App Store. Pundits have taken pretty polarizing views on the store, with some hailing it as a boon to indie developers (since they can (trivially) publish to a world stage without worrying about credit card transactions) while others say that this is yet another way for Apple to exert big brother type control. I think it's a healthy dose of both. As I mentioned in the past, Apple does have an amazing ability to create markets (and in the process, value) where there previously were none. Sure there were app developers before the iPhone App Store, but the question is: " How many smart phone apps did you buy before you got your iPhone? ". I had several smart phones before my iPhone, but never bought an app for any of them. Of course this does put Apple in an enviable position, with identities, credit cards and eyeballs of millions of customers. A little while back I released iTried , a simple utility that uses the built-in iSight came...