Bonjour & Secure! 10 Tips For Safer Travel

In a few days I’ll be on my way to France for about two weeks with my girlfriend, and as I’m putting a few things together I thought this would be a great time to share some of the steps I take to protect myself while traveling.

There have been many great in-depth articles written about securing your devices, such as April Wright’s series, and @thegrugq has great advice here. I highly recommend reading through these if you are looking for more in-depth technical advice.

Know Your Risk

My goal is to not create an exhaustive list of how to protect your devices, but to share my approach to it as a regular traveller for fun and work. The majority of the time I’m on the road is for work, which means I need to balance accomplishing work with client confidentiality.

Overall, my biggest concern is everyday criminal activity: outright theft of my phone or laptop. This is always at the forefront of my mind whether I’m traveling internationally, walking around my home town, or commuting around Boston. I generally take the same precautions no matter where I am.

Some people may be concerned with their electronic devices being searched by border patrol; however, that is not one of my primary concerns. If you are someone with a legitimate concern about this, or about other nation-state adversaries, this isn’t the post for you. Instead, go follow @thegrugq and read everything he’s written on the subject.

With that said, here are the top 10 things I do to increase my security for

1. Don’t Bring It

If you don’t need it don’t bring it. Done. This is not only a mantra for minimalist travel, but also good security practice. If you don’t need to have client documents with you, don’t. These types of documents should be routinely wiped from your devices.

2. Backup Everything

I operate under the assumption that at any time, I may have my phone or laptop stolen or that it might get broken. Hard drives will fail and even though you’ve dropped your phone numerous times without anything bad happening, there’s always that one time. Regular travel is not just hard on people, it’s also hard on computers. Backup everything.

Phone – Every time I plug it in to my computer it performs an encrypted local backup protected by a randomly generated passphrase. I back up my laptop and desktop locally using Time Machine to external storage in case a hard disk fails or a system update goes awry.

Laptop – When traveling for work, I create a Time Machine backup on an external drive that I bring with me. I’ve only used it once while at a client location, but it saved the day when my laptop wouldn’t boot.

3. Encrypt Everything

Ensure that your phone is protected with a strong passphrase. Not a PIN, fingerprint lock, or Face ID. If you need help setting up a passcode, instructions can be found here for iPhone.

Encrypt your laptops. Full disk encryption is a must: if someone steals your laptop, they will be unable to just remove the hard drive and pull data off of it. Instructions for enabling this using Apple’s FileVault can be found here.

4. Bring Printouts and Photocopies

Bring a quality color copy of your passport. Embassies may have an easier time dealing with a color copy. You should also keep a copy in each bag that you are bringing (i.e. your backpack, and each piece of checked baggage).

I would also recommend bringing printouts of any hotel information or other travel documents that might be handy. When traveling to non-English speaking areas, it’s also useful to keep this information on hand to show drivers where the address is to ease any communication issues.

Add to this any important numbers along with an emergency contact just in case something happens to you.

This may sound like overkill, but if you need them, having these printouts on hand can turn what might be a vacation ruining event into a minor problem.

5. Use VPNs

I recommend keeping your phone in airplane mode when not in use. However, when you do need to connect to a wireless network make sure the network requires a password to join and use a VPN. I’m currently using Private Internet Access for a VPN provider and have been for a couple of years now without any issue. I use a VPN on my laptop as well as my phone.

6. Credit Cards and ATMs

Be very cautious using ATMs. Credit card skimming is a major source of financial loss these days, and skimmers are more sophisticated and harder to spot than ever before. If possible, only use ATMs in secure areas, such as inside banks, to limit your risk, and try to use only credit cards that have travel protection. Do your best to only run transactions as credit so you are not entering your PIN into a sketchy card machine at that corner convenience store.

Don’t forget to call your credit card companies to let them know you are traveling.

7. Disable Services

For both my laptop and phone, I disable Bluetooth, AirPlay, and wireless unless I need to use them. In most cases, I also keep my phone in Airplane mode.

It’s also a good idea to clear your devices of any previously joined wireless networks to prevent your phone or laptop from trying to automatically join these.
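An added example, not part of the original post: a dry-run shell check for a macOS laptop covering the FileVault advice in tip 3 and the remembered-network cleanup in tip 7. It assumes the Wi-Fi interface is en0 and that fdesetup and networksetup print the formats noted in the comments; the SSIDs and the WIFI_IFACE, KEEP_SSIDS and APPLY variable names are constructed for illustration.

```shell
#!/bin/sh
# Pre-trip check for a macOS laptop. Dry run unless APPLY=1 is set.

# Extract SSIDs from `networksetup -listpreferredwirelessnetworks <iface>`.
# Assumed format: a header line, then one tab-indented SSID per line.
parse_preferred_networks() {
  printf '%s\n' "$1" |
    sed -e '1d' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Print remembered SSIDs that are not on the keep list.
# $1 = networksetup output, $2 = newline-separated SSIDs to keep.
networks_to_forget() {
  parse_preferred_networks "$1" | while IFS= read -r ssid; do
    if ! printf '%s\n' "$2" | grep -Fxq -- "$ssid"; then
      printf '%s\n' "$ssid"
    fi
  done
}

# Succeed only when `fdesetup status` output says FileVault is on AND no
# encryption or decryption pass is still running (disk not yet fully covered).
filevault_is_on() {
  case "$1" in
    *"in progress"*) return 1 ;;
    "FileVault is On."*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample output, so the logic can be exercised on any machine.
demo() {
  sample="$(printf 'Preferred networks on en0:\n\tHomeNet\n\tHotel Lobby Guest\n\tAirport_Free_WiFi\n')"
  networks_to_forget "$sample" "HomeNet"
}

# Live run on macOS. Removing a network may require administrator rights.
main() {
  iface="${WIFI_IFACE:-en0}"
  if ! filevault_is_on "$(fdesetup status 2>/dev/null)"; then
    echo "WARN: FileVault is not fully enabled on this machine"
  fi
  networks_to_forget \
    "$(networksetup -listpreferredwirelessnetworks "$iface")" \
    "${KEEP_SSIDS:-}" |
  while IFS= read -r ssid; do
    if [ "${APPLY:-0}" = 1 ]; then
      networksetup -removepreferredwirelessnetwork "$iface" "$ssid" </dev/null
    else
      printf 'would forget: %s\n' "$ssid"
    fi
  done
}

# `--run` touches the real system; anything else only shows the demo.
case "${1:-}" in
  --run) main ;;
  *) demo ;;
esac
```

Run it with --run first to review the "would forget" list, then again with APPLY=1 once the list looks right.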

8. Security Enhanced Accessories

I am a fan of minimalist travel and haven’t checked a bag in years. If possible try to limit to one backpack or one carry on.

Credit Cards – I keep all of these in an RFID blocking wallet when not in use along with my passport. For my credit cards I am currently using the Ridge Wallet and for my passport I’ve been using one I picked up from Target.

Clothes – I prefer to travel with clothes that have extra security features, like hidden pockets. This can add a bit of extra security against pickpockets, but I like that, for the most part, I don’t have to worry about items falling out of my pockets on the plane, taxi, or train. Two of my favorite companies in this area are Rohan and Bluffworks. I am almost always wearing a piece of Bluffworks clothing.

Backpacks – I currently use a Brainbag from Tom Bihn, but I’ve heard great things about the PacSafe backpacks. These bags are built with steel threading and RFID protection. I’m planning on picking up one of their 25L bags soon.

9. Be Vigilant

Heavily trafficked areas are prime spots for thieves. It’s not always in a dark alley or in bad parts of town. Pickpockets love crowded places.

Keep your bag in front of you when standing on a train or bus. It’s also helpful to have chest or waist straps on, as it can make it more difficult for someone to take your bag and run. Criminals will go after easy targets. Don’t be one of them. Phones are easy targets as they are much easier to convert to cash than other items you will probably have on you. They are also incredibly easy for thieves to steal.

Getting robbed happens to experienced travelers too. It’s not always a mugging. Thieves can easily cut through most backpacks.

10. Don’t Use Public Charging Spots

USB cables provide power as well as data. When you plug your phone into a USB port to charge, it is possible that someone may be able to access information from your phone if they have tampered with the USB charging station. I would recommend only charging from a power outlet, using a portable charger, or a device like the SyncStop.

Be wary of using internet cafes and other places that provide free wifi, charging services, or public computers.

One last thing, don’t forget to check the State Department website for travel warnings and other country-specific travel information.

Why Mentor?

Whether it has been in an official capacity or just as part of a job that I have been in, I’ve always found myself teaching others and doing what I have been able to do to make others successful.

However, it has only been in recent months that I have decided to start mentoring someone officially and it has been going quite well, although we both have a lot of ideas on how to improve the process.

What is a Mentor?

The word Mentor comes from Homer’s Odyssey and is the name of the teacher that Odysseus leaves his son with while he goes off to fight in the Trojan War. In time, the word Mentor evolved to refer to a teacher, friend, or trusted advisor.

A Mentor is someone that can not only help teach a particular subject, but can also impart real world knowledge and experiences in whatever area they are assuming the mentor role in. It’s the difference between learning the ropes in an academic setting with professors and learning it on the job with someone that has been doing it for years. While both have their places, the type of education and experience gained is different.

A Mentor can impart not only the technical knowledge needed to be successful, but also provide guidance on topics that aren’t routinely discussed or don’t have simple answers, such as career development and real world practices.

Why Mentor?

Mentoring can provide both the Mentor and Mentee with an incredibly valuable experience that is not possible elsewhere. Teaching is an effective way of cementing one’s own knowledge on the subject, but oftentimes we only teach a particular student for a short amount of time, whether in a workshop, a college course, or teaching something on the fly in a job setting.

The relationship between a Mentor and Mentee will often evolve into a real long-term and close friendship. This has at least been true of those who have served as my Mentors, some going on ten or more years now.

This results in an incredibly deep, satisfying, and rewarding relationship for both parties involved.

The Mentor and Mentee Relationship

The relationship between a Mentor and Mentee (or Apprentice, Padawan, Protégé, etc.) can take on many forms and dynamics. I may only talk to my own Mentors once every few months or weekly. All of my relationships with them are very unstructured where I may only reach out if I have a specific question or need advice.

When I am acting in the role of a Mentor, I prefer a bit more structure. I prefer to instruct and guide those I Mentor and have a plan around how that is accomplished.

My Mentee and I often meet weekly or at the very least bi-weekly as schedules allow for about an hour or so. We use Google Hangouts so we can share our screens and see and talk to each other. We also frequently communicate throughout the week on Semaphore.

What do I hope to get out of Mentoring others?

I chose to jump in and Mentor as an acquaintance was asking if someone would be interested and I jumped at the opportunity. Working in application security, it is hard to find people that are able to hit the ground running or are knowledgeable in the needed areas such as performing vulnerability assessments, threat modeling, or code review.

It can be extremely difficult to find someone that not only understands how applications are developed, but also understands the common vulnerabilities and how these vulnerabilities manifest in various technology stacks. The ability to write code to accomplish some tasks is also, in my opinion, a necessity.

That being the case, I found that as we brought people onto the teams that I was a part of, they often needed some help getting up to speed in some areas, so I would always offer to help tutor or guide them.

Application security involves a cross section of knowledge that we need more of in the Information Security community, and it is a role that a lot of companies are struggling to fill. I think it is our responsibility to ensure that we are creating and maturing those that will be needed to fill these ranks and one day replace us.

I hope to continue to work at growing my own skills and knowledge in Information Security but also as a Mentor. I want to challenge not only my Mentee but myself as well and build a successful practice doing this where I can share what I have learned with others in the hope they will pick up the torch and start Mentorships of their own.

DerbyCon V: Unity

At this moment I am sitting at the airport waiting for my plane to Louisville, KY, where in a few days DerbyCon V will be starting. Wednesday and Thursday of this week I will be in Chris Hadnagy’s Advanced OSINT training course, with DerbyCon kicking off Friday.

I didn’t post anything regarding DEF CON this year as I had planned to do as I was completely distracted by personal matters that came up and didn’t feel much like writing or doing much else.

For the most part all of that is in the past, and thankfully, better.

I’m looking forward to this year’s DerbyCon more than any other as not only do I get to see all of my friends, but I will have a chance to take training myself for once and just focus on learning for a couple of days.

I’ll be attending the Hacker Family Dinner and DerpyCon on Thursday night and will be at BourbonCon on Friday night.

Hope to see you all around.

Inclusiveness at Conferences

Earlier this morning a conversation started on Twitter about the family vibes at cons and feeling left out and whether someone belongs or not. I just wanted to point out a few things based on my own experience at various cons over the last few years.

It is important to remember that whenever you have a large enough group, cliques will form. Despite the best intentions of any con organizer, it can be hard, if not impossible, to keep the open vibe at a con. There is a lot of talk about “family” and everyone is always welcome etc. That’s great and despite what you may think of using the term family to reference this, it is important for those of us who are more outgoing to make sure we provide an opportunity for those who want to participate, but for whatever reason, don’t seem like they can.

I’m a decently outgoing person. Sometimes I am also reserved and would prefer to sit quietly by myself. It doesn’t mean that I don’t want to take part in discussions or hanging out with others, but right now I’m not into it and that’s fine (and no, nothing is wrong :).

At some point, I’m going to want to join in the fun.

For example, my first DerbyCon was a few years ago. After a long day, the board games had started coming out and my acquaintances and friends that I knew had gone to bed or were off doing other things. I was wandering around the con hotel by myself and saw a group of people playing Cards Against Humanity. I had never played before and was standing there watching. At this point, someone asked if I wanted to join. I said yes and had a great time playing.

Now the above could have gone differently and if I had not asked, and I had really wanted to play, I may have felt rather left out. And I know at this point some people will just say “well if you really wanted to play, you would have just said so”, and that means that you really don’t understand the problem. Sometimes, some people, for a lot of reasons, can’t ask. However, that simple gesture is what I am talking about. I could have said no that I didn’t want to play, but it was the gesture and the opportunity that matters.

I am also guilty of leaving people out. A moment last year at DEFCON 22 sticks out and I still feel a bit bad about the situation. My partner and I were tired and wanted to talk about a couple of things alone. We were also hungry and were waiting in line for one of the restaurants at the Rio and we just happened to come up to be seated at the same time as a younger attendee had been there. This person was eating alone and had struck up a conversation with us and had asked us if we wanted to eat together. Now on most occasions we would have said yes and welcomed the addition and the chance to talk to someone just getting into the scene. We kind of blew this person off and after eating I tried to find the person but couldn’t. This kind of bummed me out as our conversation could have waited until after eating. It was important but could have waited.

I also wanted to touch on the use of the word family. While I’m not a member of any inner circles at these cons, I am grateful for the friends that I have made over the years from these events. Growing up I didn’t have a close family. Just the opposite. I had few friends, but we were very close. I have made friends over the last couple of years that I feel closer to than my own brothers and sisters. Not everyone grew up in a cherished family where everyone went on picnics and family outings. I was just as likely to get smacked or thrown against a wall.

Just remember that at the end of the day, any con is only as good as the attendees. No policy or enforcement is ever going to fix that. We all need to remember to be good people, fix mistakes and make sure we do our best to make everyone feel welcome. It needs to also be understood that everyone is different and some places or cons just aren’t for some people and any attempt to make everyone happy is futile.

Thoughts on the Forever Lock

The Forever Lock was introduced back in April by LockMan28 as an “unpickable lock”. It quickly picked up a lot of steam being featured on Digg, The Telegraph, Business Insider and other places.

I never paid it much attention until I was out drinking with a friend and he brought it up. Whenever I hear something is unpick-able, unbreakable, or any other un-something marketing term, I only roll my eyes. With my involvement in TOOOL, I have had the opportunity to see quite a few amazing openings and attacks. When I see something new I have to refrain from getting all excited about what the attacks will possibly look like.

While I keep hoping that it will be an amazing technique, something magical, the reality is that most of these fall to some of the same old time-honored methods.

So it is the case with the Forever Lock.

My first impressions on the Forever Lock were “wtf?” followed by a “oh dear god why?”

To me it is a complete usability nightmare. I couldn’t imagine fiddling with that mechanical condom after work when I just want to get on my bike and ride. I’m not a fan of adding complexity to what should be simple everyday objects. Especially when the complexity offers no real benefit and gets in the user’s way.

So onto the attacks!

First up is a video by evva3ks in which he demonstrates a bump key attack. Bumping is a simple concept that takes advantage of Newton’s Third Law. I’m not going to explain it here but the Lock Wiki has a good write up. This is a great attack because if you can successfully make a bump key, you can easily open other locks using the same bump key without modification. This is a particularly devastating attack in my opinion since with practice it can be done quickly and, once made, the key does not require additional equipment.

Next up is a series of videos posted by Deviant Ollam in which he demonstrates attacking the Not Quite So Forever Lock through a foil impressioning attack. If you are not familiar with impressioning attacks, he does a great job of demonstrating the process here against a different kind of dimple lock and here against the Forever Lock.

Deviant also points out that the lock has poor tolerances in this video. Many locks suffer from this. Machining is expensive and one of the primary differences between cheaper (i.e. less secure) locks and higher security locks is how tight the tolerances are. The Forever Lock also suffers from this, making it possible to potentially open the lock with an unmodified key that shouldn’t. This also has implications for normal wear and tear, especially for something that is designed for frequent outdoor use and is going to be jostled around. I can only imagine how the lock will function after a year.

In Information Security, we often need to learn how malicious actors work, the tools they use, the methodology they use as well as their mindset, before we can even hope to defend against them.

There is an ever growing library of knowledge out there on attacking locks. If you are designing a lock please, step back, take a look at the different attacks that are a Google search away and ask yourself how you could apply these attacks to your lock.

The same for locks and physical security in general. Otherwise, we are doomed to keep repeating past mistakes.

Book Review: Gray Hat Python

I really liked this book. If you are new to fuzzing, exploit development, Immunity Debugger or IDA Pro, this book will be worth your time to check out. But if you are already familiar with these topics, this book would be too introductory for you and I would probably skip it.

This book covers quite a bit of ground in its 181 pages. From debuggers and fuzzers to emulation, each topic is introduced well enough that you will have good base knowledge to continue on from where the book ends.

In the first chapter, we get a Python refresher. I say refresher as this book does not attempt to teach you Python. While none of the Python in the book is particularly difficult, if you don’t have a grasp of programming in general then I would highly recommend learning Python first. If you do know Python, this first section definitely shouldn’t be skipped as it also introduces the ctypes library, which is used extensively throughout the rest of the book.

The next three chapters in the book focus on debuggers. They cover a bit of debugger design, including how to write a Windows debugger from scratch, all in Python. Different types of breakpoints are introduced and you learn how each works at a low level. The book then introduces the PyDbg framework and finishes the debugger chapters by introducing the popular Immunity Debugger, which has Python scripting capabilities.

Moving on through the next few chapters, the book introduces us to function hooking and code injection. Both topics are given great explanations with plenty of code examples and uses, such as file hiding and backdoors. These two chapters also serve as a starting point for the following few chapters, introducing us to Fuzzing. Like the previous chapters, Justin Seitz walks us through creation of a fuzzer from scratch, before introducing us to the Sulley fuzzing framework. He then walks us through the construction of a simple network fuzzer to fuzz an FTP service. Our education in fuzzing ends with using the Immunity driverlib to fuzz a Windows driver.

Read My Review on Amazon
Read My Review on Goodreads

Boston CodeCamp 21

Earlier today, I presented at Boston Code Camp 21 on Hacking Your Own Website. In the presentation, I took the audience through a demonstration of my approach to using BurpSuite to enumerate a website and to find potential exploitation points. I also briefly went into some of the other functionality that Burp offers such as the Intruder and Repeater tools. I also briefly demonstrated the scanner. My thought was that they would most likely be using the free version for a bit before purchasing a license (if at all), so I wanted to make sure I got enough of the other functionality in there.

For the demonstration I used the Drunk Admin Web Hacking Challenge VMWare image as a target.

Demonstrations can eat up time so I wasn’t able to get through the entire challenge set. I was taking questions throughout so that slowed it down a bit, but I would rather answer questions than just get through the content and not have anyone coming away from the presentation learning anything.

I think it is important for security people to break out and present at (or just attend) conferences that are primarily focused on security. This makes us much more rounded individuals as well as allowing us to transfer knowledge to developers, managers and others who may not get to the security conferences or even better, disseminate proper advice and knowledge to those that may only be getting their security information through a vendor or what they read on some of the generalist news sites.

Overall I thought it went well and had a good time with it.

The Impress.js source of the presentation can be found at GitHub.

Attending HOPE X

It is official!

I will be attending HOPE X this July with the TOOOL gang.
Earlier this year I had thought about attending since it is in New York City and is an easy drive from where I live. However, I had decided not to since it can be difficult with child care and getting time etc., especially when I will be on the road a good deal in August for Security BSidesLV and DEF CON.

However, the PWM-TOOOL chapter was asked if we could assist with the TOOOL setup and helping out in the Village during the conference, so how could I resist? It just so happened that all things just came together to make it easy for us to attend.

I have been a long-time reader of 2600, and the 2600 meetings that I attended in Minneapolis when I was younger were influential in the choices that led me to where I am today. I think I was about fourteen at my first 2600 meeting in the Mall of America food court and while I don’t really remember any of the people that were present, I do remember a lot of the conversations, arguments and interests.

Needless to say I am definitely looking forward to my first HOPE.

First System That I Coded On

The other day on Twitter, Jon Hudson asked the following question:

Well here is my first coding system, also an Atari 400:

It has definitely seen better days. It does however still work, but I do not have a television I can hook it up to at the moment. I was about eight years old when I was with my parents at a garage sale and picked this up. I remember it was just in a box with a bunch of books and games. Though this was not my first gaming system (I had a NES and Sega Genesis at this point), it was my first programmable system that I had ever had a chance to use in the comfort of my home. I occasionally was allowed to play on the Apple at school, but I went to a very small elementary school and it wasn’t like they were going to allow me to just “mess” with their system (no one at the school really knew how to use it) as I had already gotten in trouble for that a couple of times.

All the way home I had my nose buried in one of the manuals that was in the box:

Above picture is not mine. I have long since lost it, but the picture is from Forever Geek

After reading through the first few pages on setup and the BASIC language, I started digging through the rest of the box tossing aside Pacman, Missile Command and Space Invaders, looking for the Atari BASIC cartridge and sure enough, it was there!

Little eight-year-old me was pretty happy. For those that don’t know me, this is not the jumping-around happiness that most kids do. No, even through my cool exterior and “rainbows are a lie!” attitude, I was beaming with anticipation and joy.

This was the best thing I had ever found at a garage sale.

At this point in my life my family did not own a computer of any kind, so while I knew that people somewhere made games, I had not had the opportunity to try it myself.

As soon as I got home I finished reading the manual. Sitting on my bed I read through the first few chapters and learned about the glorious PRINT command.

I could not wait to try it out, so I quickly disconnected my NES (who needs that now!) and hooked up my new system. Everything went well and I was soon greeted with the magic words “READY”.

I worked through the first few chapters of the book, just copying what they were doing and had written various programs that spit out “Hello” and asked about your name and age and such.

After tediously typing these little bits of truth out (as who could really type on that keyboard?), I decided I was going to strike out on my own.

After sitting on my floor for what seemed like ages poking at keys on that thing, I had my first, entirely written by me, program. It was crude and basic and all it did was ask a couple of questions and depending on what was answered, it output different things.

I was excited and couldn’t wait to show it off. I immediately hollered for my mother to show her what I did and quickly walked her through it and told her what to enter.

After a few minutes of painstakingly entering in the answers to the questions, my mother gave me the greatest words of encouragement that you could give a newly made computer pro: “That’s nice dear”.

I guess she didn’t understand what was going on. I couldn’t fathom that she didn’t understand how cool this was and proceeded to try and explain, as best as I could, what she had just witnessed.

I couldn’t really express or articulate it at the time, but I knew my life had just changed forever.