Chrome Extension for gpg in Gmail

Last month we released an alpha version of cr-gpg. This is a simple Chrome extension to enable gpg functionality in gmail (or Apps for Domains). (If you don't know what gpg is, you should first read this and this.)

Installation :






You can grab the extension from [here] and a double click should install it. After the install completes, you should see the image above if you navigate to chrome://extensions:

Options :


Once you have installed the plugin, there are 2 required configuration options:
1) Directory with gpg binary
2) Temp folder path (writable by the browser)

(cr-gpg simply calls out to the gpg installation on your machine. Option [1] therefore is asking where it can find the gpg executable, and Option [2] is looking for a scratch directory to do its work). (We make some effort to ensure that the temp directory is well maintained). You should be able to click "Use Default" on most installations.

The "Encrypt to self" option is fairly self explanatory. If I encrypt (and send) an email to you, the encrypted email will be in my sent-items. I would be unable to read this mail though (since it has been encrypted with your public key, not mine). If you would like to be able to read the mails as well, then simply select this option (and enter your email address in the next field: "Encrypt to self Email Address").

Now click "Save" to save these options. (cr-gpg will do some basic sanity checking on your options). You can return to these options through the extensions window or by clicking the lock icon added to your browser chrome.
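The two required options and the "Encrypt to self" behaviour, as an added illustration (this is not cr-gpg's own code; the exact checks cr-gpg performs are not described here, and the gpg flags used are standard GnuPG command-line options):

```python
import os
import tempfile


def check_options(gpg_dir, temp_dir):
    """Coarse sanity checks for the two required options:
    [1] a directory holding an executable gpg binary and
    [2] a scratch directory the browser can write to.
    Returns a list of problems; an empty list means the options look usable."""
    problems = []
    gpg_path = os.path.join(gpg_dir, "gpg")
    if not (os.path.isfile(gpg_path) and os.access(gpg_path, os.X_OK)):
        problems.append("no executable gpg binary in %s" % gpg_dir)
    if not os.path.isdir(temp_dir):
        problems.append("temp folder %s does not exist" % temp_dir)
    else:
        try:
            # Create and immediately delete a file to prove the folder is writable.
            with tempfile.NamedTemporaryFile(dir=temp_dir):
                pass
        except OSError:
            problems.append("temp folder %s is not writable" % temp_dir)
    return problems


def encrypt_command(gpg_dir, recipients, encrypt_to_self=False, self_email=None):
    """Build the gpg argv for encrypting a message to `recipients`.
    With encrypt_to_self, the sender's own address is added as an extra
    recipient, so the copy left in sent-items is also readable with the
    sender's private key (without it, only the recipients' keys can decrypt)."""
    keys = list(recipients)
    if encrypt_to_self:
        if not self_email:
            raise ValueError("Encrypt to self requires an email address")
        if self_email not in keys:
            keys.append(self_email)
    argv = [os.path.join(gpg_dir, "gpg"), "--batch", "--armor"]
    for key in keys:
        argv += ["--recipient", key]
    # --encrypt reads the plaintext from stdin and writes ASCII-armoured ciphertext to stdout.
    argv.append("--encrypt")
    return argv
```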

Convenience Functions :




The other convenience functions enabled through the lock icon allow you to do simple gpg key management, encrypt and sign blocks of text.

Embedded Functions :




When typing an email in GMail, we should now see an additional link: "Encrypt Message".
(If we have the recipient's public key,) simply clicking this should encrypt the mail to the recipient as seen below.



When you receive an encrypted email, simply click on "Decrypt Message".



Decrypting an email requires access to your private key (which is usually password protected.) Enter the password, click "OK" and you should be good to go..



Give it a try [here], and let us know if you have bugs [here], comments, complaints or suggestions..

BlackHat according to Twitter

For the first time in a decade I didn't attend BlackHat USA in Las Vegas. I learned that South Africa in August is much colder than I recalled, but also had the chance to observe the conference through a Twitter lens.

It seemed as if there was more talk about parties than content, so I decided to grab all the tweets I could (#blackhat through the Twitter search API) to do some simple grouping*.

What's clear straight off is that my intuition was wrong. Although party talk makes up a significant percent of all tweets, tweets about "talks & training" clearly dominate. (This possibly means that I need to start following a better class of hax0r.)

A quick explanation of the grouping (which was done pretty coarsely):
  • Talks & Training : Tweets related to a talk (or training session)
  • Misc : (General catch-all for tweets about coffee / *)
  • Spam : People who stole the hashtag to push traffic to their own site (used by quite a few big name vendors to draw traffic to their reports *cough* shady rat *cough*)
  • Pimpage : Speakers / Vendors / People shamelessly self promoting
  • Vegas/Parties/Social : These are the typical "Vegas Baby!" tweets
  • Bluehat Prize : These are tweets about the Microsoft Bluehat prize
  • Not There : Tweets from people who wish they were at BlackHat
  • Recruitment : erm.. recruitment related
  • Pwnies : pwnies related tweets
  • BoothBabes : the kerfuffle over McAfees use of booth babes
  • anonymous,antisec,lulzsec : Tweets about Anon doing BlackHat
Since we have this data, we can extract some other (arb) pieces of information like:
Most commonly used words in tweets about "talks & training"

(this is a quick (cheap) way for us to see which talks /speakers dominated the twittersphere)

It also (kinda) interestingly allows us to list the top tweeters by volume (with 1318 individual tweeters in total):
  • 36 @TechJournalist
  • 32 @wireheadlance
  • 30 @chriseng
  • 25 @jadedsecurity
  • 23 @IOActive
  • 21 @Llana
  • 18 @click_finders
  • 18 @cindyv
  • 18 @bdognet
  • 18 @InsiderThreats
Finally (because we couldn't help but add another pie graph,) we can check the most popular twitter clients used to create this traffic:

(It's worth noting that we only grabbed data for the #blackhat hashtag. This is in part because it was most obvious, and in part because we were afraid to grab the results of #barcon.)

You should follow me on twitter: here

* We made use of the python twitter module. You can download a python pickle object here, which is a dictionary of all tweets snagged.
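The coarse grouping, the per-group word counts and the top-tweeters-by-volume list described above, as an added illustration (this is not the script used for the post; the group names follow the post, while the keywords and the sample tweets are constructed for the example):

```python
import re
from collections import Counter

# Coarse keyword groups in priority order (first match wins); anything
# unmatched falls into "Misc". Keywords are assumptions for this example.
GROUPS = [
    ("BoothBabes",                ["booth babe", "boothbabe"]),
    ("Bluehat Prize",             ["bluehat"]),
    ("Pwnies",                    ["pwnie"]),
    ("anonymous,antisec,lulzsec", ["anonymous", "antisec", "lulzsec"]),
    ("Recruitment",               ["hiring", "job opening", "recruit"]),
    ("Not There",                 ["wish i was", "wish i were", "not there"]),
    ("Vegas/Parties/Social",      ["party", "vegas baby", "drinks"]),
    ("Spam",                      ["free report", "download our", "whitepaper"]),
    ("Pimpage",                   ["my talk", "our booth", "come see"]),
    ("Talks & Training",          ["talk", "training", "session", "briefing", "slides"]),
]

STOPWORDS = {"the", "a", "an", "at", "to", "of", "and", "in", "on", "is", "for",
             "with", "rt", "my", "i", "this", "was", "it", "by", "up", "soon"}

# Constructed sample tweets (not real tweets) in the shape of a search result.
TWEETS = [
    {"user": "@alice", "text": "Great talk on SCADA exploitation in the briefings #blackhat", "source": "web"},
    {"user": "@bob",   "text": "Vegas baby! Pool party tonight #blackhat",                      "source": "TweetDeck"},
    {"user": "@alice", "text": "Packed room for the DNS talk, slides up soon #blackhat",        "source": "web"},
    {"user": "@carol", "text": "Download our free report on Shady RAT #blackhat",               "source": "HootSuite"},
    {"user": "@dave",  "text": "Wish I was at #blackhat this year",                             "source": "Twitter for iPhone"},
    {"user": "@alice", "text": "Who won the pwnie for best bug? #blackhat",                     "source": "web"},
]


def classify(text):
    """Assign one tweet to the first group whose keyword appears in it."""
    lowered = text.lower()
    for name, keywords in GROUPS:
        if any(k in lowered for k in keywords):
            return name
    return "Misc"


def group_counts(tweets):
    """Tweets per group: the numbers behind the first pie chart."""
    return Counter(classify(t["text"]) for t in tweets)


def top_tweeters(tweets, n=3):
    """Most prolific accounts as (user, count) pairs, highest volume first."""
    return Counter(t["user"] for t in tweets).most_common(n)


def client_counts(tweets):
    """Twitter clients used to post the traffic."""
    return Counter(t["source"] for t in tweets)


def top_words(tweets, group="Talks & Training", n=5):
    """Most common words in one group, ignoring stopwords, #hashtags and @mentions."""
    words = Counter()
    for t in tweets:
        if classify(t["text"]) != group:
            continue
        stripped = re.sub(r"[#@]\w+", " ", t["text"].lower())
        for w in re.findall(r"[a-z0-9']+", stripped):
            if w not in STOPWORDS:
                words[w] += 1
    return words.most_common(n)
```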


ShoulderPad Slashdotted! (and two clarifications)

(because we can't have enough posts with exclamation marks in them)

Our previous post (and research) seemed to go by pretty silently initially and then suddenly was everywhere. Andy Greenberg wrote a piece over at Forbes which really does deserve special mention. Tech journalists so often sensationalize security stories that many security researchers are quite afraid to even talk to them. I certainly was, but his piece was fair, balanced and covered all the interesting points. +1 to him.

The Forbes post was copied almost verbatim by a ton of other "news" sites on the 'net, but we beamed with some measure of geek pride at making the front page of Slashdot (and for featuring on the front page of Hacker News, The Unofficial Apple Weblog and HackADay).

Two Clarifications:
  1. A surprising number of people reacted to the work (on slashdot, or other forums) with: "FAKE! The iPad Keyboard is not black!". One thread even went into detail about how this meant that the video is doctored (while others opined that the keyboard was on a non standard jailbroken iPad and therefore invalid). The video taken is on a standard iOS5 iPad and is exactly the same as the 4.X iPad (once complex passwords have been enabled).
  2. The folks at Politecnico di Milano did some previous work in this field, using computer vision to detect keyboards (on mobile devices) which magnify the alphabets on key-press. Their excellent paper covers their technique and impressive results. (One of the authors commented on several sites that covered the ShoulderPad post about their version working "without needing blue color detection" and also made the mistake of initially assuming our keyboard was non-standard. Their attack targeted the normal keyboard whilst mine aimed at the Password keyboard.)
I've published a few papers and done a few talks, so it's slightly strange for a weekend bit of hackery to have hit such headlines (but it was fun seeing it all over the tubes at any rate).


On-screen Keyboards Considered Harmful

(aka: Shoulder Surfing: There's an App for that!)

We rarely talk about it these days, but shoulder surfing is a pretty old (but reliable) attack. This is why most password prompts are masked. Many modern mobiles (and tablets) however will highlight keys pressed on the keyboard making old style shoulder surfing attacks trivial (and reasonably automatable) again.

In an effort to (help) bring back the 90's we decided to do some fiddling and built a quick app (on top of the awesome OpenCV framework) to automate shoulder surfing against iPads.
(You can read more about it [here], download a short pdf on it [here] or just watch the youtube video below (but we think the pdf is more fun!))








There are a few more videos (available after the break)

Simple Graphs with Arbor.js

We recently released a tool at http://cc.thinkst.com to capture and collect infosec conference details. We commented on it [here]. One of the cooler components of it, is the ability to view the relationships between speakers/researchers who have collaborated. This post is a quick introduction to the library we used to build our graphs, with enough info to get you up and running in minutes.

ThinkstScapes (Quarter One Recap)

In February this year we launched ThinkstScapes as a Security Intelligence subscription service. It was originally aimed chiefly at adding context & clarity to newly published research and conference proceedings. The subscription also catered for periodic updates and commentary via "Ad Hoc" updates. We just wrapped Quarter-1, so figured a quick round-up of Q1 would make sense.

Interestingly the adhoc updates turned out to be quite popular with customers (forcing us to pay far more attention to them) and in 3 months we ended up distributing four of them. Our next Ad Hoc is currently in the oven, so should be hitting customer inboxes soon.
Subscribers so far have received:

  • HBGary, Anonymous & Lessons for the Rest of Us

  • PWN2OWN - What it Means to You

  • ComodoGate, SSL & Iran

  • Verizon DBIR-2011 & You

  • Quarter-1: Research & Conference Round Up


It's been well received (and at just $8k per year we think it's awesome value). If you are interested in the service, drop me an email (haroon@thinkst.com) and I'll send through some of the previous issues.

Cyberwar, Stuxnet and people in Glass Houses

I wrote a piece for Al Jazeera on cyber-war, asymmetry and the recent news around possible military reprisal for cyber attacks. You can read the full piece [online here.]

iTried Update (oops)

*oops* We forgot to mention that we updated iTried in the App Store. (iTried is the tiny app that takes a photograph on your Mac whenever the screensaver is disturbed).
The new version will allow you to post the pic to twitter whenever it takes one (or whenever it can) which gives you 2 cute possibilities:
  • The ability to remotely see who has been at your Mac
  • The all important ability to track you own haircut over time ;>
Check it out on the [App Store]

(ComputerSecurity) Conference Collecting

We wanted to quickly announce the availability of http://cc.thinkst.com (a resource in need of its own domain & a better name.)

CC is a simple application that aims to give us a single point where one can search and browse infosec conference talks and materials*.

Quick Overview
One of the cool things about having all of this data in a central db is that we are just as easily able to search by topic (http://cc.thinkst.com/searchMore/foo/) as we are by speaker (http://cc.thinkst.com/searchMore/halvar/)
Finding a speaker we are interested in, allows us to see all the talks (we know about) he has given (http://cc.thinkst.com/speaker/Flake/Halvar/)
And also allows us to get a good overview of his public research timeline (http://cc.thinkst.com/speaker/Flake/Halvar/timeline/)



One of the "funner" things is the ability to see who the speaker has previously (publicly) collaborated with (http://cc.thinkst.com/speaker/Flake/Halvar/links)



This allows you to go from topic, to speaker to birds of a feather. Where the info is available, we can easily go from halvar to zynamics to "who else from zynamics has spoken (and on what?)"



With quality input data, and solid pointers to the original content, we would be able to move more easily towards a much needed infosec siteseer of sorts (and there's a wealth of interesting meta information just waiting to be examined).

All projects like this start with good intentions and their utility tapers off as the members stop updating it (and we are all probably slightly poorer for it). The good news is that this doesn't have to happen here. We approached a handful of conferences already who have agreed to climb aboard. They get an uber simple upload form, and a csv'ish template. Before (or just after) a conference, they upload speakers.csv and CC will add/index/process it. CC will still link to the original content on their sites (so CC becomes a good way for people to make their /archives more useful.)

(So far we have only spoken to BlackHat, SysScan, BruCon, Hack in the Box & ZaCon )

Check out the site. if you see broken data, use the form to submit a patch. If you run a conference or know people who do, please kick us their details, we would love to talk to them...

* We initially built cc with a whole bunch of scraping (which would account for its occasional spulling-errers, but feedback and conference organizer involvement is changing that.)

Interview with the Infosec Institute

The folks over at the Infosec Network have recently started doing interviews with security researchers. They have interviewed some real rock stars so far ([Charlie Miller], [HD Moore], [Joanna Rutkowska], [David Litchfield], [Matthieu Suiche], [Dan Kaminsky], and [Jeremiah Grossman]) so I was pretty flattered when they asked me..

My interview is up [here] complete with dodgy photo and embarrassingly bad answers..

Nothing (really) new under the Sun - Verizon Breach Report..

The Verizon RISK Team has once again released their annual Data Breach Investigations Report. [Grab it Here]

Once more, the report makes for interesting reading and this year the discussion point is bound to be the marked decline noted in compromised records (From 361 million in 2008, to 144 million in 2009, to 4 million in 2010).

We will kick off a ThinkstScapes adhoc update to customers analyzing the report, but thought one of the interesting points to note was the similarity between 2010 and 2011 recommendations.



A quick point for point comparison shows that the 2011 recommendations are an almost perfect superset of the 2010 recommendations. The prognosis then? more of the same + a little bit more?

What Anonymous taught us about Cyber War

I wrote a piece on Cyber War, and what the recent HBGary breach teaches us about the current landscape. While I still feel bad for anyone who has their mail spool exposed to the world, the HBGary mails give us an interesting insight into a part of the world seldom seen by all. Check it out [here]

Our Upcoming Security Apocalypse!

(This Post was written for ITWeb for the Upcoming ITWeb Security Conference)

A security guy talking about impending doom. How rare! Except I'm not talking about the next Botnet, virus or nuclear reactor destroying worm, I'm talking about the crisis of confidence that’s heading our way, and the fact that we seem completely oblivious to its arrival. We (in the field) have been building a house of cards, and some day really soon it's going to come down around us.

10 years ago, the Infosec industry was in its infancy and we complained bitterly about the lack of management buy-in while we struggled to justify our existence in the corporate hierarchy.

In the mid 90's we started getting taken seriously. Firewalls and security policies became a part of the corporate lexicon and security teams grew in size. For a while it seemed like the game had equalized, our efforts matched the threats of the day, but the threats of the day were pranksters and kids. We cried "Mission Accomplished" too early.


The threats evolved and the attackers became professionals while we started getting used to corporate meetings, Aeron chairs and TPS reports.

We kept whining though. We need more budget! Management don't buy in! We were actually compiling our list of excuses for our complete and utter failure to achieve our objectives, and we have failed! Think it's not that bad? Here's a simple, sobering hypothetical I posed in a talk last year: imagine the highest value individual at your corporation. The guy whose computer (and the data assets it touches) you would do anything to protect. Can you honestly say you can stop a determined attacker from compromising him?

For the thousands your organization spends on security, you can't protect the one guy who is most valuable to you. Worse yet, would you even know if he was popped?

How ineffectual can we be? This problem compounds, because the company boards are now increasingly aware of the Infosec problem, but they are making the logical assumption that the teams of people they are paying, have the problem under control. They don't know that we don't have the answers yet, that many of us are resorting to hope as a strategy, hoping desperately that when the breach eventually happens, it won't happen on our watch.

We find ourselves now in a strange position. The boards pay our (sometimes huge) salaries and send us to conferences and even though we occasionally whine, they assume we have the matter in hand. They think the millions of dollars being spent worldwide on penetration tests and anti-virus means that we could at least protect the CFO. We know we can't but somehow, just never find the right opportunity to let them know.

The industry itself has become so incestuous, that we strongly resemble the investment banks just before the melt-down. Lots of money changing hands. Surface level checks and balances being executed by people with a strong disincentive to speak truth to power. Everything will hum along, until it won't!

Everyday that we do not suffer the critical attack of our nightmares, is an additional day that makes people think the attack is less likely. As Taleb points the scarcity of the Black Swan event does not alter the likelihood of it happening, it merely makes the result more shocking when it does.

The board is going to be asking: "Isn't that what we paid you guys to prevent?".

There’s going to be some feet shuffling, some finger pointing, and some heads will roll.. honestly, I think we are going to deserve it!

Eurotrash Security Podcast

The guys over at the Eurotrash Information Security Podcast had me on last week. We discussed HBGary, Thinkst, ZaCon and a bunch of other stuff..

It was pretty enjoyable (although I tried listening to myself and think it's a lucky thing I don't do this too often). You can grab it [here]

A freshly etched MacBook Pro (Aka - Welcome Jameel!)



A quick note to Welcome Jameel Haffejee (email) to Thinkst.

Some of you might remember him as "the guy who did the Power Shell talk at Zacon2"..
(The talk was cool, but (in truth) I remember him as the guy that sponsored the coffee!)

Jameel has signed up as a Developer and future world-denter, so you should be reading more of him here soon.. Hello World!

Is the answer more InfoSec Conferences?

In the movie Sneakers, there is a defining moment when Robert Redford rearranges Scrabble tiles to figure out that 'SETEC ASTRONOMY' is actually an anagram.


With this in mind, I give you: SETEC CONFER MOAN (Yo!) (Click for full size)



I'm not saying that InfoSec Conferences are bad (although many a battered liver would disagree), but what I am saying is that we don't seem to be improving our security posture at the same rate as we seem to be growing our conferences. Something is not right here.

Now some people have argued that this is because conferences favor "breakers" over "builders", but I personally think that this is a red herring. If a builder with half a brain watches an interesting talk on breaking, he will no doubt start pondering useful defensive techniques. I think the problem instead is simply one of too much information. The buildup to every major conference these days includes press releases and tantalizing tweets promising Cyber Armageddon. Some talks come fully equipped with groupies and fans who seem uninterested in the technical content, but want to catch a glimpse of a security rockstar. It's all a lot of fun, but real-world value? Not so much..

This is not to say that those talks are bad, just that they may not be the ones that should be occupying your thoughts. What's missing from all this is context, and with more than half the year having some conference running somewhere in the world, all the information turns to noise.

We are hoping to help address this somewhat with ThinkstScapes.

For many, many years customers have been paying us to help them see further down the road with regard to upcoming trends and threats. Major conferences are often followed up with questions of "What did you think of XXX?". ThinkstScapes aims at answering these questions and more. More importantly, ThinkstScapes aims at raising to the surface the research and happenings that really should be on your mind, that are currently being hidden in the noise.

With a report every quarter, and ad-hoc updates on key InfoSec events during the year, we think ThinkstScapes is an important subscription for anyone who needs to understand what's going on in the Information Security space. (ThinkstScapes)

Shameless (aka: iTried on the Mac App Store)

On January 6th, Apple launched their Mac App Store. Pundits have taken pretty polarizing views on the store, with some hailing it as a boon to indie developers (since they can (trivially) publish to a world stage without worrying about credit card transactions) while others say that this is yet another way for Apple to exert big brother type control.

I think it's a healthy dose of both. As I mentioned in the past, Apple does have an amazing ability to create markets (and in the process, value) where there previously were none. Sure there were app developers before the iPhone App Store, but the question is: "How many smart phone apps did you buy before you got your iPhone?". I had several smart phones before my iPhone, but never bought an app for any of them. Of course this does put Apple in an enviable position, with identities, credit cards and eyeballs of millions of customers.

A little while back I released iTried, a simple utility that uses the built-in iSight camera to take a picture of the person at the keyboard when the apple screensaver is disturbed. I figured it would be worth checking out the submission process (which was surprisingly painless and efficient). So today, you should be able to grab iTried from the Store..

Disclaimer: It's exactly the same version I previously released online for free, and I don't plan on retiring on the proceeds, so if you want a copy but don't want to pay for it, just drop me an email.