Spam Nation is a non-fiction book written by Brian Krebs, a well known journalist and the author of the KrebsOnSecurity.com blog. The book's primary focus is on the cybercrime coming from the post-Soviet states, especially related to spam. The main story line revolves around Pavel Vrublevsky and Igor Gusev, two partners in crime who, like in a classic gangster flick, become enemies and start an all out war of attrition - “Pharma Wars”. Bribing politicians, hiring FSB agents, hacking and leaking each other's databases anything goes in this personal fight. Along the way you will learn about the inner workings of the massive spam operations and the political, criminal, financial, and social forces that drive them. Read more.
exodus - vuln-dev - master class
A few weeks ago I had a great pleasure of studying at a week-long training taught by Exodus Intelligence. The Vulnerability Development - Master Class was taught by Aaron Portnoy, Zef Cekaj, and Peter Vreugdenhil. The class had an excellent presentation of two complementary yet unique subjects of vulnerability discovery and exploit development primarily under Windows environment. The instructors are truly masters of their field which was reflected in the great quality and depth of the material.
While it is still fresh in my mind, I would like to share with you some of the notes on the covered subjects, the recommended prerequisites, and tips on how to get the most out of this very intensive training. Read more.
isec open forum bay area
It feels like the infosec community in the Bay Area is just getting warmed up toward the end of the year with another quarterly iSec Open Forum. As a small and local security event, it usually hosts novel security topics from local security professionals that may not appear in more mainstream events. After getting to the talks area at the end of a long hall with folks from Dropbox zooming by on their skateboards and razorblades, I found an infosec crowd of about a hundred or so people ready to learn and connect.
Below are my notes from the event: Read more.
baythreat 4 - day two
After a great day of hanging out with old and new friends all while getting inspired to start breaking/researching anything ranging from 50 year old behemoths to Internet enabled light bulbs, I raced down peninsula to the epicenter of Bay Area's security community at Hacker Dojo. Baythreat Day Two has begun.
In a terrible miscalculation of a sleeping schedule I have regretfully missed several morning talks; however, below are the writeups of another series of excellent presentations from the breaker track for the remainder of the day. Read more.
baythreat 4 - day one
The year is almost over, but the infosec community in the Bay Area shows no signs of slowing down with the fourth annual BayThreat conference happening this Friday and Saturday. I always loved smaller hacker cons for their much more personable feel and few carefully selected talks that you can see without missing a dozen others. I love BayThreat not only because it is a local event, but also due to the overall quality of the talks and organization being on par with many of the larger cons.
BayThreat 4 marks the return to the Hacker Dojo, albeit at a different location, which in my opinion is even better than the original. Below are a few writeups on the talks from the breaker track that I had a chance to attend. Read more.
smarter password cracking with pack
Last week I gave a talk during the Password '13 security conference on various password analysis and pattern detection attacks using the Password Analysis and Cracking Kit. You can download slides for the presentation here.
The conference itself was an absolute blast with great organization by Per Thorsheim and Jeremi Gosney. The conference gathered a fascinating crowd which spawned hours of great discussions on password security, cryptography, politics and everything in between. However, I especially enjoyed meeting in real life with many members of Team Hashcat.
Team Hashcat had another great run at the CMIYC during Defcon where we placed 2nd. As always I ended up spending most of the conference in the hotel room or the chill room at Defcon, but that's part of the fun doing contests. Russia-based team Inside-Pro placed first by scoring more points on harder hashes, молодцы ребята!
Today, I have finally finished writing documentation for the many changes and adding the final polish to the next release of PACK 0.0.4. There should be noticeable performance bumps for all of the tools in the toolkit especially Rulegen which is now finally using multiple CPU cores. You should also try out the completely rewritten 'maskgen' which is now capable of generating highly optimized mask collections for use with Hashcat suite of tools (see presentation slides above for more details). Enjoy and most importantly have fun with password cracking! Read more.
crack me if you can
I had an opportunity to participate in the "Crack me if you can" password cracking competition during this year's Defcon. It was a fun and educational experience. Using a couple of video cards, decent processors as well as some research into password generation I was able to place 4th in the contest. In this post you can learn more about hardware, software and strategy used to crack about 25k passwords in two days. Read more.