Tomorrow I fly out to Vegas for an extended run of training, conference attendance, networking, and speaking. I’ll get to all of that, but last things first: I am very happy to have been chosen to, for my third consecutive year, present at DEF CON on a fun and offense-oriented topic:



This year I’ll be speaking about the attack surface of attack tools. Specifically, small devices hidden by malicious attackers or shipped to a client by pentesters for the purpose of remote access and attack. I’ll discuss some of the problems with having a small embedded device that runs a pile of perhaps-not-completely-hardened tools, how to respond to such a device if one is located within your organization, and how such devices may be open to counter-attack. We’ll spend some time discussing the implications of a malicious attacker compromising a pentester’s implantable device, and then roll into a case study involving the most popular device of this type: Pwnie Express’ Pwn Plug. I’ll demonstrate some (very easy to follow) zero-days in the Pwn Plug, as well as discuss what one might want to do post-exploitation, along with how to acquire a nice forensic image of the device.

That talk will be on Saturday, August 3rd, at 2PM in Track 3 of DEF CON 21. I’ll be holding what I hope will be a nice informal Q&A afterwards (my past talks at DEF CON have had excellent Q&A sessions), so I hope to see some readers there.

Apart from that, I’m going to be in Vegas for a while. I am extremely excited to be taking Stephen Ridley and Stephen Lawler’s Advanced ARM Exploitation training for my first 4 whole days in Vegas. The Stephens are the operators of and by all accounts have put together a very good class. I’m excited about improving my skills, and if you follow me on twitter (@McGrewSecurity) I’m sure you’ll hear all about it.

I’ll be in attendance at both Blackhat and DEF CON, so be sure to track me down to have a word. My current beard-status is pretty close to my twitter avatar, so I should be easy to spot. Also, I’ll be the one floating a few inches off the ground, due to the fact that I’ve recently completed my Ph.D. dissertation (on the topic of SCADA HMI vulnerabilities, the topic of my talk last year), and have taken a position at Mississippi State as an assistant research professor. If you have interesting research ideas or just want to raise hell with a security geek with strong views, do get in touch and/or find me at either conference.


If you are unfamiliar with Daniel Suarez’ pair of brilliant novels, Daemon and its sequel Freedom(tm), you really need to stop right here and go read them. They’re fascinating books, and I think most folks in information security would enjoy reading them.

Possible mild spoiler alerts follow.

A major element of the two novels is a botnet, created with artificial intelligence and pathfinding elements developed by an MMO game developer, that, upon its creator’s death, begins to wreak havoc in order to effect a form of major societal change. While a botnet can autonomously do a lot electronically, such as build up funding via various forms of fraud, gather information from online systems, etc., it would be limited in what it can do in the “real world” (beyond what’s in the immediate reach of control systems).

To accomplish things outside of cyberspace, the botnet recruits human operators to do various tasks, using VoIP, surveillance systems to monitor progress, and the funds it is acquiring to reward/incentivize operators. By the second book this escalates to the point that “DarkNet” operators wearing glasses that project waypoints and objectives for them to accomplish perform tasks for “DarkNet credits”, an alternative currency built around the new society being built by the system.

In short: Human nodes in a botnet. You can treat a human like a remote procedure call: arguments are task description and money, return value is measured success or failure.

Obviously this is something that Google Glass was created for. I think so, and Google appears to agree:


I don’t think they read the same books I read, but hey, maybe they did.

Honestly, I was just having a laugh at what immediately came to mind when Glass was announced. While I’d be happy to develop a nice tactical objective/waypoint control system for multiple operators using Glass, I’m not (at the moment) keen on paying $1500 and a flight to New York for the privilege.

If anyone wants human botnet software and wants to fund it, let me know.


I went to download the Opera Mini web browser on my iPod Touch (quick review: nice, fast!) and it made me agree to the new iTunes/App Store terms of service.  Times like this make me glad I don’t have a credit card associated with the iTunes account at the moment:

I’d love to see some statistics on how far people make it before giving up.


I’ve been busy this week teaching part of the intro series of courses we have at the National Forensics Training Center, but I still wanted to post a quick update.  I figured I’d share a few interesting things I read this week, and talk a bit about some extracurricular activities going on in our lab tomorrow.

For a couple of weeks now, I’ve been using Instapaper to mark articles and sites to “Read Later”.  The benefit of Instapaper is that, with the integration and syncing between all the different computers I use and (crucially) my iPod Touch, I actually wind up reading things that I intend to read later, instead of them just getting bookmarked and forgotten.  While I’m on WiFi I can sync them all up to the iPod and read them anywhere, offline, where I don’t have the distractions of grabbing new emails and messages.

Some things I starred and enjoyed recently:

  • Should I Learn Assembly Language – HD Moore tackles the question of whether or not penetration testers need to learn assembly language.  Spoiler: The answer is, essentially: you can get away with not knowing it if you just use the shellcode in Metasploit, but it’s a must if you use public-sourced exploits or just want to understand how the shellcode works (which you should).
  • Network Time Protocol (NTP) Fun – Cool little writeup over at the carnal0wnage blog about a new module in Metasploit that performs some information gathering over NTP.
  • Clueless FUD Article… – In which Steve Manzuik points out that there is a lot more information sharing going on behind the scenes in infosec than you might be aware of (or at least more than the author of a specific DarkReading article is aware of).

Tomorrow afternoon, a group of guys (who have historically done well in past CTF events here at the university) and I will be acting as the red team for a cyber-defense exercise being hosted by the University of Alaska Fairbanks.  They have a nice VMware setup in Fairbanks that all of the teams will be remoting into, and we’re really looking forward to giving the participating universities a hard time.  If you happen to be one of the readers who is local enough to Mississippi State University to drop by for a visit, feel free to come by the forensics lab in Butler Hall tomorrow between 1:30 and 7:30 PM to see how things are going.


Well, if you had any feelings that the Electronik Tribulation Army had turned over a new leaf, after declaring themselves to be a whitehat group, disavowing the alleged crimes of their former leader, and opening up their forums for public registration, then it is probably safe to put those feelings to rest.  Old habits die hard.

Since their coming-out, the admin, Xon (pronounced, “Zon”), maintained a private area of the forums so that “trusted” ETA members could “still conduct our operations without everyone in the world seeing it.”  This is, by itself, not unusual.  Many forums have private sections for “elite” or paying members.

What is interesting, however, is that in their move today to new forum software, Xon (pronounced, “Exxon”) neglected to protect those normally private areas of their site, offering normal members a view behind-the-scenes.

Among old posts of pirated software and skiddie tools is a forum named “Blacklist Watch”, described as “This is where we actually watch people who we know, we hate and we want to watch out for and other stuff to”.  Apparently, I am the only person they know and hate (and want to “other stuff to”), as there is only one thread in that forum: “Robert Wesley McGrew”.

I have archived that post here, as it likely won’t last much longer on the original site.  Note that, due to idiosyncrasies of the new forum, after the first, top post, further posts are in reverse chronological order:

Some highlights to watch for, from the usual crew (XXxxImmortalxxXX, E.T.A. Fixer, Xon (pronounced, “Zone”), et. al.):

  • A flattering estimate of my age
  • Me somehow getting burned by Paul Schmehl on FD by being CC’d on an email he responded to
  • XXxxImmortalxxXX calling my wife a fat bitch
  • “Identity: SANS Wesley Mcgrew , Mississippi State University CIPC SCADASUMMIT”
  • Discussion of getting my high school transcripts so they can see how I totally aced a typing course that still involved IBM Selectric typewriters
  • This discussion:
    • E.T.A. Fixer: Nice thread, anyone have a black van?
    • Xon (pronounced “Ex Oh En”): No, but I have a white car…
    • E.T.A. Fixer: How big is the trunk?
    • Xon (pronounced “Zune”): Big enough…. trust me…
    • Backdoor.Armageddon: Hahaha i see where this is going now lmao….
  • Some other Crystal McGrew’s account!  Fascinating!
  • Apparently, all Mac OS X-using security geeks are homos.
  • The absence of anything that I didn’t willingly put on the Internet
  • The absence of a surprising amount of things that I did willingly put on the Internet

Edit: Xon argues that the timestamps are off from the move to a new forum software (that has been reverted). It’s easy to see, however, that a majority of these posts were made after their “transformation”, as there is information in there that applies to my new hosting, which I switched to on September 8th.


I am currently in the process of setting up a new host for .  This should be the last post on the old host.  I’m just throwing this on here so by the time I switch (probably later today) this will already be in folks’ RSS readers to explain any (hopefully minimal) downtime or weirdness.

The look and content is going to stay the same for now, so you won’t have to change feed URLs or links.

Some alternative contact info, in case mail starts bouncing or dropping, or if you just want to see how it’s going:

EDIT: Everything seems to be working fine!


If you took a look at the slides for Monday’s lecture (or were there in person), you might recall that the last slide of content contained quotes from the ETA’s current site on the Internet. The new leader, “Xon”, has disavowed the actions that led to the previous leader’s arrest, and is very firm in stating that the new ETA is “ethical” and no longer engages in illegal activities.

Registration on their forums has also opened up, and I was surprised that Xon made the goodwill gesture of activating the account I created the night before my lecture. Here’s a direct link to their forum section:

There are still posts on the forums that go back to just after Jesse “GhostExodus” McGraw’s arrest, before the ETA’s attempt to transform into a white-hat organization, so there is some pretty interesting reading there.  Registering an account and having it approved by an admin is required to gain access to the forums; however, the process seems to go pretty fast.

Is the Electronik Tribulation Army really a white-hat group now?  While Xon may feel strongly about the transformation, he may find it difficult to bring the members in line for it.  With members like “E.T.A FIXER” (aka DarthAnonymous, TrashBagTeddy, etc.) that continued to troll the comments sections of this site, and scroll insults (and creative ASCII art) in this site’s IRC channel long after the arrest, other ETA members may find it difficult to convince others that they have truly abandoned their blackhat ways.

This is also the first time someone’s made a “motivational” poster about me.  Touching! :

(Credit goes to Fixer.  I did crop the image a bit.  You can find the original in a couple of threads on the ETA forums)


This is really all you need to know from Dan Kaminsky’s talk, “Something About Network Security”.  We got first dibs on it at Black Hat USA 2009:

“If only we could find a big enough Care Bear, we could totally ride this pony.”

I’ll have some slightly more useful Black Hat and Defcon posts once it’s over and I can get my notes straight.


Poking around on various “hacker” forums, this sort of thing is a common sight:

If I had the stamina and will to maintain a “skiddie clown quote of the day” for any length of time, this would be a prime candidate.  Especially this part:

im sick of being hacked ive done nothing wrong expect steal about 200 passes

Looking at posts like this got me thinking about this scene’s combination of wanting to learn about “hacking”, inexperience, and the desire to do something immediately “fun” (important point: they want to jump straight to 0wnage, with a minimum of time spent studying how).  It reminded me of a phenomenon I was seeing on forums like this a while back, where members were becoming aware of the CSIS and SANS US Cyber Challenge competitions:

These challenges are geared towards high school students and undergraduates, and they give them an interesting and competitive outlet for exercising skills that might otherwise be used for more script-kiddie-like endeavors.  In addition, it helps give them motivation to learn new skills, motivation that’s missing when you have an entire Internet’s worth of computers out there with vulnerabilities you already know how to exploit.  In a recent interview with Forbes, the director of SANS, Alan Paller, stated the logic behind this kind of competition well:

“Offense must inform defense,” he says. “We’d like it to be just training defenders, but if they don’t know how attacks are performed, they’ll be incompetent.”

It might work, too.  If the structure of this training (which is still in its infancy) is good, and it’s interesting and challenging enough, then it could be possible to leverage script-kiddie-level skills into something useful.

This might be what some of the people on these forums are looking for.  I’ve already witnessed an entire “hacking group” that normally occupies themselves with web defacement split into teams and sign up for the DC3 forensics challenge.  On another site, I noticed that GhostExodus, before he was arrested, had signed up for the DC3 challenge as well, as had XXxxImmortalxxXX (the guy who bragged to me about GhostExodus’ hacks).

Maybe in the near future, activities like the US Cyber Challenge will get people like this on a productive path before they wind up getting into trouble.


I meant to post this a little more than a week ago, but all the GhostExodus stuff sort of bumped this until now.  If you’re new to the site because of all the recent action, here are the posts that led up to this one:

Core Security are still visiting the site on a daily basis, which is pretty cool.  It looks like they occasionally verify that I’m still ranked higher on google than them for searches for their own party, but they seemed interested in the GhostExodus stuff too.

As a token of appreciation for pointing out their rude and unnecessarily elitist invitation processes, Kimberly Legelis, Core Security’s VP of marketing, sent me a Core Security t-shirt and a Core Security USB sparkly lamp thing:

It was accompanied by a nice handwritten note from Kimberly.  I’m looking forward to dropping by their booth at Black Hat to meet her and the others in-person.

This probably won’t keep me from poking fun at Core Security every once in a while here (especially now that I have them reading this site on a regular basis), but I will feel slightly guilty about it now.  I’ll get over it :) .

© 2012 McGrew Security. Suffusion theme by Sayontan Sinha.