Hacker Halted 2020


Due to Covid-19, the EC-Council have decided to make this year’s Hacker Halted conference an online affair and lowered the cost of basic entry to 0. The event is in its 14th year, and looking through past events it looks to be a classic collection of guest speakers covering a wide array of cyber security topics, from the technical sides of offensive and defensive cyber security to the “softer” topics of hacking people and getting more people interested in careers in cyber.

EC-Council make their money by selling training certs, so this event is likely going to be heavily aimed at getting people interested enough in cyber to buy one of their courses, but as long as the talks deliver some interesting knowledge before trying to sell anything I don’t see a problem with it.

If anyone wants to register, you still have a few days to visit their site: https://www.hackerhalted.com/registration/

Once registered, you should receive an e-mail with instructions on how to download the Hacker Halted app, which currently has details of confirmed speakers and various games which will start once the event goes live (although currently the games seem to simply involve watching and reading all the content from the conference), including an interesting version of Jeopardy which appears to award points for getting drunk while playing.

The agenda looks fairly busy, with enough talks to keep most people busy if they are also working full-time jobs and trying to view this in between meetings or after work. A lot of the scheduled slots are replays of previous talks, so if you needed to stream something live you may be able to fit it into your life. Or if you want to watch everything as it is released, you should be very comfortably able to get through everything with the length of breaks in between each event.


Interview with Burp Suite creator Dafydd Stuttard

Here’s an old video from 2015 showing an interview with the creator of Burp Suite answering a few questions about how it started and why he initially started developing the tool. Like a lot of security applications, it seems to have started its life as a hobby project which kept growing with new features until enough people found it useful for it to become mainstream.

Here are some useful timestamps:

6:30 – interview starts
13:10 – how burp got its name
29:30 – Burp spider
32:45 – Server side template engines
40:00 – pricing
45:00 – the wider security community
46:30 – Recommendations for vulnerable test applications

It’s interesting to note the difference in presentation between Dafydd, who most likely spends his days presenting security ideas to IT managers at corporate jobs, and the two podcast hosts, who seem to be trying to create some sort of cross between the stereotypical hoodied hacker and Joe Rogan. As the security industry matures I’m expecting we’ll come across more of the former.

Spotting mobile passcodes/patterns from a distance


A quick warning to anyone who has a very simple passcode on their phone: you never know when you’re being recorded on camera or being watched across the room. If entering your passcode doesn’t involve your hand moving around to different keys much, it’s likely very simple for someone to guess your code. Someone entering the code 123456789 will be obvious to spot by the hand movement, as will someone using a passcode with only 1 digit repeated.

As seen here with Lance Gooden unlocking his phone whilst being recorded. Even though we can’t see the mobile phone screen, it’s fairly obvious what the passcode is:


The same applies for unlock patterns which are a simple L or backwards L shape.

In Lance’s defence this could be a burner phone which only has a WhatsApp chat with the family, or he’s actually far smarter than he appears and has temporarily changed his code for the day if he knew he was going to be recorded, but it does highlight that if you are using a passcode/pattern as your only method of authentication to get into your phone you should try to use different characters as much as possible.
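A small checker for the two giveaways named above (one digit repeated, a straight run like 123456789) plus a general "hand barely moves" test. This is an added example, not part of the original post; the 3x4 keypad layout, the function names and the 0.8 threshold are assumptions.

```python
# Added example: flag passcodes whose entry is easy to read from hand movement.
# Assumes a standard 3x4 phone keypad; the 0.8 threshold is an illustrative choice.
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}


def key_steps(pin):
    """Distance in keys between consecutive presses (0 means the same key again)."""
    pos = [KEYPAD[d] for d in pin]
    return [max(abs(r1 - r2), abs(c1 - c2)) for (r1, c1), (r2, c2) in zip(pos, pos[1:])]


def movement_flags(pin):
    """Return the reasons a passcode is easy to spot from a distance (empty list if none)."""
    if len(pin) < 2 or any(d not in KEYPAD for d in pin):
        raise ValueError("passcode must be at least two digits, 0-9 only")
    flags = []
    if len(set(pin)) == 1:
        flags.append("single digit repeated")
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if diffs == {1} or diffs == {-1}:
        flags.append("sequential run")
    steps = key_steps(pin)
    near = sum(1 for s in steps if s <= 1)  # presses on the same or a neighbouring key
    if near / len(steps) >= 0.8:
        flags.append("hand barely moves between keys")
    return flags


if __name__ == "__main__":
    # Constructed sample passcodes, not taken from any real device.
    for pin in ("123456789", "111111", "2580", "739154"):
        print(pin, movement_flags(pin) or "no obvious movement pattern")
```
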

Jack Dorsey twitter simswap

This article from the BBC today https://www.bbc.co.uk/news/uk-england-norfolk-49513692 talks about how the CEO of Twitter, Jack Dorsey, was a victim of a SIM swap attack recently, where someone “tricked” a phone provider into transferring the phone number associated with Jack’s account onto a different SIM which they control.

“Trick” is in quotes as it could just as easily have been done by paying the phone company operator to turn a blind eye, and no tricks were needed. The attacker then proceeded to tweet some offensive and embarrassing things.

The interesting thing isn’t that a SIM swap happened (they seem to be at almost epidemic levels currently), but that Twitter doesn’t have some sort of extra controls for high level accounts which could minimise the damage caused by an account takeover.

Perhaps they could look at implementing some sort of account feature which signifies that you have a “corporate” or “professional” account and automatically blocks any tweets containing offensive or rude words, or restricts tweets to only come out during predefined business hours.

If the feature also had a mandatory 24-48 hour delay between turning it off/on, it would serve as a simple buffer to prevent a drunken disgruntled employee with access to a corporate account logging in at 2am and posting something offensive.

It would also have made it slightly harder for whoever took over Jack’s account to cause as much offence.
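A sketch of how the proposed setting could behave, with the word filter, business hours and the delayed off/on switch in one place. This is an added example, not part of the original post and not a real Twitter feature or API; the class name, method names, default hours and the 24-hour delay are all assumptions.

```python
from datetime import datetime, timedelta
import re


class ProfessionalMode:
    """Hypothetical "professional account" setting; not a real Twitter feature or API."""

    def __init__(self, blocked_words, open_hour=9, close_hour=17,
                 toggle_delay=timedelta(hours=24)):
        self.blocked_words = {w.lower() for w in blocked_words}
        self.open_hour, self.close_hour = open_hour, close_hour
        self.toggle_delay = toggle_delay
        self.enabled = True
        self.pending = None  # (new_state, effective_at) while a change is waiting

    def request_toggle(self, new_state, now):
        """Queue a change; it only takes effect after the mandatory delay."""
        self.pending = (new_state, now + self.toggle_delay)
        return self.pending[1]

    def cancel_toggle(self):
        """Lets the legitimate owner undo a change they did not make."""
        self.pending = None

    def is_enabled(self, now):
        if self.pending and now >= self.pending[1]:
            self.enabled, self.pending = self.pending[0], None
        return self.enabled

    def check_post(self, text, now):
        """Return (allowed, reason) for a post attempted at time `now`."""
        if not self.is_enabled(now):
            return True, "professional mode is off"
        if not self.open_hour <= now.hour < self.close_hour:
            return False, "outside business hours"
        if set(re.findall(r"[a-z0-9']+", text.lower())) & self.blocked_words:
            return False, "contains a blocked word"
        return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: someone with account access tries to switch the mode off at 2am.
    mode = ProfessionalMode(blocked_words={"rudeword"})
    t0 = datetime(2019, 9, 2, 2, 0)
    mode.request_toggle(False, t0)
    print(mode.check_post("rudeword everyone", t0 + timedelta(minutes=5)))
    print(mode.check_post("rudeword everyone", t0 + timedelta(hours=8)))
    print(mode.check_post("Quarterly results are out", t0 + timedelta(hours=8)))
```

The delay is what matters: the 2am request to switch the mode off changes nothing until a day later, which leaves time for `cancel_toggle` to be called by whoever notices the pending change.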


Untagging your tagged photos on Facebook, Instagram and Twitter

With the popularity of camera phones in recent years, it’s very likely that anything you do on a night out with friends gets documented by someone else in either a photo or a video. Whilst your drunken dancing might be funny at the time and entertain all your friends, it might not make you look like a good candidate for a job in the future (unless that job is a sloppy backup dancer).

If friends have uploaded the photos and tagged you in them, it makes an interviewer’s life much easier when they search for your name to see what comes up.

The social sites don’t always make it obvious how to remove your tag from something, so here’s a how-to guide for Facebook, Instagram and Twitter.

How to Untag yourself from a photo on Facebook

  1. Log into Facebook and visit your activity log (little triangle in the top right corner).
  2. Select “photos”, then browse the results and check any media you want to untag yourself from.
  3. Select “Report/Remove Tags”.
  4. Select “I want the photo untagged” and then “Untag photos”.

How to untag yourself from an Instagram photo

Untagging yourself in Instagram is slightly more hassle, as you need to be logged into the app on your phone or tablet; you cannot do it from their website.

  1. Open the app and go to your page by selecting the head and shoulders icon.
  2. Select the clipboard in the top right.
  3. This should bring up a page with all the photos you have been tagged in. Browse through them and tap on the one you would like to remove yourself from.
  4. Select the 3 dots near the bottom of the photo.
  5. Select “photo options” and then “Hide from profile”.

Note: This doesn’t remove the tag from the picture, but it does remove it from your profile so people will have a harder time searching for it.

How to remove a tagged photo from Twitter

Now that Twitter is about more than just 140 characters, you might find yourself tagged in a tweeted photo. Praise goes to the Twitter devs for making this one of the easiest sites to untag yourself from.

  1. Log into your Twitter account and navigate to the photo you are tagged in.
  2. Select the 3 dots at the bottom of the photo and select “Remove my tag from photo”.

Note: This doesn’t remove the photo, it just removes your tag, which makes it more difficult for people to find it associated with your account.