Archive for the ‘Investigation’ Category


New Website

Posted by: Matt

In the past I have been blogging over at Binary Intelligence, a joint blog shared with co-worker Jim O’Gorman. Both Jim and I have been busy with work and other projects and have somewhat outgrown the site. I wanted a place where it would be easier to post content that included videos, custom scripts and code, and other downloadable items that didn’t work out so well on a site hosted by Blogger.

I’ve imported most of the content from Binary Intelligence over to here, but because of the way the import works every post lists me as the author. Keep in mind that anything written prior to this post (May 23rd) may have been written by Jim. Binary Intelligence will most likely be dormant, but may see a post every now and then.

Hopefully this new format works out as well as I would like it to.

Social Engineer Interview Podcast

Posted by: Matt

I mentioned a few posts back that I’ve been helping contribute content over at Social-Engineer.org. Today they released their first podcast and I was lucky enough to be the interview guest. The podcast builds on this post I did a while back about interviewing techniques.

I think the podcast presents some useful information. Even though the topic is interrogation, pieces of the conversation should be useful in everyday interaction.

Give it a listen and let me know what you think. If you use RSS and don’t want to come back here to leave comments, hit me up on Twitter @_remnant_.

Thanks to everyone over at Social-Engineer.org for making a great site and some fun times.

Twinkle – The Future of Online Enticement?

Posted by: Matt

I have recently started using an iPhone for a variety of different functions related to my work. All in all, I have to say it is not my favorite phone, but it is serving a purpose in allowing me to become familiar with a variety of different options that this mainstream device offers. In working with the device and looking for a new Twitter client, I came across an application named Twinkle. I wanted to share with the community some of my observations from using the application.

Twinkle is a social networking application created by Tapulous for the iPhone or iPod Touch. It is similar to Twitter, with a few key differences. When a user first installs and runs Twinkle, the application requests an e-mail address to generate a Tapulous account. The e-mail address is utilized to confirm the account and a profile is created.

From this point on, the profile is accessed and managed on the iPhone with no password required. This process makes it extremely easy to start up and use the application. The ease of use combined with the large number of iPhone owners creates a sizable potential user base.

Users also have the option of associating the application with a Twitter account. If this step is not conducted, the profile and all generated content lives only within the Twinkle network and is only accessible through the iPhone or iPod Touch.

The key feature of Twinkle, and main difference from Twitter, is its location awareness. Within Twitter, users have to “follow” other users to see what they have posted to the network. Twinkle on the other hand, has the ability to build a dynamic network based on the proximity to other users. Users are able to quickly pull up all posts from other users within a defined proximity from their current location (default is 50 miles). The user’s location is automatically identified by Twinkle.

In most circumstances, this is a powerful feature. This allows users to quickly identify others in their local area and discuss popular events, places to eat, weather, traffic problems, and so on. If desired, users have the ability to define friends in the same manner as Twitter. Private messages are supported as well as attaching images to both public and private posts.

I find great utility in this application as it gives users a way to find out what is going on in their area from a “word on the street” level without relying on other news sources. When traveling, it is a great way to get a feel for the local area.

However, there is a huge potential for abuse that could occur on the network. For instance, below is the content that was displayed today when launching the application. This was the default list of recent posts from users close by.


If you look closer at the posts from one of the profiles on the list we find:

This sort of behavior, while regrettable, is almost expected of any service such as this.

One of the surprising aspects of this is some of the actions of the female profiles. For instance, here is a public profile from a young female within my local area:



Notice the repetitive requests for direct communication of “let’s talk!” This is interesting from the perspective that this is a young female that is actively soliciting private communications. It’s possible that this isn’t a legitimate account and is someone posing as a female just to attract conversation (not law enforcement related activity). You can tell by the picture icon on some of those posts that pictures are attached to them. An example of the pictures which are posted:


At this point it’s impossible to tell if this is a valid account with activity by a young female or someone else utilizing pictures of a young female to add “legitimacy” to the posts.

Within the application, you can also view a list of a user’s friends. This female profile had a number of friends with one that stood out due to the graphic nature of the posts.



This was the only picture in this male’s profile that was safe to post. The other images were entirely too graphic. It is interesting that this account was tied to the previously mentioned female profile as a friend since they are not in the same geographic area. It is unknown as to the intentions of these users, but it could be said that much of the activity is inappropriate.

When I first came across Twinkle, I noticed some of this content and initially dismissed it. However, after some weeks of using the application I have found this sort of content to be very common in my local area (and this may not be representative of other areas).

I do want to state that I am not trying to discredit Tapulous, the publisher of Twinkle. I appreciate that they are trying to publish a quality iPhone app for free. The negative aspects that I described come at the fault of the users, not of the software publisher. From reading the Tapulous support forums, it appears as if the publisher takes abuse seriously, and removes accounts that engage in inappropriate behavior.

I wrote this post simply to bring attention to Twinkle and the potential for its use in online enticement. This application is uniquely positioned for this purpose due to the reckless behavior by the user base, the fact that users are able to identify the proximity of other profiles, the relative anonymity of accounts (sign up under a false e-mail address), and the lack of attention paid to the content of the network.

The Twinkle network is widely unknown and I hope that this post will provide a resource to anyone involved in enticement investigations. By making parents and law enforcement aware of the negative possibilities, it is hoped that they can help educate their children and stop potential offenders before anything bad can occur.

Update:

I wrote this post over the weekend to post here on Monday. Sunday night, I took another look at what was happening in my local area, when I saw this:

Here we have a user from my local geographic area soliciting 13 to 14 year old girls.

This one screen shot makes my case.

Judge Orders Defendant to Give Up Password

Posted by: Matt

Matt sent me the link to this story today. This is a situation I have been following for a while:

A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age.

In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted.

Boucher’s attorney, Jim Budreau, already has filed an appeal to the Second Circuit. That makes it likely to turn into a precedent-setting case that creates new ground rules for electronic privacy, especially since Homeland Security claims the right to seize laptops at the border for an indefinite period. Budreau was out of the office on Thursday and could not immediately be reached for comment.

I would be interested in hearing the community’s opinion on this matter.

Personally, I think this is wrong. While it sucks that people would use technology in such a manner, the effect of such a ruling would be extremely negative. With the DHS making claims such as:

A pair of DHS policies from last month say that customs agents can routinely–as a matter of course–seize, make copies of, and “analyze the information transported by any individual attempting to enter, re-enter, depart, pass through, or reside in the United States.” (See policy No. 1 and No. 2.)

DHS claims the border search of electronic information is useful to detect terrorists, drug smugglers, and people violating “copyright or trademark laws.”

And you join that with the authority to force users to give up passwords... Well, let’s just say I will not travel with client data on my system, even in an encrypted format. The argument of “If you have nothing to hide, you won’t mind us looking” is invalid as well, as data is entrusted to me and I have an obligation to not share it.

And beyond that, anyone that is savvy enough to use encryption is also going to know to just keep their data in the cloud, encrypted, and access it when they reach their destination. Oh, use a product like Truecrypt, and place the encrypted container in your windows/system32 directory under the name of “explorer.dll”.

These sorts of moves do nothing other than hurt legitimate use of technology while doing nothing to reduce the risk they are targeted to.

Thoughts on this matter are welcome.

Data Theft Common By Departing Employees

Posted by: Matt

Many people who are either laid-off from their job or simply moving to another opportunity often secretly take proprietary data from their employer on their way out the door, a study released this week found.

Nearly 60 percent of employees who quit a job or are asked to leave are stealing company data, according to a report by the Ponemon Institute, a Tucson-based research group. The survey was based on interviews with 945 adults who were laid off, fired or changed jobs in the last year.

Seventy-nine percent of those who admitted to taking data said they did so despite knowing that their former employer did not permit them to take internal company information.

WashingtonPost.com

Law Enforcement using Headcam Recordings

Posted by: Matt

Gone are the days of spending two hours writing a police statement.

In Derbyshire, officers are swapping their notebooks and pens for a small memory card, so that hours of film can be gathered as evidence on something as small as a fingerprint.

It is the latest way to get the best out of technology that’s already been tried and tested.

Headcams have been worn by police officers in other parts of the country for quite a while, but here in Derby city centre they’re being used alongside a new computer system which means officers can store and retrieve the footage quickly and easily.

In the time it takes to burn the evidence onto a DVD, an officer could be back out onto the street.

From BBC News.

Police Searching of Handhelds OK?

Posted by: Matt

Police Blotter: Courts split over police searches of handhelds

On June 6, 2008, Florida Highway Patrol Trooper John Wilcox was running a speed trap in Collier County in an area known as “Alligator Alley.” His radar gun said a car was traveling over 90 mph, and Wilcox pulled the driver over.

Wilcox said he smelled raw marijuana from inside the car, asked the driver to step outside, and called for backup. The driver, Ariel Quintana, was arrested for driving with a suspended license. (He had failed to pay a traffic fine.) A search of the car yielded possible traces of marijuana in the sole of a shoe but nothing else.

When Quintana was in custody, his cell phone rang, and Trooper Yoenis Garcia removed the phone from the suspect’s pocket without permission and dialed the most recent number. Quintana’s wife Amy answered the phone.

Garcia then began to peruse the contents of the phone, including a digital photo album, hoping to find marijuana-related evidence. He found a photo of marijuana plants in what appeared to be a “grow house,” plus what court documents delicately describe as “intimate” photos of Quintana’s wife.

Prank 911 Calls Send SWAT Teams to Unsuspecting Homes

Posted by: Matt

From the link:

Doug Bates and his wife, Stacey, were in bed around 10 p.m., their 2-year-old daughters asleep in a nearby room. Suddenly they were shaken awake by the wail of police sirens and the rumble of a helicopter above their suburban Southern California home. A criminal must be on the loose, they thought.

Doug Bates got up to lock the doors and grabbed a knife. A beam from a flashlight hit him. He peeked into the backyard. A swarm of police, assault rifles drawn, ordered him out of the house. Bates emerged, frightened and with the knife in his hand, as his wife frantically dialed 911. They were handcuffed and ordered to the ground while officers stormed the house.

The scene of mayhem and carnage the officers expected was nowhere to be found. Neither the Bateses nor the officers knew that they were pawns in a dangerous game being played 1,200 miles away by a teenager bent on terrifying a random family of strangers.

They were victims of a new kind of telephone fraud that exploits a weakness in the way the 911 system handles calls from Internet-based phone services. The attacks — called “swatting” because armed police SWAT teams usually respond — are virtually unstoppable, and an Associated Press investigation found that budget-strapped 911 centers are essentially defenseless without an overhaul of their computer systems.

Mayor takes on cyberstalkers – how far will it go?

Posted by: Matt

This story leaves a lot of questions unanswered. I am certainly curious how all of these terms are going to be defined. If a male employee gets fired and harasses his male ex-boss online, does the employee have to register as a sex offender when sex was never a motivating factor?

New Mexico is taking another look at cyberstalking with legislation that could mean serious prison time for those who use the Internet to harass someone.

Albuquerque Mayor Martin Chavez and two state lawmakers are proposing a new state law that would bump up cyberstalking to a felony and would force cyberstalkers to register as sex offenders.

Successful Interview Tips

Posted by: Matt

Hogfly recently posted a typical scenario and gave a few interview tips. It really got me thinking about how important interviewing can be to our job. Whenever we receive an engagement, the first thing we start with is information gathering. After all, you can’t do your job if you’re not even sure what it is.

Depending on the type of work and situation you find yourself in, one potential roadblock I often see is that the people you need to get information from might feel their job is at stake. If the main source of info is a sysadmin that feels he will be held responsible for a data breach, he is likely to be in damage control mode and not as forthcoming. An effort will probably be made to mitigate responsibility surrounding the steps he took before or after the incident.

So how do you get all the information you need? First let’s talk about some training.

In my previous life I conducted criminal interviews for several years and went to numerous interview and interrogation classes. The methods varied from reading body language clusters to written statement analysis. I found every class very interesting, but didn’t incorporate some of the methods into my interviews. I found that I could read major body language indicators, but I wasn’t very good at catching the “clustering”. If a blink, finger tap on the table, shift in the seat, turn head to the left meant one thing, but a blink, finger tap on the table, shift in the seat, turn head to the right meant another thing, I just wasn’t going to catch it.

The two classes I got the most out of were the WZ Method of Interview and Interrogation and SCAN (Statement Analysis). I found that I was much more suited to picking up the different nuances of spoken word indicators and could use those to my advantage. However, if you like body language, check out Stan Walters’ Kinesic class. The Reid Method of Interview and Interrogation has been around for years and is quite good as well.

A couple of books worth taking a look at are You Can Read Anyone and No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. I think social engineering is really a skill most people should learn. One of the hardest things for me to pick up and start doing was lying, but you can make friends quickly if you present yourself in a certain way – even if it isn’t true.

There’s another good source of information, and I’m somewhat embarrassed to admit this in an open forum, but I am a closet fan of some of the “how to pick up women” websites that are out there. I’m married so I don’t care about the end goal these sites have, it’s just that every now and then there is a great tidbit that can be applied to interviewing, sales or general conversation. More on one of these tips later.

Ok, so now you know a little bit about the training. Let’s go use it.

In all of the criminal interviews I have done, I found that your reaction can make a world of difference. The minute a subject feels like they are being judged or scrutinized they will either stop talking or completely change the subject or story. So first, get yourself in the right state of mind. Make sure you are ready for the interview and whatever might be said during it.

After you’re prepared, how do you actually start the interview? I think this can be situational, but a great thing to consider is one of the “pick up artist” concepts of frame control. You need to set the frame of the conversation and not let the interviewee control it. A quick and easy example is to start a conversation by saying something like, “I’ve always enjoyed working with everyone here at the bank. They’re always so nice and helpful.” You’ve set the frame with the bank employee that they should also be nice and helpful so as not to ruin your opinion of the other bank employees. I find this to be a very interesting concept.

You can also see how it’s applied with the WZ Method of Interview. Part of this method is to start by saying something like, “Hi, I’m really interested in getting to know what you do here and the steps you’ve taken, but first let me start by introducing myself and let you know a little bit about me.” During your introduction you basically let them know about your qualifications and what you are able to accomplish. You are framing yourself as the expert and they should treat you as such. The theory is that if you do this right, they feel that they’re not in a position to put up much resistance. For instance, if they ran a virus scan they might as well tell you now, because you’re going to find out later anyway.

Now ask the other person to introduce themselves. When I was doing a suspect interview, I always let them tell me the complete story first and then go back through and asked very detailed questions. I often found that the subject’s sticking points either included way too many details compared to the other parts of the story or vice versa.

Once you’ve started and are getting through some basic questions, I think Hogfly’s tips bear repeating:

1) Never accuse.
2) Keep your cool. Emotions play a larger role in system compromises than people believe.
3) Be aware of your body language. You must always be aware that your face, posture and hand play, are a huge role in gaining the trust of the interviewee.
4) Ask leading questions.
5) Listen. You can’t learn anything if you’re talking.
6) Be nice.
7) Get them talking and keep them talking until you have enough information to proceed appropriately.

Listening is key. I comically found that if you are given a short answer to a question that requires more detail, a silent blank stare will often indicate to the subject that their answer wasn’t good enough. If there is more than a few seconds of silence, I would ask another question. Silence isn’t necessarily a bad thing, but you do want to keep the conversation flowing.

Let’s list some more bullet points:

- Get yourself prepared and in the right state of mind

- Have a plan ahead of time

- Introduce yourself and your qualifications, set your own frame

- Be nice, courteous, nonjudgmental, and mostly un-reactive to bombshell statements

- Get as many details as you can

- Make them your friend and ally so they will help you later

- End the interview on good terms, you never know when you will have to talk to them again

Hopefully some of this information is helpful. Anyone have any other tips or experiences to share?