BSidesLV, Charity, and a change of heart.

Read it all, heathen! A teaser list of the stuff in the charity box is included below.

As most reading this blog know, next week is the annual pilgrimage to Las Vegas to attend the ‘meta-con’: a mix of BSidesLV, BlackHat Briefings USA, DEFCON, and a number of other smaller sub-conferences, meet-ups, gatherings, and the ever-present ‘hallway-con’. It is a week of chaos. Incredible opportunity always clashes with regret, wishing you had checked out a talk, or met up with long-time friends, or run into new people you only know virtually. My first DEFCON was #2, twenty years ago, and it seems like both yesterday and a lifetime ago. I won’t go into a long analysis of how it has changed; just know it has changed drastically. I’m not saying for the better or worse either, because it is both.

Next week I am putting up an infamous attrition.org box-of-shit for charity at BSidesLV. I have done charity boxes at BSidesDEN in 2012 and 2014 that raised around $480 for the supported charities (usually EFF and/or HFC). Those were in addition to other charity auctions via eBay to support the Open Security Foundation, EFF, and the Concoctory.

You may notice a trend here. The last few years, I have made a big change to help support charities/NFP a lot more than I did before, including volunteering time as I can. Next week I will be working the registration desk at BSidesLV, and working as a volunteer for the Skytalks at DEFCON. Unrelated to security, I donate a fair amount of money and/or time to animal-related charities around the Denver area. I support a variety of humanitarian efforts to support research to cure ailments, fight hunger, and more.

Now, I want to do more, and I want more security professionals to do the same. As an industry, we make a ridiculous amount of money providing security services. As an industry, we fail miserably at doing so. Sure, we have our individual wins here and there chasing contracts. But as a whole? Digital security is at an all-time low. There is more computer crime, more breaches, published vulnerabilities are not dropping despite incentives not to disclose (if you even quote CVE and a ‘drop’ to me, get out of my industry), and a more fundamental lack of trust in anything related to computers. If we’re making stupid money providing inferior services while toeing a favorable line, we need to look inward and re-examine our lives. It simply isn’t ethical to reap the rewards on the back of false promises. As an industry, we need to strive to do better (and we have proven we can’t), or start to give back to more worthwhile efforts.

I encourage you to consider this seriously. Look at how you can give back to the community in more ways than you are currently doing. Figure out more causes that could benefit from your time or financial support. Break away from the corporate high-dollar conferences run by non-security companies and support the home-grown community-driven conferences. Keep that in mind and bid generously on my two auctions.



Next week at BSidesLV, on Tuesday and Wednesday, you can participate in the silent charity auction and bid on this box-of-shit. Unlike previous boxes, I have worked to ensure this one is different, more interesting, and more valuable (which is subjective, I know). First, it has a limited edition attrition.org DEFCON 22 badge in the box. Only five were made this year! One is up for auction by itself right now, and it sets the stage for the box. Next, there is a hand-knit Lazlo hat made by J. Renee Worsing that comes with care instructions. Not only was the badge made by Make It Urz, there is also an engraved Lazlo lapel pin in the box.

If you win this box, you are fully encouraged to embrace that badge. Walk around all of the conferences telling wild tales of your work with attrition.org. Spin stories about the other staff members, what you have endured, what para-military ops you have done on our behalf. This badge gives you creative license to social engineer anyone and everyone you meet. Flash that badge and you have a 0.3% chance of walking into any other party. Flash that badge at the 303 party and I will personally escort you in, even if the party isn’t open to the masses yet. Find me in a random bar, I will buy you a drink or three. ALL WEEK.

That is the tip of the iceberg! In addition to those fine items, the following is contained in the box. And yes, my wording is carefully chosen to keep you guessing, while being entirely accurate at the same time.

  • Collectible currency from 8 different countries.
  • A military challenge coin.
  • Certified piece of history circa 1989.
  • Original ‘FREE KEVIN’ bumper sticker.
  • Attrition.org bracelets.
  • A gift card. For a store, some amount more than a dollar.
  • DEFCON 21 speaker badge.
  • Lockpicks.
  • A “pocket full of fun”. Make of that what you will.
  • Cold, hard cash.
  • Stickers, items from a jail, and “sparkle power”.

All of that is in addition to the usual box-of-shit stuff that is more questionable in value. This box was designed for fun, for you to enjoy as you open it up and dig through the contents. Nikita contributed a lot of the material found in this box, so you should buy her a booze next week. Not so much for the box, more for the amount of time, effort, and anguish she puts into making DEFCON happen. It isn’t entirely the ‘Jeff show’.

Remember that your money is going to worthwhile charities that help other people. None of this money goes to me. It will go to a fund that is divided up to support EFF, HFC, and Securing Change.


Samsung Galaxy Phones Factory Reset Persistent Local Information Disclosure

A couple years back, I handed my Samsung Galaxy S1 down to a friend. When she got it she browsed the file system out of curiosity and noticed that it had retained private information; both from applications, as well as content I generated (e.g. pictures). While she promised to do a write-up of all the information left behind, she never did (flake!). This is obviously a problem for those who reset their phone thinking it is truly wiped clean, and then hand it off to a friend, sell it, or trade it in for credit.

The other day, a relative and I both upgraded our phones: he went from a Galaxy S2 to an S5, and I from a Galaxy S3 to an S5. So I figured, why not check both to see if they did the same? Cliff’s Notes version: the Samsung Galaxy S2 (model SGH-T989) ‘factory reset’ leaves a lot of personal information behind, while the Samsung Galaxy S3 (model SGH-T999) does not. The S2 reset certainly does not delete your content.

Here is what I found left behind on the Galaxy S2. Directories for installed applications that were not deleted, or not deleted entirely:
\CamScanner
\foursquare
\gameloft
\Intsig
\Lazylist
\telenav
\data\flixster
\convertpad

files:
\telenav70\sdlogs\4\22\2014042208.txt
\telenav70\sdlogs\5\23\2014052320.txt
\Photo Editor\2014-03-30 19.11.22.jpg
(personal picture)
\lookout\log.txt
\Intsig\CamScanner\.log\log-2013-12-25_21-59-09.log
\DCIM\Camera
(55 personal pictures)
\contactBackup\contacts.csv
\contactBackup\contacts.pdf
(both contain full list of contacts: name and phone #. this is from an app that backed up contact info)
\Android\data\com.zynga.words\cache\FBImages
(three images, FB avatar pics of players)
\Android\data\com.facebook.katana\cache\.facebook_-372648771.jpg
(private image from FB)
\tmp_fsquare.jpg
\tmp_fsq
(a PNG thumbnail of avatar selected for the app)
tmp_fsquare

The Galaxy S3 (model SGH-T999) that I used pretty heavily was much better after factory reset. I found the following left behind:

\Phone\Application\SMemo
(didn’t use this app despite installing it. The files suggest private info may be available after reset)

All pictures, contact info, and information from applications are gone. So somewhere between the Galaxy S1 and the Galaxy S3, Samsung finally figured out the ‘Factory Wipe’.
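The manual browsing described above can be turned into a repeatable check before a reset phone is handed on. The script below is an added example written for this page, not code from the original post: it walks a copy of the phone's storage (for example a directory produced by `adb pull /sdcard ./after-reset`, or a mounted SD card) and flags files that look like user content or per-app data. The path patterns come from the S2 leftovers listed above, written with forward slashes since Android storage is a Linux filesystem; the category names, the sample tree, and the stand-in file names under `DCIM/Camera` and `FBImages` are constructed for illustration and not taken from the post.

```python
"""Post-reset residue check: scan a copy of a 'factory reset' phone's storage
and report files that look like user content or leftover app data.

Added example for this page, not the post's own code. Patterns mirror the
Galaxy S2 leftovers the post lists; categories and fixture are constructed.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Top-level directories whose files are user-generated by definition.
USER_CONTENT_DIRS = {"DCIM", "Photo Editor", "contactBackup"}
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".3gp"}
CONTACT_RE = re.compile(r"contact", re.IGNORECASE)


def classify(rel: str) -> Optional[str]:
    """Map a root-relative path to a residue category, or None if it looks
    harmless. Checks run from most to least specific; a name containing
    'log' is a deliberately broad (false-positive-prone) triage rule."""
    p = Path(rel)
    parts = p.parts
    lowered = [s.lower() for s in parts]
    name = lowered[-1]
    if CONTACT_RE.search(name):
        return "contacts"           # contacts.csv / contacts.pdf style backups
    if parts[0] in USER_CONTENT_DIRS:
        return "user-content"       # camera roll, edited photos
    if parts[:2] == ("Android", "data"):
        # Per-app private storage; 'cache' subtrees held avatars and a private image.
        return "app-cache" if "cache" in lowered else "app-data"
    if any("log" in s for s in lowered):
        return "app-log"            # telenav sdlogs, lookout/log.txt, CamScanner .log
    if p.suffix.lower() in MEDIA_EXT:
        return "media"
    if name.startswith("tmp_"):
        return "temp-file"          # extension-less thumbnails such as tmp_fsq
    return None


def scan(root: str) -> List[Tuple[str, str]]:
    """Return (relative path, category) for every file under root that classify() flags."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root).replace(os.sep, "/")
            cat = classify(rel)
            if cat:
                findings.append((rel, cat))
    return sorted(findings)


def leftover_dirs(root: str) -> List[str]:
    """Top-level directories present after the reset. Compare against a
    never-used device of the same model; app names like 'foursquare' or
    'telenav70' should not be there on a clean one."""
    return sorted(d for d in os.listdir(root) if os.path.isdir(os.path.join(root, d)))


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per category."""
    counts: Dict[str, int] = {}
    for _, cat in findings:
        counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed fixture mirroring the S2 leftovers in the post. The two DCIM
# file names and the avatar name are invented stand-ins; contents are dummies.
SAMPLE_FILES = [
    "telenav70/sdlogs/4/22/2014042208.txt",
    "telenav70/sdlogs/5/23/2014052320.txt",
    "Photo Editor/2014-03-30 19.11.22.jpg",
    "lookout/log.txt",
    "Intsig/CamScanner/.log/log-2013-12-25_21-59-09.log",
    "DCIM/Camera/IMG_0001.jpg",
    "DCIM/Camera/IMG_0002.jpg",
    "contactBackup/contacts.csv",
    "contactBackup/contacts.pdf",
    "Android/data/com.zynga.words/cache/FBImages/avatar1.jpg",
    "Android/data/com.facebook.katana/cache/.facebook_-372648771.jpg",
    "tmp_fsquare.jpg",
    "tmp_fsq",
]
SAMPLE_EMPTY_DIRS = ["CamScanner", "foursquare", "gameloft", "Lazylist", "convertpad", "data/flixster"]


def build_sample_tree(root: str) -> None:
    """Create the constructed fixture under root."""
    for d in SAMPLE_EMPTY_DIRS:
        os.makedirs(os.path.join(root, *d.split("/")), exist_ok=True)
    for rel in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("dummy content\n")


def demo():
    """Build the fixture in a temp dir and scan it; returns (findings, dirs, counts)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan(root)
        return findings, leftover_dirs(root), summarize(findings)


if __name__ == "__main__":
    found, dirs, counts = demo()
    for rel, cat in found:
        print(f"{cat:12s} {rel}")
    print("leftover top-level dirs:", ", ".join(dirs))
    print("summary:", counts)
```

Run it against `./after-reset` instead of the fixture by calling `scan()` and `leftover_dirs()` on that path. Anything in `contacts` or `user-content` is a hard stop before the phone leaves your hands; `app-log` and `app-cache` hits deserve a look because, as the S2 showed, they carry GPS traces and images pulled from social accounts. Note that a `factory reset` only affects the partitions the vendor chose to wipe, so an external SD card should be checked (or removed) separately.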
