Amazonian Trojans and Marketing Fear-Mongering

Hello there, welcome back to our scheduled programming on how to drum up clicks and views on your website “Powered by Fear Uncertainty and Doubt”.

As most marketing organizations know, sometimes you need to be a little creative when coming up with news and research. You draw a target for your security researchers to hit, and hope they come back with meaningful data that’ll make it to the next news cycle. And sometimes it actually works.

This time it didn’t. Recently, when reviewing my Twitter/Facebook feeds, I ran across “news” stating that Amazon (OMG – our trusted Amazon) is selling rooted Android tablets preinstalled with Trojans. Most of the public probably goes: “Hide your Nexus and shoot your Kindles!” in response. How dare Amazon sell us trojaned tablets?

But worry not. Only after actually reading the details of the article (and the original research report) will you understand that:

  1. Amazon has nothing to do with this. Just like you and I can set up shop on Amazon and start selling backdoored laptops, Amazon wouldn’t have anything to do with said backdoored laptops.
  2. It’s not about your usual tablet. So you can pull back your Nexus, brush up your Kindle, and keep using your Asus/Samsung/LG/[brand] Android tablet.
  3. It’s not even really an Android issue. One could have jailbroken an iPad, installed a backdoor/trojan on it, and sold it online. The Android part relates more to the price point and the ability to sell really cheap tablets.
  4. I dare you to recognize any of the “brands” of tablets sold with these trojans. Funny, the top “brand” is actually, wait for it, “NO BRAND”. I kid you not.


So after sorting out the FUD, we are left with not much of a scare. Suspiciously cheap tablets, marketed mostly as “no brand” (or under other brands which at least I’ve never heard of), are filled with questionable software. Kind of reminds me of even “big name” manufacturers who load their phones/tablets/laptops with assorted unwanted software (officially dubbed “bloatware”). Wow. How did this not make headline news across the nation?

Bottom line – it’s pretty sad that we end up running research on the fringe areas of consumer devices and shopping behaviors. Yes, there’s technical merit in analyzing a Chinese backdoor, but marketing it as “OMGWTFBBQ!” by sprinkling Amazon and Android into the headline is pure marketing alchemy. Let’s get back to two things:

  1. Educating people that when the deal seems too good, it probably is.
  2. Focusing our research efforts on more meaningful things. Yes, this also applies to stunt hacking, or junk hacking of sorts. There’s a lot of brainpower that could be diverted to solving problems that we have been dealing with for ages, yet would probably yield less media buzz.

Debunking the “8200”, “81” and other #### ex-Israeli Army Intelligence myth

I’m a known and pretty vocal advocate of self-learning, self-starting, and an inquisitive entrepreneurial spirit. As such, I’ve witnessed over my years in the security industry a lot of occasions where the halo or myth surrounding some so-called “elite” units in Israeli Army Intelligence has blinded people.
Such blindness comes from a very small percentage of people who capitalized on what used to be highly selective knowledge and experience in a narrow field of practice. But that was almost 20 years ago. Companies like Check Point, Nice, and Amdocs were all started by alumni of such intelligence units, who basically applied their specific experience from the army signals intelligence units to building firewall systems, telecom, and spy/monitoring technologies.

Nowadays, the reality could not be further from this. What used to be a very specific skill set and body of knowledge is mostly open, and freely accessible to anyone with the right aptitude to pick up and master. Back in the day you had to earn your “hacker cred” in order to get access to the forums where people were sharing knowledge; today most of that “exclusive/unique” knowledge is wide open and available.

And today I ran across an article that infuriated me because of its ignorance. Enter: “The cyber labor market in Israel, the cyber guild”. In this article, the author claims, again, that the “ex-#” alumni phenomenon is filling the Israeli market and basically owning it, to the point where non-guild members are shut out. It claims that whereas information and knowledge should be (or is?) open, in the guild market it matters more where you came from than what you actually know and have experience with.

I respectfully call BS on this. It’s just not the reality anymore. Yes, there is an obvious alumni network effect, but one that is just as common with other alumni organizations (think Ivy League universities, local schools, or any other melting pot where people get to know one another). But the “guild” part is just wrong. It’s actually the complete opposite.

After the initial success of the early founders, the “ex-#” units basked in the glow and enjoyed a fairly long streak of alumni who only had to mention their unit’s name (or not even that – just to keep things more hush-hush) in order to nail a high-paying job. However, with such high expectations, the failures became more apparent. And then came the realization: that 8200, which is the largest unit (people-wise) in the Army, does not actually employ thousands of talented programmers and hackers. That a huge percentage of it are grunt workers, pushing papers, poring over analyst reports, and operating the collection and dissemination processes and technologies. Glorified IT support in most cases.

And with that, the sham evolved. The “friend brings friend” system worked most of the time when the initial friend was one of the actually few talented alumni, who brought their few talented friends. The rest ended up blowing the bubble out of proportion and infusing the industry with the glorified IT technicians. And the industry balked fairly quickly. I have personally witnessed companies hurting and buckling under the cost of incompetent alumni recruitment, eventually realizing their mistake and quietly ditching those hires. I have personally interviewed tens (if not hundreds) of people, and very quickly realized (again – after making a few trust mistakes myself) that my gut feeling and personal assessment of one’s personality is more consistent than their alleged history in a “famous” unit.

I have personally mentored extremely talented people who had to fight for their place, had to learn programming languages and platforms, gained their experience in the real world, and became some of the more sought-after talents out there. At the same time I’ve seen the “ex-#” alumni stagnate in dead-end jobs because they could not scale beyond their alleged field of expertise. The market out there is highly capitalistic. It won’t tolerate too much of the halo effect, and despite huge efforts to fuel that effect through several alumni organizations and alumni in executive positions, this doesn’t really hold. If you are looking for innovation and “thinking outside the box”, maybe try to look for people who have not been indoctrinated in a very strict environment to perform a very narrow task. Look for people with broad experience, from different paths of life, who share core traits – curiosity, innovation, drive, and the ability to say “I don’t know”. That’s how the modern market operates. There is no guild. And if you are led to believe so – try to see who or what gave you that impression. You’ll be quick to learn that it is mostly self-serving marketing created to favor the less talented, who need to rely on riding the coattails of the successful few. Who, by the way, were mostly self-taught and would have made it without having the “ex-#” experience 😉


Social media and online interaction are dramatically changing the way our companies and employees interface with society at large. Recent examples of people tweeting or posting something silly or offensive and being met with doxxing or even threats of physical abuse are, unfortunately, becoming more common.

Today SIRA members Alex Hutton and Ian Amit are publicly announcing an open (free as in speech, free as in beer) project to help security departments identify social media presences that are more “at risk” of negative reactions and of general information security risk. This framework of indicators is a little something we’re calling “Social Media Risk Metrics” (catchy, right?). SMRM is being introduced at Derbycon today, complete with a demonstration, a worksheet tool, and suggestions for further development.

The mind map is available here:

The calculation tool on Google Sheets is available here:

Additionally, here are some of the links mentioned in the talk; these are all tools that can be used as part of the OSINT collection and analysis that is part of the SMRM.
Predicting elections paper:
Sentiment analysis tools:

Hacking, community, friends, and professionalism

Adult. What a weird concept.

I keep finding myself saying that word in different contexts, and it feels weird because deep inside I’m still pretty much a non-adult (can’t really say “kid”, so “non-adult” will work best here).

Lately, all the buzz has been around (another) overblown drama in the infosec community, fueled by emotions, friendships, and followings, almost to the point of cult behavior, sprinkled with the necessary “wait a second, someone needs to be the adult here” moment.

So here goes – as Lesley eloquently put it, this is my community. She quotes the hacker manifesto, which I still hold close to my heart as well, and I couldn’t agree more with her. But there’s a bit more that I’d like to add.

We are hackers (at least a lot of my friends are, and those are who I consider the more “fun” part of the infosec community). As such, yes, we tend to have personalities that can become borderline, but at the end of the day we learn how to deal with each other. We have been doing so for decades already. Nothing new.

However, in the past few years, a weird spin has been developing around this community. This spin (like many) brings good as well as bad to us. The good part is more visibility and attention from the “muggles”: the outside world, the business, media, and general population. What we do is starting to bubble up into people’s attention as they get closer to the matrix and realize that we have lived it all our lives. Cars, factories, financials, entertainment, social, you name it, we’ve done it. And it’s great. The bad part is that we get more attention. And as such we get to see cases of “rockstar” issues.

Now, I usually don’t care much for this rockstar bullshit. Everyone gets their 15 minutes of fame, and everyone should be able to enjoy it while it lasts. But letting it get to your head is when things get ugly. And while I can look up to people in the community because I respect what they do and the kind of people they are, the “rockstar” phenomenon is flawed when you look back at who we really are. Hackers. And this is what drove me to this rant.

How did we, hackers, get to have our “own” people behave like sheep? From where I’m sitting, this is inexcusable.

It’s totally OK to look up to someone. I do. But the second that blindly following someone clouds your judgment, you lose your hacker cred (again – in my personal view). And while we all cultivate our quirky personalities, we need to remember that we do represent something bigger – especially when viewed in our hacker persona. And mixing this with personal quarrels is a recipe for disaster.

Case in point – I consider Adrian a friend. Someone I respect for what he does, for his personality, his sense of humor (sarcasm ;-)) and his contribution to the hacker community. I can also disagree with him, and tell him so without being afraid that he’s going to be insulted. And then have drinks and laugh about it.

I also hold BSidesLV close to my heart. I’ve been close to it and part of it pretty much from the first instance in Vegas. It represents a big part of what I consider the hacker community, and has grown (along with the usual growing pains) into something that I am proud of.

So yes, when the latest Twitter drama unfolded, I could easily convey my support to Adrian on a personal level, while also supporting the BSidesLV decision to part ways with him. As ambivalent as it may sound, it makes perfect sense to me. Pretty much like being able to separate friendship from business. Hard and painful decisions sometimes need to happen, but based on my experience, they tend to strengthen friendships rather than ruin them.

So yes, for some of you this may seem out of context. If it does – totally OK, I’m sure you’ll catch the next drama. For others – it’s also OK to get pissed at me for picking one side, or another, or both. I still love you for what you are. Because at the end of the day, we are all hackers.

But let’s also stay professionals. Adults. It’s not a bad word. It just makes us stronger, and at the end of the day lets us have more fun and focus on what we do best.


Update: because I’m lazy I didn’t sum up the gist of said drama. Here’s a summary from someone less lazy: (thanks Rob!).