Does AI know us better than we know ourselves???

Seriously guys, can we talk about the fact that ChatGPT wrote the headline for the #1 most up-voted post on Reddit's /r/chatGPT subreddit, when given the prompt to make a headline as "click-baity" as possible? Don't believe me? You can confirm this for yourself by opening the sub-reddit, then sorting by "Top" -> "All Time" (or just click HERE). As a geek who loves both social psychology and technology, this phenomenon was immediately fascinating to me. I think there are a few possible explanations: Occam's Razor - The most likely (though also the least interesting) explanation is that the posted content was sufficiently witty and meta to warrant it landing the top spot. I admittedly got a chuckle upon seeing it, and I'm sure others had a similar gut reaction. Unwitting Collusion - It is also possible that Redditors unwittingly colluded on upvoting this out of a shared sense of irony. This itself raises some fascinating questi

Talking chatGPT, AI, and our future robot overlords at RSAC 2023!!!

Just recently received the fantastic news that my presentation (on leveraging Large Language Models like chatGPT for social engineering) was accepted for RSAC 2023!!! I started my research into using AI systems for social engineering exploitation about a decade ago, and it has been crazy to see the evolution of this technology over the years, and how recent innovations in the last few years have completely changed everything. I've had the amazing opportunity to share this story with audiences at ToorCon, DEFCON (AI Village), HOU.SEC.CON, and Texas Cyber Summit. And now, I will have the opportunity to share it at RSAC 2023! It's crazy how much this talk evolves just in the few months between presentations. But with chatGPT, Bing, Bard, and other emerging LLMs, things are changing SO FAST now! There is so much new and awesome stuff that will be added into the RSA presentation. Looking forward to seeing everyone in San Francisco. What's the talk about? The talk has the same title

Talking OT Security at HouSecCon 2021

I will be delivering a talk at HouSecCon (on October 7, 2021), about security assessment methodologies for OT infrastructure. The talk is entitled -- "OT Security -- Assessment Methodologies for Securing the Things that do the Things" What's the talk about??? When Information Security professionals attempt to cross-apply their skills to OT (Operational Technology), they often find an environment that, compared to IT infrastructure, is considered beyond reproach. We are often told — “do not patch”, “do not scan”, “do not attempt to harden”, “do not even look at these systems or PEOPLE WILL DIE”. While these risks can be sensationalized, the mishandling of OT infrastructure can indeed result in operational downtime, safety issues, and the potential for loss of life. Drawing from years of OT security experience, the speaker will discuss risk-conscious, white-glove approaches that can be used to effectively assess and secure OT environments, without disrupting critical opera

Alexa Hacking at DEF CON 29

This year, I delivered a talk at DEF CON 29 IoT Village on the social exploitation of victims proxied through Alexa voice assistant devices. Check out the video here!!! The talk was live-streamed on Twitch on Friday, August 6th at 3:30pm PT on the IoT Village Twitch Channel. If you missed the live talk, check out the video on YouTube here: What's the talk about??? As voice assistant technologies (such as Amazon Alexa and Google Assistant) become increasingly sophisticated, we are beginning to see adoption of these technologies in the workplace. Whether supporting conference room communications, or even supporting interactions between an organization and its customers — these technologies are becoming increasingly integrated into the ways that we do business. While implementations of these solutions can streamline operations, they are not always without risk. During this talk, the speaker will discuss lessons learned during a recent penetration test of a large-scale “Alexa for

Cyber Cyborgs Among Us

Not quite human...and not quite machine. I recently had the privilege to interview Len Noe on the Set Solutions podcast. Not only is Len an awesome human being...he's also a little bit more than a human being. People like Len are sometimes referred to as cyborgs, grinders, transhumans, or biohackers. Len has augmented his own biology with technology in order to begin transforming himself into the ultimate cyber weapon. He has multiple implants in his hands that can be used to support different types of cyber attacks. He introduced multiple different attack scenarios during his talk at the RSA Conference, "Biohacking: The Invisible Threat", and will be covering them again at BlackHat USA later this year!!! While there still remains a stigma and some controversy around this trend, I would argue that Len is just ahead of his time. With multiple major R&D firms investing in similar capabilities (such as Elon Musk's Neuralink), Len and others like him are blazing a trail for what lies in t

Bootstrap Fail - Persistent XSS via Opportunistic Domain Sniping

This is the story of how a failed Bootstrap implementation on a website allowed me to gain JavaScript code execution in thousands of user browsers. How I Found It: Before I get into the story, I'll quickly explain how I found this vulnerability in the first place. I have been developing a new opportunistic approach for acquiring persistent XSS (Cross Site Scripting) on various web services across the Internet. This methodology consists of the following steps: Use a custom web crawler to spider web services across the Internet and scrape source code. It iterates through IP addresses and hits the web-root content for every IP address. It then identifies websites that are using externally hosted JavaScript. This is achieved for each server by… Reviewing the HTML source code for <script> tags with a source (src) value containing a full web address (rather than a local path). An example would be <script type='text/javascript' src='

Bypassing GSuite CAPTCHA for Username Enumeration and Password Spraying

While performing a recent assessment of an organization using GSuite, I discovered that the implementation of CAPTCHA to stop automated activity is wholly inadequate, and I was able to accomplish both username enumeration and password spraying with relative ease. Classic Username Enumeration: When you enter an invalid email address in the Google login form, you are returned an error which states -- "Sorry, Google doesn't recognize that email." But when you enter a legitimate email address, you are prompted for a password. This varied response is the basis for any username enumeration attack: automate the process of iterating through a list of emails, then measure the responses to determine which are legitimate. But of course, Google throws another wrench in the mix, which might seem at first to be a show-stopper. After a couple of invalid usernames are supplied, Google throws you a CAPTCHA to solve. I quickly discovered while interacting with this that the best way to