Bad Boys For Life

Bet you thought this was going to be about the long-awaited, upcoming sequel to the Bad Boys movie franchise? No sorry, not really. We’ll get to that in a bit.

I started this blog back in 2010 because I wanted to share some of the things I learned conducting Internet investigations since the 1990s. I was an old school guy with a young mind who wanted to give back a little. Well, somewhere around 2013, when I all but stopped blogging, the world was getting a little bigger. All of a sudden everyone was coining themselves an OSINT Expert (even if they weren’t), so I decided to take a step back to observe and just work.

Back in high school I remember watching the original Bad Boys movie about two comical cops played by Will Smith and Martin Lawrence. At the time I thought it was the coolest duo since Crockett & Tubbs. Well, when I saw the new Bad Boys For Life trailer recently, I thought, “Hell, if these guys can do it after a 17-year hiatus, so can I.”

So here I am ten years older and wiser. In the words of the great John Wick, “People keep asking if I’m back and I haven’t really had an answer, but yeah, I’m thinking I’m back.”

Stay safe and keep following those virtual breadcrumbs. ~ The Hi-Tech P.I.

Dancing the Two-Step

With the recent Adobe security breach we should all be reminded how vulnerable our data really is in the hands of hundreds, sometimes thousands, of data providers and online businesses. We are relying on others to keep our information safe and out of the hands of the bad guys. Going back 20 years, would you ever have thought to trust so much personal information to so many? Not me. It has almost become second nature for us to hand over personal info without a thought. It is a little scary to think how complacent we have become with not only our own personal information, but also our employer’s and clients’ information.

I have the pleasure of being in great communities of investigators and security professionals, who for the most part will give you free advice that for many is invaluable. Most professional groups have some type of Listserv or online group through which they communicate. But being a member of a Listserv can come at a price. Listservs are a convenient way for malware to be spread to thousands of people via one single email address. When one person is complacent and allows their email account to be hacked, it puts many of us at risk, not to mention your and your clients’ data. What should be done?

There is something called Multi-Factor or Two-Step authentication that has been around for years, but has only in the last few become mainstream and widely available. Multi-factor authentication provides a second layer of security to online accounts in addition to your standard password. This second layer could be a hardware device like a Yubikey, or a 4 digit code that is sent to your cell phone. I use both. Multi-factor authentication is now available through most major online service providers such as Google, Yahoo, MSN, Facebook, Twitter, PayPal, etc.

My question is…why not? It’s very much like your bank asking you for your telephone password in addition to your name, or locking the deadbolt on your front door in addition to the handle lock. These two things have become acceptable to us, and so will securing your online accounts. We just need to place the same importance on those accounts as we do on our homes and finances.

This Gizmodo article does a good job at getting you started: How to Enable Two-Factor Authentication on All Your Accounts

Stay safe and keep following those virtual breadcrumbs. ~ The Hi-Tech P.I.

Who do you trust?

I recently listened to the audio book “Ghost in the Wires” written by infamous hacker Kevin Mitnick. Although I would not approve of his activity, I was very interested in his phreaking and social engineering skills.

Growing up in the investigations industry in the 80s and 90s, social engineering was second nature. We did not have the vast databases available today, so we relied heavily on human interaction for information. Today this skill is very much in play; however, social engineering is increasingly being adopted by criminals rather than colleagues. My recent trip to the hacker conference DefCon in Vegas reaffirmed this. Attending seminars on this very subject were thousands of hacker types, several of whom were likely criminal masterminds. I watched as they jotted down notes and laughed at the ease of tricking everyday folks into handing over their personal details.

Good tips on this subject can be found in today’s blog post at titled “How Can I Protect Against Social Engineering Hacks?” It’s worth a look.

Keep following those virtual breadcrumbs. ~ The Hi-Tech P.I.

Website Security with a Little Obscurity

While strolling around the Internet the other day, I stumbled upon this solid post on and thought I would share.

Security By Obscurity

Security by Obscurity is a term that describes security through secrecy. If you don’t tell anyone that you have a million dollars buried in your backyard, then it is “secure” because nobody will find it.

There’s a saying in the security field: Security by Obscurity (SbO) does not work. If you are vulnerable, then you are still vulnerable. You’re just hoping that nobody discovers the exploit.

In my opinion, SbO does work to a degree. While SbO should not be your only security option, it does deter pre-attack reconnaissance. For example, most automated scanners look for obvious signs that can be used to identify a vulnerable system. If the scanner finds something, then the attack will come later. However, if you remove these markings then the scanners won’t flag your site for an attack. SbO removes the “low hanging fruit”.

The first thing you want to remove is anything that denotes what software version you are running. For example, WordPress is a very popular blog software package. If the bottom of your blog says “Powered by WordPress”, then everyone knows what software you are running. Knowing “WordPress” isn’t that bad. However, WordPress also embeds the version in the HTML content. For example, the “We Love WP” site runs WordPress. If you “view source” of their web page, you will see at the top:

<meta name="generator" content="WordPress 2.8.4" />

Now we know that they are running WordPress version 2.8.4. If you happen to know of a security vulnerability for version 2.8.4 (such as an XSS or Traceback denial-of-service), then you know that the “We Love WP” blog is vulnerable.

Similarly, the popular vBulletin web forum software includes the version at the bottom of the page and in the HTML meta data. Does the world really need to know that theGraphic Forums uses version 3.6.1?

So the first thing to do (regardless of whether you know of a vulnerability or not): remove all information about software and version from your site. This includes information embedded in your HTML pages and RSS feeds. Where to do the change depends on your software. With blogs, it is usually in the custom template, default template, or PHP/ASP pages. You probably don’t need to change every single web page — but you will probably need to change it in a few places.

This won’t stop someone from attacking you and does not close the security hole. What it does do: this prevents automatic scanners (and casual observers) from quickly determining that you are vulnerable. (Congratulations, you are no longer the lowest hanging fruit and most likely to be attacked.)

For the really creative types out there, don’t just remove it. Change it! Misinformation is far more damaging to an attacker than no information. Rather than removing the “Powered by WordPress”, change it to say “Powered by Serendipity” — a totally different blog package, or just lie: BlogProKit 9.8.1. Now if someone is going to attack you, then they will initially do so with the wrong set of exploits.

Hope you found it at least a little informative as I did.

Keep following those virtual breadcrumbs. ~ The Hi-Tech P.I.
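If you want to check your own site for the markers the quoted post talks about, here is a small Python audit I added as an example (my own code, not from the quoted post and not part of WordPress or vBulletin). It looks for the “generator” meta tag, a “Powered by” footer line, and the <generator> element WordPress puts in RSS feeds, flags any that carry a version number, and strips the two machine-readable ones. The sample HTML and RSS snippets are constructed for the example, not captured from a real site.

```python
"""Audit an HTML page or RSS feed for software/version disclosures (added example)."""
import re

# Case-insensitive markers; each capture group is the disclosed product/version text.
GENERATOR_META = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
POWERED_BY = re.compile(r'powered\s+by\s+([^<\n]{1,40}?)(?=\s*<|\s*$)', re.I | re.M)
RSS_GENERATOR = re.compile(r'<generator>\s*([^<]+?)\s*</generator>', re.I)
VERSION = re.compile(r'\d+(?:\.\d+)+')          # e.g. 2.8.4 or 3.6.1

# Constructed samples modelled on the page's "We Love WP" view-source snippet.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 2.8.4" />
<title>We Love WP</title></head>
<body><p>Hello world</p>
<footer><a href="https://wordpress.org/">Powered by WordPress</a></footer>
</body></html>"""

SAMPLE_RSS = """<?xml version="1.0"?><rss><channel>
<generator>http://wordpress.org/?v=2.8.4</generator>
<title>Feed</title></channel></rss>"""


def find_disclosures(document: str) -> list:
    """Return (marker, disclosed text) pairs found in an HTML page or RSS feed."""
    found = []
    for name, pat in (("meta generator", GENERATOR_META),
                      ("powered by", POWERED_BY),
                      ("rss generator", RSS_GENERATOR)):
        for m in pat.finditer(document):
            found.append((name, m.group(1).strip(" .")))
    return found


def leaks_version(document: str) -> bool:
    """True if any disclosure includes a version number (the worst case in the post)."""
    return any(VERSION.search(text) for _, text in find_disclosures(document))


def scrub(document: str) -> str:
    """Remove the generator meta tag and RSS generator element outright.

    The "Powered by" footer text is left alone: per the post, that is the
    line you rewrite by hand in your template, not something to strip blindly.
    """
    document = re.sub(r'<meta\s+name=["\']generator["\'][^>]*>\s*', '', document, flags=re.I)
    document = re.sub(r'<generator>[^<]*</generator>\s*', '', document, flags=re.I)
    return document


if __name__ == "__main__":
    for label, doc in (("html", SAMPLE_HTML), ("rss", SAMPLE_RSS)):
        print(label, find_disclosures(doc), "leaks version:", leaks_version(doc))
```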

Just who do you think you are?

For the everyday Joe, being able to find out who is behind a phone number could help identify a crank caller, scammer or phone threat. As investigators, we have long had resources for this type of thing, some that are free and many which cost money.

In my previous post titled Jenny 867-5309 I detail many sources used to help identify phone subscribers. Those were sources utilizing either caller ID data or directory assistance. But what if the phone number you are trying to ID is a mobile phone and is not listed in an online database? You could call the number and listen to the voicemail, but that would compromise your own phone number. Drum roll please…’s the turn.

Super-sleuth Robert Scott, author of “The Investigator’s Little Black Book” and proprietor of , has created a nifty little investigative tool for the masses called Spy Dialer. How it works is you submit the subject’s mobile number into Spy Dialer and it anonymously queries the voicemail system of that number. The cool part is what magicians call the Prestige: a surreptitious recording of the subscriber’s voice, and that’s not all…the ability to download the recording to your PC!

Well now you may ask, what’s the catch? No catch. There is both a free and a paid service. The only vice of the free service is that if your perp calls the number back it will play a short quip about Spy Dialer. The paid service is very reasonable at $9.95 per year. There is even an Android app currently available and an iPhone app in the works.

So the next time you get this Prank Caller (offensive), the only question will be, do I want to be the victim or victor?

Keep following those virtual breadcrumbs. ~ The Hi-Tech P.I.