BHIS’s Annual Infosecker’s* Gift-List

Buying gifts can be tough, especially for your family members who are totally mystified by your profession. “Don’t you hack the stuff with the things?” Have no fear, BHIS is here (you can forward this on to them for a reference)!  I’ve asked around and thist list is infosecker approved.  I hope our testers didn’t think I was asking because I was going to buy them things…  

Mr. Robot (Seasons 1 & 2) – Ahhhh…. binge watching, isn’t that what short winter days are for?  And if not short winter days, then definitely holiday vacations and breaks! For when you just can’t get enough of the gritty depressing world of infosec at work!

Season 1 available on Amazon Prime (Season 2 on DVD/Blue Ray). Or the iTunes store. (Protip: you can’t tell the difference between HD and SD on an iPhone, so save some money and space.)

The Cuckoo’s Egg reads like fiction, but isn’t. Back from the ancient world of 1986, this is for when you can’t get enough of infosec at work, but prefer reading!

If you feel like you’re fighting the same battles over and over again at work, go back to then and see how different things were. They had dial-up modems. Otherwise … pretty much the same.

Death Wish Coffee

From their website: “Death wish coffee is created by using the strongest combination of beans and a perfect roasting process.” Sounds delish! This is Beau’s favorite, though we have yet to try any in the office.  We’ve added it to our office wish list as well! (hint, hint!)

“I don’t drink coffee, but I hear it helps you not sleep” –Kelsey

Death wish coffee? That sounds interesting” –Brian F

“Wait, what Kelsey? How can you not drink coffee?” BB King

Cardboard VR Glasses 

Because let’s face it VR isn’t QUITE there yet, so in the meantime a box on your face should do the trick. Also, cheap!

Blisstime Google Cardboard V2.0 3d Glasses Vr Virtual Reality Cardboard Kit with Headband Fit for 3–6inch Screen

Books are like the necktie of gifts – some people think it’s boring, other’s love them! You’ll know how to proceed.

RTFM: Red Team Field Manual by Ben Clark – Because it’s a classic reference and also, this name – brilliant.

Description from Amazon:

The Red Team Field Manual (RTFM) is a no fluff, but thorough reference guide for serious Red Team members who routinely find themselves on a mission without Google or the time to scan through a man page. The RTFM contains the basic syntax for commonly used Linux and Windows command line tools, but it also encapsulates unique use cases for powerful tools such as Python and Windows PowerShell. The RTFM will repeatedly save you time looking up the hard to remember Windows nuances such as Windows wmic and dsquery command line tools, key registry values, scheduled tasks syntax, startup locations and Windows scripting. More importantly, it should teach you some new red team techniques.”

“I avoid Windows as actively as possible, and this book helps me do that. Now I don’t have to learn Windows, I can just reference it.” -Some BHIS Tester at some point

The Web Application Hacker’s Handbook

There isn’t a description on Amazon but check out this review by Jason Haddix (from 2011):

“There’s a running joke we have on our assessment team about the Web Application Hackers Handbook. Every time we see a new technology, or have to deal with a one-off situation, we start doing research online only to find it was already referenced in WAHH somewhere. We’ve all read this book several times too, it’s like Dafydd and Marcus sneak into our houses at night and add content…

Joking aside though, there is no other reference for web hacking as thorough or complete as WAHH.

With WAHH2 the authors added a significant amount content and rehashed existing chapters that were already deeply technical. The bonus in WAHH2 is its associated labs. Dafydd and Marcus have been giving a live WAHH training for years and have now moved the stellar CTF like challenges to the cloud. You can buy credits ($7 for 1hr) and move right along as you read the book (MDSec.net). When I say the labs are stellar, I mean it. The labs come almost straight from the class and start trivial and then get crazy. The injection labs were by far my favorite, housing 30-40 different injection types/variants each between XSS/SQLi. The CTF in the class (which i’ll mention again is where the MDSec.com labs are based from) gets ridiculous toward the end. Even seasoned web testers fall around questions 14-16. But i digress…

WAHH2 is now the defacto buy for any pentest/QA/Audit team. Its usage will surpass any other book on your bookshelf if you are doing practical testing.

5 stars, i’d give it 10 if I could.”

Hacking Exposed Wireless

“The first six chapters cover everything you need to do a wireless assessment. Really.” – Fletch

The Tangled Web: A Guide to Securing Modern Web Applications 1st Edition by Michal Zalewski

“Ooh – great book! It’s aging almost as well as The Cuckoo’s Egg, I think.” – BB King

Description from Amazon:

Modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. To keep users safe, it is essential for developers to confidently navigate this landscape.

In The Tangled Web, Michal Zalewski, one of the world’s top browser security experts, offers a compelling narrative that explains exactly how browsers work and why they’re fundamentally insecure. Rather than dispense simplistic advice on vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security. You’ll learn how to:

  • Perform common but surprisingly complex tasks such as URL parsing and HTML sanitization
  • Use modern security features like Strict Transport Security, Content Security Policy, and Cross-Origin Resource Sharing
  • Leverage many variants of the same-origin policy to safely compartmentalize complex web applications and protect user credentials in case of XSS bugs
  • Build mashups and embed gadgets without getting stung by the tricky frame navigation policy
  • Embed or host user-supplied content without running into the trap of content sniffing

For quick reference, “Security Engineering Cheat Sheets” at the end of each chapter offer ready solutions to problems you’re most likely to encounter. With coverage extending as far as planned HTML5 features, The Tangled Web will help you create secure web applications that stand the test of time.

“..or at least realize you’re not alone when they don’t” BB King

Raspberry Pi 3 & Zero

Spend Christmas break building some of this years BHIS projects! (Beau’s post &  Jordan’s post)

“OMG! It’s so tiny and adorable, I’ll take 10” -All people, everywhere

“Can we please get a hundred of these and build a supercomputer??” -Lawrence (paraphrased)

Adafruit Feather boards

If the Raspberry Pi is too straightforward, try one of these! There are a bajillion options, so pick one and challenge your hacker to find a creative use. WiFi? Bluetooth? Packet radio? Data logger? Tell us what they build!

USB data blocker (stocking stuffers!)

You rent a car and it has a handy-dandy USB charging port.  But do you really need that rental car to have access to all of your phone’s data?  NO!  Use this so that all that comes through that USB port is power and not data transferring!

Can’t we just bring our own wall adapters?BB King

No BB King, no you can’t! There are ONLY usb sockets! Gaaahhhh!

RFID blocking wallet

Turns out you’re not as crazy as people once thought to be wary of people stealing your credit card info.  Block all those pesky RFID thieves with this wallet!

The Badgy

If you’re feeling spendy, and want to really pull out all the stops you might think about a Badgy!  Who wouldn’t love a reason to print any kind of fake badge for physical pen tests?

“Want!” -Kelsey (more or less)

Geeky T-Shirts

There’s no place like 127.0.0.1 for the holidays either!

Hacking Fuel

Yummy and how else are you going to become that 400lb hacker?!

“They’re basically air, they don’t add any weight, promise” –Kelsey, who doesn’t eat cheetos

“Good thing my keyboard keys are black, otherwise they’d be orange” -Gail, who also doesn’t eat cheetos

Pizza Bag

I picked this specifically for Kelsey, who loves food, and also cutesy things. But really, who on your list wouldn’t LOVE a pizza purse.

hahaha It’s so happy why is a sparkly pizza bag almost $50??” –Kelsey, in a hangouts message

Divided Keyboard

For those scary moments when you’re getting hacked and need assistance from a friend! (This might be one of our favorite “hacking” scenes from a TV show.)

“Ergonomics, fixes your back, my wrists don’t hurt anymore, so much money, blah blah worth it.” -Lawrence (paraphrased)

“That’s exactly how Lawrence talks.” – Sierra

Treadmill Desk

We keep hearing that sitting is as bad as smoking and it terrifies us as we have sitting jobs.  Last year we got on an office running kick, and this year we’re doing even more to combat early death from sitting.  Gail bought a treadmill desk and Kent built us all standing desks in the office (painful!).  Maybe your lucky infosec-er would like to walk!  Even a super slow walk over the course of a few hours burns beaucoup calories!

“I never understood why people couldn’t shut up about their treadmill desks, I mean, gawd, so annoying, right? But now I can’t shut up about mine. I love it soooo hard!” -Gail (paraphrased)

Burner Phone

Did someone say a burner phone?

“If you go to Walmart, you’re gonna have to break up your order into several parts, but it turns out the Walmart cashiers don’t care.” –Rick or Jordan, on the fact that Walmart only lets you buy a certain number of burner phones at one time.

Other Ideas

“Anything from the Hak5 shop is cool:

“I already have a Pineapple though.” –BHIS Tester

“You could always have two Pineapples.” -Another BHIS Tester

And when all else fails, some bitcoin is always great! Then your InfoSecker can buy their own toys, anonymously!

“I thought bitcoin was dead?” –Kelsey

“Didn’t everyone switch over to dogecoin? 😉 ” -Someone who wasn’t Kelsey, promise

“Dogecoin is clearly not as important because I’VE never heard of it.” -Sierra (office temperature of “very average person”)

Conclusion

Hope you found some things for the infosecker in your life!! We’re wishing you all the merriest and most wonderful of holidays!!

*Why yes, we did name this the InfoSecker’s list, because it’s not just pentesters, it’s not just defenders, but it’s someone more specific than just regular IT person. You saw it here first!