Skip to content

Author: Will Chatham

Will Chatham is the Security Assessment Engineer for Arbor Networks. Since Netscape 2.0, he has worked in a wide array of environments including non-profit, corporate, small business, and government. He started as a web developer, moved into Linux system administration, and ultimately found his place as a security professional. Having most recently conquered the OSCP certification, Will continues to hack his way into various things in an effort to make them more secure.

5 Tips to Finding the Ideal Working Space in Long Island

Although, nowadays, most people operate their business from their homes, research shows that customers tend to have more confidence in businesses that have a brick and mortar shop that is outside of the home. This is because it’s easy to get in touch with such businesses when you have a burning need. And as an entrepreneur, having an office puts a statement that you are serious about what you do. Besides that, it guarantees that you will enjoy working in a cool environment that’s free from disturbances and have enough space for keeping your tools of the trade. However, finding an ideal office space for rent can be a huge challenge, especially if it’s your first time. This is because you don’t know what to look for. Here is a list of things to consider when looking to find offices in Long Island.

1. Location

When it comes to setting up an office, location is everything. In fact, the location that you go for will definitely determine how your business will perform. You should actually narrow down to a strategic location. An ideal office location is one that’s within a city so that your clients don’t have to drive for many hours to reach you. You should also make sure that the area where you will have a has a reliable transport system. This is because you can’t be sure that all your clients will use their cars when coming to your office. Besides that, you have to consider the other businesses that are in that area. For best results, it’s advisable you rent an office in an area that’s known in majoring in your niche market. That way, you will have higher chances of being seen by clients that visit other similar businesses in the same office block.

2. Size

The size of an office plays an important role in determining how comfortable you will fee. At the end of the day, you want to pick an office space that’s neither too small nor large. If by any chance you pick a small space probably because you don’t want to have time for doing a thorough search, you will have an office that’s congested, meaning you will not have enough space for all your equipment. On the other hand, a bigger space will make your office look empty. Such a problem can be avoided by approximating the size of the office by measuring every square foot that you might need for keeping all your stuff including furniture and computers.

3. Price

The price of office space is usually determined by location and size. If the space is small, you will definitely be charged much less rent than someone who takes a bigger space and vice versa. Besides that, offices that are located in prime locations normally cost more. But that’s not a problem. Before occupying any working space, you should first ask yourself whether you will be able to afford the listed price without hurting your finances. It actually depends on the profits that your business is currently making. However, don’t make your decision based on projections because you can never be sure whether your venture will thrive in the new location. In addition to that, you should consider asking for a discount because everything including rent is negotiable. If an office space has been vacant for too long the landlord will be desperate to have some tenants. Take advantage of such desperation to ask for a discount.

4. Accessibility

People generally like visiting offices that are accessible. Such offices have infrastructure that make visitors feel at home. Some of the things to look out for include elevators, grilled staircases and parking yard. Assuming that your office will not be on the ground floor, it’s advisable you pick a block that’s served by an elevator round the clock. Keep in mind that some of your clients might be using crutches or a wheelchair. In addition to that, you should rent an office in a place where there is ample parking space for your car and those of your clients.

5. Consult a Tenant Broker

Tenant brokers usually know a given area like the back of their hand. They can therefore help you find an office space for rent within a short period of time. And since they have been around for many years, they definitely know the best offices in town that are tailored to meet your needs. Besides that, they know the landlords that are a pain in the neck and those that are cool. They can therefore spare you from the trouble of renting an office space that’s not close to what you really need. The good thing is that they will not ask you to pay them because they are usually paid by the landlord.

Your ISP May Know You Better Than Your Mother: How?

They say your mother knows you best. After all, she’s been with you right from birth to adulthood. I, however, dare to disagree with this well-known fact by stating that ISPs might know you better than your mother. The question is, how? Before I get into the technical nuances, let’s start with the basics.

What is an ISP?

ISPs, or Internet Service Providers, are corporations or institutions that provide internet services to customers at a fee. They give all kinds of internet access be it DSL, dedicated high-speed interconnection, dial-up, cable modem or any other connection.

How Do ISPs Work?

The working of an ISP is quite simple. When you want to access a site on the internet, the browser of your access device converts the domain name of the said site into an IP address which is sent to the ISP, usually by a router. Your ISP will then convey your access request to the ISP of the site you intend to visit. The ISP of the site sends back a link through which you can access the site. ISPs can also pay other ISPs (upstream ISPs) to offer internet connectivity which usually has a more extensive network than your ISP.

Data and ISPs

Now that we are up to speed with ISPs, we have the hot button issue, that is, your data and ISPs. Are ISPs collecting your data? Are they spying on you? Can they provide your browsing history data to law enforcement/government? Can they sell your data to third-parties? Is there any way you can protect your data? A simple answer to all of the above questions is Yes, but it’s much more technical than you think. Let’s break it down for you.

First things first, your ISP has access to all the data you transmit or receive through the internet. With all this access, they track and monitor said data to observe how the information is being used, to provide security against cyber-attacks and to prevent the abuse or misuse of data. The service providers can, therefore, tell what sites you visit, how often you visit these sites, frequency of visits, and the duration you spend on the site. To be on the safe side choose a VPN service to encrypt your connection and protect your privacy. Check this review of Private Internet Access for a start.

Visits to unencrypted websites are akin to a data gold mine for the ISPs since it is in these instances that the ISPs get the most data from users. Unencrypted sites use Hypertext Transfer Protocol (HTTP) which is unencrypted as opposed to the much more secure Hypertext Transfer Protocol (HTTPS).

To put it simply, when you visit an unencrypted website, your ISP can view the full content of the site on visits and the complete URL. This is alarming, seeing as research confirms that 8 out of 10 lifestyle websites are unencrypted. The solution to this problem should be fairly straight forward – a transition from unencrypted to the more secure HTTPS. Well, not entirely since all third party associates and partners on the site must support HTTPS. For your reference, addresses of sites prefixed with ‘https’ mean that they are secure. Secure sights prevent the ISP from accessing the full content and or URL of the site in question. ISPs have been known to collect data, and over time create a detailed profile of someone’s internet activity.

In most cases, ISPs can’t be compelled to share the data they have collected over time on an individual, though it is common practice for some to sell data to advertisers and other third parties. In the US for instance, the law allows ISPs to share non-identifying data.

How Can You Protect Yourself?

Now that we have covered the nuances of ISP data dealings, a salient query is: do the subscribers of these ISPs have any way to protect their data and internet activity? It is noteworthy that private browsing features like incognito browsing don’t offer much respite as the ISP can still access one’s data. Google provides excellent add-ons, as does the EFF, that automatically convert HTTP to HTTPS in your web browser.

The magnum opus of internet security remains the VPN services. What VPNs do is they encrypt your internet traffic and activity, hence preventing your IP address from being accessed by anyone. With some of these VPNs, the user might incur additional charges, especially subscription-based VPNs. This is, however, a small price to pay for protection from over-ambitious ISPs.

Conclusion

Mothers are an embodiment of love, resilience, and most importantly, safety. ISPs on the other hand, not so much. Sadly, the latter might have in their possession more information about you than the former. Take the necessary step to ensure the ISPs don’t compromise your privacy and security.

Picking a Master Lock M5 Magnum

As you may or may not know, I was a locksmith for the better part of a decade, working on campus at Warren Wilson College as a student, learning the trade as I earned my BA in psychology, then being hired to work there and train other students after I graduated for about 4 years. I also ran my own business (Chatham’s Lock & Key) for about two years, and I did a stint at Willis Klein up in Louisville for a summer.

So it was interesting to me that once I started attending information security conferences, I saw how popular lock picking has become among that otherwise computer-based hacking crowd. They have “lock picking villages” where you can learn to pick locks, contests to pit your skills against others, and there are now loads of videos and tutorials online for “locksport” enthusiasts.

I was resistant to get into “locksport” for a while, perhaps because I had “been there, done that,” but also because the phrase “locksport” annoyed me.

However, I lost that battle when I found my old lock pick set from back in the day, and then found myself working a Master lock I had in the garage. Check out my first contribution to the Locksport community in this video.

Stay tuned for more.

OWASP Attack Surface Detector Project

When I did a short work stint at Secure Decisions in 2018, one of the projects I got to work on was helping to create the Attack Surface Detector plugin for ZAP and Burp Suite. I left that position before the project got published, but I am happy to see that it was a success.

Here it is in all its glory.

From the OWASP description:

The Attack Surface Detector tool uncovers the endpoints of a web application, the parameters these endpoints accept, and the data type of those parameters. This includes the unlinked endpoints a spider won’t find in client-side code, or optional parameters totally unused in client-side code. It also has the capability to calculate the changes in attack surface between two versions of an application.

There is a video that demonstrates the plugin, and yes, that is me doing the voice-over.

Kali Linux Dockerfile

Since recently discovering there is now an official Kali Linux docker image, I’ve been fiddling with it and tweaking my own setup to get it to how I like it for the things I use it for. I have a work version and a personal version. What follows is my personal version, used mostly for R&D, CTF challenges, and bug hunting in my free time.

My Kali Dockerfile (for Mac)

# The Kali linux base image
FROM kalilinux/kali-linux-docker

# Update all the things, then install my personal faves
RUN apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y && apt-get install -y \
 cadaver \
 dirb \
 exploitdb \
 exploitdb-bin-sploits \
 git \
 gdb \
 gobuster \
 hashcat \
 hydra \
 man-db \
 medusa \
 minicom \
 nasm \
 nikto \
 nmap \
 sqlmap \
 sslscan \
 webshells \
 wpscan \
 wordlists 

# Create known_hosts for git cloning things I want
RUN mkdir /root/.ssh
RUN touch /root/.ssh/known_hosts
# Add host keys
RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts

# Clone git repos
RUN git clone https://github.com/danielmiessler/SecLists.git /opt/seclists
RUN git clone https://github.com/PowerShellMafia/PowerSploit.git /opt/powersploit
RUN git clone https://github.com/hashcat/hashcat /opt/hashcat
RUN git clone https://github.com/rebootuser/LinEnum /opt/linenum
RUN git clone https://github.com/maurosoria/dirsearch /opt/dirsearch
RUN git clone https://github.com/sdushantha/sherlock.git /opt/sherlock

# Other installs of things I need
RUN apt-get install -y \
    python-pip

RUN pip install pwntools

# Update ENV
ENV PATH=$PATH:/opt/powersploit
ENV PATH=$PATH:/opt/hashcat
ENV PATH=$PATH:/opt/dirsearch
ENV PATH=$PATH:/opt/sherlock

# Set entrypoint and working directory (Mac specific)
WORKDIR /Users/wchatham/kali/

# Expose ports 80 and 443
EXPOSE 80/tcp 443/tcp

Build it

docker build -t yourname/imagename path/to/theDockerfile 

(don’t actually put ‘Dockerfile’ in the path). Do change ‘imagename’ to something apropos, such as ‘kali’

Run it

docker run -ti -p 80:80 -p 443:443 -v /Users/yourname/Desktop:/root yourname/imagename

The above examples require you to replace ‘yourname’ with your Mac username

-ti
Indicates that we want a tty and to keep STDIN open for interactive processes

-p
Expose the listed ports

-v
Mount the defined folders to be shared from host to docker.

Hope that’s useful to someone!

Hat tip: https://www.pentestpartners.com/security-blog/docker-for-hackers-a-pen-testers-guide/

Music Updates

I just updated my My Music page, which was long overdue. There’s not a lot of new stuff to report just yet, but I am in a ska band that is practicing and trying to determine a name. Stay tuned for more about that.

Here is a Spotify playlist featuring my songs, or songs I played on over the years:


And here’s an open directory from which you can download a lot of these goodies:

https://www.willchatham.com/songs/

Lastly, here’s a crappy video I made of me playing with myself the other day: