Sandbox Stories : Flight of the Great Cuckoo Bird

Recently I had the chance to deploy a Cuckoo Sandbox System… OMG! This was a pure tale of madness. While in the end I won, the journey was filled with peril… Much Peril… Forget it… It’s too perilous… While I found a million tutorials and videos on the net. I noticed one thing… None of them really did what I wanted it to do.  Yes they set it up in the most basic way, but I needed more… I wanted to watch this bird fly… So I grabbed my tin-foil hat, made a pot of coffee and set out to see what results the net would show me.

At first glance around the net I found a few scripts for setting all of this up. The issue with scripts is that you never know if they are going to work. So the way that I went about it is more of the Long Way. But at least I learned how to set it up by hand. The Old-Fashioned Way…

For those of you who do not know what Cuckoo Sandbox is: it is a system that you analyze malware with. Basically you send a file to a Virtual Machine with Cuckoo and it runs that file. Anything that file does is reported back to Cuckoo. Kewl!! So I headed out to get the installation docs at Cuckoo’s website.

A few things became instantly clear about cuckoo.

  • It was going to take more than cuckoo itself
  • I was going to need Virtual Machine Software
  • I was going to need an Operating System for the Malware
  • I was going to need Applications for the malware to use
  • I was going to need Malware

Some pieces of software you will want to have are freely available in most repos. Other pieces you will have to purchase or may already own. I use Licensed VMWare Workstation to do all of my labs, and I own my Copies of Windows. So keep it Legit… Also if you don’t require sudo then please leave that off all commands.

The first thing is to create a VM to hold our complete Sandbox Environment. I have used both Ubuntu and Debian 8 to complete this lab. I failed a lot and had dependency issues, so if you’re not fluent in nix then choose Ubuntu 15.10 Desktop. When creating this VM take into account how much malware you will be running. If you’re going to do a lot of memory dumps or pcap traces then increase the HD size to compensate. Also there are options in configuring cuckoo.conf that will delete certain files or not. Check there as well.

After creating the Ubuntu Install you need to make sure it’s up to date… This is really important. If you do a kernel upgrade please reboot the system before going any further…

On most debian based systems you can just do the following command:

  • sudo apt-get update -qq && sudo apt-get upgrade -qq && sudo apt-get dist-upgrade -qq

Make sure you reboot if you have upgraded your kernel image. Later we will be installing some kernel packages and will need to get the running version. So make sure you U-P-G-R-A-Y-E-D-D!! The two D’s are for a “double-dose of admin pimp’n!”


So now that our system is up to the latest version, let’s create a user called cuckoo with this command:

  • sudo adduser cuckoo

This is the account that you’re going to be running the sandbox as, and creating your actual malware virtual machine. I have seen things on the net that state if you do not build the malware vm as cuckoo user you will have issues.  So to be safe we will build as the user.

So now that we have our user, let’s install cuckoo sandbox from their git source. This will ensure that we are running the latest release of cuckoo. If you do not have Git installed please do so with this command:

  • sudo apt-get install git -y

Now change to the cuckoo user directory:  cd /home/cuckoo

  • sudo git clone git://

This will install the latest version of Cuckoo to the cuckoo user’s folder. After that run the next command to change the ownership of these files to the cuckoo user and group.

  • sudo chown -R cuckoo.cuckoo /home/cuckoo

Now that we have the Cuckoo Source, we want to install some build packages… Use the following commands to prep the system.

  • sudo apt-get install build-essential checkinstall -qq
  • sudo chmod u+rwx /usr/local/src
  • sudo apt-get install linux-headers-$(uname -r) -qq
  • sudo apt-get install python python-pip python-pefile libpq-dev python-dev python-magic python-dpkt python-mako python-sqlalchemy python-jinja2 python-bottle libffi-dev libssl-dev libgeoip-dev exiftool tesseract-ocr libfuzzy-dev libboost-python-dev genisoimage subversion -qq

One of the packages we just installed was tesseract-ocr. This is what will screenshot the desktop on the vm that we are running the malware on. By default it is disabled. Enabling it will consume more disk space.

Now we need to get the python environment installed.

  • sudo apt-get build-dep python-psycopg2 python-pymongo mongodb libcap2-bin tcpdump -qq

Now we need to modify tcpdump to let the cuckoo user have access to it.

  • sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Let’s now test to see if it worked. Run the following command. Ctrl+C stops it. If the command fails, fix the issue before going on.

  • sudo getcap /usr/sbin/tcpdump

Now we need to install SSDeep.

“SSDeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.”

You can find their site here: SSDeep Website

  • sudo pip install ssdeep
  • sudo apt-get install python-pyrex -qq
  • cd /opt
  • sudo git clone
  • cd pySSDeep
  • sudo python build
  • sudo python install
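
To make the CTPH description quoted above concrete, here is a simplified sketch of context-triggered piecewise hashing, added as an illustration and not taken from the original post or from ssdeep. The fixed block size, the sum-based rolling hash, the signature format and the sample data are all assumptions; real ssdeep signatures look different.

```python
import difflib
import hashlib
import random

WINDOW = 7   # bytes in the rolling window
BLOCK = 64   # average chunk size; fixed here for simplicity (an assumption)
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_OFFSET = 0x811C9DC5
FNV_PRIME = 0x01000193


def fuzzy_signature(data):
    """Return one character per content-defined chunk of `data`."""
    sig = []
    window_sum = 0           # rolling hash: sum of the last WINDOW bytes
    chunk_hash = FNV_OFFSET  # FNV-1a, restarted at every chunk boundary
    for i, byte in enumerate(data):
        window_sum += byte
        if i >= WINDOW:
            window_sum -= data[i - WINDOW]
        chunk_hash = ((chunk_hash ^ byte) * FNV_PRIME) & 0xFFFFFFFF
        # The trigger depends only on the last WINDOW bytes, so identical
        # content yields identical boundaries wherever it sits in the file.
        if window_sum % BLOCK == BLOCK - 1:
            sig.append(ALPHABET[chunk_hash % 64])
            chunk_hash = FNV_OFFSET
    sig.append(ALPHABET[chunk_hash % 64])  # trailing partial chunk
    return "".join(sig)


def similarity(sig_a, sig_b):
    """Score 0-100 from how many signature characters line up in order."""
    matcher = difflib.SequenceMatcher(None, sig_a, sig_b, autojunk=False)
    return round(100 * matcher.ratio())


def demo():
    """Compare a sample with a lightly modified copy and an unrelated one."""
    rng = random.Random(2016)  # constructed sample bytes, not real malware
    original = bytes(rng.getrandbits(8) for _ in range(4096))
    # Same content with 20 extra bytes spliced into the middle.
    patched = original[:2000] + b"<-- 20 changed bytes" + original[2000:]
    unrelated = bytes(rng.getrandbits(8) for _ in range(4096))

    near = similarity(fuzzy_signature(original), fuzzy_signature(patched))
    far = similarity(fuzzy_signature(original), fuzzy_signature(unrelated))
    # A cryptographic hash only answers "identical or not".
    same_sha256 = (hashlib.sha256(original).digest()
                   == hashlib.sha256(patched).digest())
    return near, far, same_sha256


if __name__ == "__main__":
    near, far, same_sha256 = demo()
    print("patched copy   : %d/100" % near)
    print("unrelated data : %d/100" % far)
    print("sha256 equal   : %s" % same_sha256)
```

Only the chunk that contains the inserted bytes changes its character, which is why the patched copy still scores high while its SHA-256 no longer matches.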

Next we are going to install Yara. But first let’s get some supporting packages…

  • sudo apt-get install g++ libjansson-dev libmagic-dev -qq
  • sudo apt-get install libpcre3 libpcre3-dev -qq

Ok let’s install Yara.

“YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a Boolean expression which determine its logic.”

You can find their site here: Yara Website

  • sudo apt-get install yara python-yara libyara-dev -qq

Now we need to install Yara Python.

“YARA can be also used from Python through the yara-python library. Once the library is built and installed as described in Compiling and installing YARA you’ll have access to the full potential of YARA from your Python scripts.”

  • cd /opt
  • sudo git clone --recursive
  • cd yara-python
  • sudo python build
  • sudo python install

Now we need to install some Yara Rules (Optional)

  • cd /opt
  • sudo git clone

Now we are going to install DTrace.

“DTrace is a performance analysis and troubleshooting tool that is included by default with various operating systems, including Solaris, Mac OS X and FreeBSD.”

You can find their site here: DTrace Website

  • cd /opt
  • sudo git clone dtrace
  • cd dtrace
  • sudo tools/
  • sudo make all
  • sudo make install
  • sudo make load

Now we need to Install Virtual Box. This is where the Malware or Virus will be allowed to run.

  • sudo apt-get install virtualbox-qt virtualbox-guest-additions-iso -qq
  • sudo apt-get install libvirt-bin virt-manager checkinstall -qq

Now that we have our Virtual Machine Software we can start installing some of the extra software we need to use the web interface, backend storage, and java. If you want to use elasticsearch 1.7 remove it from the pip install line below.

  • sudo updatedb
  • cd /opt
  • sudo pip install sqlalchemy bson jinja2 markupsafe libvirt-python pymongo bottle pefile django chardet pygal clamd django-ratelimit pycrypto rarfile jsbeautifier dpkt nose dnspython pytz requests python-magic geoip pillow elasticsearch java-random python-whois git+
  • sudo apt-get install postgresql-9.4 postgresql-contrib-9.4 libpq-dev -qq
  • sudo pip install psycopg2
  • sudo apt-get install openjdk-7-jre-headless -qq

To search past reports you need to have Elasticsearch installed.

  • sudo wget -qO - | sudo apt-key add -
  • sudo echo "deb stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-1.7.list
  • sudo apt-get update -qq
  • sudo apt-get install elasticsearch -qq
  • sudo /bin/systemctl daemon-reload
  • sudo /bin/systemctl enable elasticsearch.service
  • sudo service elasticsearch start

Let’s add some fonts and web hooks

  • sudo apt-get install wkhtmltopdf xvfb xfonts-100dpi -qq

Now we need to install Clam AV

“ClamAV is an open source antivirus engine for detecting Trojans, viruses, malware & other malicious threats.”

  • sudo apt-get install clamav clamav-daemon clamav-freshclam -qq

Now we need to install PYDeep. These are the Python/C bindings for the ssdeep.

  • cd /opt
  • sudo pip install git+

Now we need to install Man in the middle proxy and a few other packages. Mitmproxy is an interactive console program that allows traffic flows to be intercepted, inspected, modified and replayed. So when our malware tries to connect to the internet we can see what it’s doing.

  • sudo apt-get install libpcre++-dev uthash-dev libconfig-dev libarchive-dev libtool autoconf automake mitmproxy -qq

After you install these packages you need to run the program mitmproxy and then Ctrl+C to close it out. This will create the p12 file you need for cuckoo. If you’re unsure where it was created, use the locate command to find its path. We need to copy it to a new location for cuckoo.

  • sudo cp /home/root/.mitmproxy/mitmproxy-ca-cert.p12 /home/cuckoo/cuckoo/analyzer/windows/bin/cert.p12

Now we need to install Malheur.

“Malheur is a tool for the automatic analysis of malware behavior. By using machine learning, Malheur collects behavioral analysis data inside sandbox reports and categorizes malware into similar groups called clusters.”

Their website is here: Malheur Website

One thing I noticed is that if you try and build the info part it fails to build. So simply say no, and use 0.6.0 as build number and it will create the deb file.

  • cd /opt
  • sudo git clone malheur
  • cd malheur
  • sudo ./bootstrap
  • sudo ./configure --prefix=/usr
  • sudo make
  • sudo checkinstall

This will build a deb file for install. See note if fails.

  • sudo dpkg -i /opt/malheur/malheur_0.6.0-1_amd64.deb

Now we need to install PEFile

“pefile is a multi-platform Python module to parse and work with Portable Executable (aka PE) files. Most of the information contained in the PE headers is accessible as well as all sections details and their data.”

Their GitHub is here: PEFile

  • sudo apt-get install python-pil python-pefile -qq
  • sudo pip install distorm3 pycrypto openpyxl

Now we need to install Volatility.

“The Volatility Framework is open source and written in Python. Releases are available in zip and tar archives, Python module installers, and standalone executables.”

Their website is here: Volatility Website

  • cd /opt
  • sudo apt-get install volatility volatility-tools -qq

Now we need to get v8 and pyv8 Binaries. You need to make sure you set the export path.

  • cd /opt
  • sudo svn checkout v8
  • sudo svn checkout pyv8-read-only
  • cd v8
  • export PyV8=$(pwd)
  • cd ../pyv8-read-only
  • cd pyv8-read-only
  • sudo python build
  • sudo python install

Now we need to install Suricata.

“Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF).”

Their website is here: Suricata Website

  • cd /opt
  • sudo add-apt-repository ppa:oisf/suricata-beta
  • sudo apt-get update -qq
  • sudo apt-get install suricata -qq
  • sudo echo "alert http any any -> any any (msg:\"FILE store all\"; filestore; noalert; sid:15; rev:1;)" | sudo tee /etc/suricata/rules/cuckoo.rules
  • sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata-cuckoo.yaml

Now we need to install Etupdate. Etupdate updates the Emerging Threats open ruleset for Suricata.

  • cd /opt
  • sudo git clone
  • sudo cp etupdate/etupdate /usr/sbin
  • sudo /usr/sbin/etupdate -V

With all of that installed we need to set our VM Host Only Interface.

  • sudo vboxmanage hostonlyif create
  • sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip

Ok now let’s set some IPTables Forwarding

  • sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s -m conntrack --ctstate NEW -j ACCEPT
  • sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  • sudo iptables -A POSTROUTING -t nat -j MASQUERADE
  • sudo sysctl -w net.ipv4.ip_forward=1

Now Install MYSQL and Python Mysqldb

  • sudo apt-get install mysql-server python-mysqldb -qq

Now Install Snort IDS

“An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. ”

Their website is here: Snort Website

  • sudo apt-get install snort -qq

Now since we have installed all of this we can finally get to install cuckoo itself. We also need to add cuckoo user to the vboxusers group so we can restore snapshots. We also need to change the ownership of the suricata-cuckoo.yaml file. And finally change files to cuckoo ownership.

  • sudo usermod -a -G vboxusers cuckoo
  • sudo chown cuckoo:cuckoo /etc/suricata/suricata-cuckoo.yaml
  • cd /home/cuckoo/cuckoo
  • sudo pip install -r requirements.txt
  • sudo git pull
  • sudo chown -R cuckoo:cuckoo /home/cuckoo/
  • sudo chmod -Rv 777 /etc/snort/
  • sudo chmod -Rv 777 /var/log/snort/

Next we need to install VMCloak.

“VMCloak is a utility for automatically creating Virtual Machines with Windows as guest Operating System. It has been tailored to generate Virtual Machines directly usable from within Cuckoo Sandbox, but it can also be used for other purposes as Cuckoo‘s components can be omitted through the configuration.”

Their GitHub is here: VMCLoak GitHub

  • cd /opt
  • sudo git clone
  • cd vmcloak
  • sudo pip install -r requirements.txt
  • sudo python install

You can also install from pip, but it will not be the latest release.

  • sudo pip install vmcloak --upgrade

Next we need to create some mount points for the iso images we are going to be installing. I am using WinXpSp3 Pro 32 bit at the time of this writing. VMCloak also supports Win7 as well. I’ll show both below.

For Windows Xp

  • sudo mkdir -p /mnt/winxp
  • sudo mount -o loop,ro /home/cuckoo/diskimage/winxpsp3pro.iso /mnt/winxp

and for Windows 7

  • sudo mkdir -p /mnt/win7
  • sudo mount -o loop,ro /home/cuckoo/diskimage/win732pro.iso /mnt/win7

Now that we have our mount points, we can use vmcloak to install our operating systems into virtualbox.

As I stated before, I have heard stories about cuckoo having issues if the vm is not built as the cuckoo user. So we need to either add cuckoo to the sudoers file or chmod 777 /usr/bin/genisoimage. VMCloak needs to call genisoimage and will fail for permissions on some systems.

At this point we need to log into the account as the cuckoo user. We will be creating the Virtual Machine, assigning packages to that machine and finally taking a snapshot. As we submit malware to cuckoo, it restores the snapshot, does the analysis, and then submits the results to the reporting server. I use the --vm-visible option because I like to watch the malware run.

As the cuckoo user do the following steps.

  • vmcloak-vboxnet0
  • vmcloak-init --winxp --iso-mount /mnt/winxp --serial-key "Your Serial Number" --vm-visible -d winxp
  • vmcloak-install --vm-visible winxp adobe9 wic pillow dotnet40 firefox_41 java7 silverlight5 pil chrome iexplore
  • vmcloak-snapshot --vm-visible winxp xpcloaked

The first command brings up the vm interface. The second command starts the winxp install. This may take a while. The third command installs various packages into the vm. The last command snapshots the vm. You may want to connect to the vm and install more software and then snapshot after.

I found a few things wrong and needed to correct them before running the snapshot. First the file is out of date with cuckoo. So updating it and changing the name to agent.pyw needed to be done. You will need to edit the registry entry on the vm to point to agent.pyw. Also this will background the agent script so you do not see it in any screenshots. Remember to disable the “auto update” or “check for updates” feature of any additional software that you install.

After our snapshot is created you will see it in the virtual machine manager.

Now that you have your snapshot, let’s configure cuckoo and then start analyzing some malware.

The configuration files for cuckoo are in /home/cuckoo/cuckoo/conf/ folder. The first file we want to edit is cuckoo.conf. Here are the items that you will need to check. Each item has a description above it (I left it out of here) that describes what it is. Please check it as I have not listed all the options here. Only ones that I wanted to make sure you look at. Please pay special attention to the highlighted ones.

  • delete_bin_copy = off
  • machinery = virtualbox
  • memory_dump = on
  • terminate_processes = off
  • reschedule = on
  • process_results = on
  • max_analysis_count = 0
  • max_machines_count = 0
  • max_vmstartup_count = 10
  • freespace = 64
  • tmppath = /tmp
  • rooter = /tmp/cuckoo-rooter
  • route = none
  • internet = none
  • upload_max_size = 10485760
  • analysis_size_limit = 104857600
  • resolve_dns = on
  • sort_pcap = on
  • connection =
  • timeout =
  • default = 120
  • critical = 60
  • vm_state = 60

Now open auxiliary.conf and edit the sniffer and the mitm as well as verify the paths on your system.

  • [sniffer]
    enabled = yes
    tcpdump = /usr/sbin/tcpdump
  • [mitm]
    enabled = yes
    mitmdump = /usr/bin/mitmdump

The next file we need to open is memory.conf and edit a few things. Again I have listed a few things you need to pay attention to. Guest Profile needs to match your Operating system or you will get errors.

  • guest_profile = WinXPSP3x86
    delete_memdump = no
  • [malfind]
    enabled = yes
    filter = on
  • [yarascan]
    enabled = yes
    filter = on
  • [ssdt]
    enabled = yes
    filter = on

The next file that needs to be edited is virtualbox.conf. Please pay attention to this file. Xpcloaked is the label for my virtual machine settings and needs to be defined. The definition is [xpcloaked]. The default will say cuckoo or something like cuckoo1. The “snapshot” setting is the name you gave it when you created it. In my case it was vmcloak.

  • mode = gui
  • interface = vboxnet0
  • machines = xpcloaked
  • [xpcloaked]
  • label = xpcloaked
  • platform = windows
  • ip =
  • snapshot = vmcloak

The next file is reporting.conf that we want to edit.

  • [jsondump]
    enabled = yes
    indent = 4
    encoding = latin-1
    calls = yes
  • [reporthtml]
    enabled = yes
  • [mongodb]
    enabled = yes
    host =
    port = 27017
    db = cuckoo
    store_memdump = yes
    paginate = 100
  • [elasticsearch]
    enabled = yes
    hosts =
    calls = no
  • [malheur]
    enabled = yes

Ok, the last file in this folder we want to edit is processing.conf

  • [analysisinfo]
    enabled = yes
  • [apkinfo]
    enabled = no
  • [baseline]
    enabled = no
  • [behavior]
    enabled = yes
  • [buffer]
    enabled = yes
  • [debug]
    enabled = yes
  • [droidmon]
    enabled = no
  • [dropped]
    enabled = yes
  • [dumptls]
    enabled = yes
  • [googleplay]
    enabled = no
    android_id =
    google_login =
    google_password =
  • [memory]
    enabled = yes
  • [network]
    enabled = yes
  • [procmemory]
    enabled = yes
    idapro = no
    dump_delete = no
  • [screenshots]
    enabled = yes
    tesseract = /usr/bin/tesseract
  • [snort]
    enabled = yes
    snort = /usr/sbin/snort
    conf = /etc/snort/snort.conf
  • [static]
    enabled = yes
  • [strings]
    enabled = yes
  • [suricata]
    enabled = yes
    suricata = /usr/bin/suricata
    conf = /etc/suricata/suricata-cuckoo.yaml
    eve_log = eve.json
    files_log = files-json.log
    files_dir = files
  • [targetinfo]
    enabled = yes
  • [virustotal]
    enabled = yes
    timeout = 60
    scan = 0
    key = a0283a2c3d55728300d064874239b5346fb991317e8449fe43c902879d758088
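
With this many hand edits spread over several files, a quick lint pass before starting cuckoo saves a failed run. The script below is an added example (not part of the original post or of Cuckoo itself), written for Python 3: it flags module sections whose `enabled` switch is missing or misspelled, and checks that every machine named in virtualbox.conf has a complete section. The sample texts are constructed; the `[virtualbox]` section header, the blank `ip` and the function names are assumptions of the example.

```python
import configparser
import difflib

# Keys every machine section needs, as listed for virtualbox.conf above.
MACHINE_KEYS = ("label", "platform", "ip", "snapshot")

# Constructed samples modelled on the listings above (not real files).
REPORTING_CONF = """
[jsondump]
enabled = yes
indent = 4

[mongodb]
enabled = yes
port = 27017

[malheur]
enbaled = yes
"""

VIRTUALBOX_CONF = """
[virtualbox]
mode = gui
interface = vboxnet0
machines = xpcloaked

[xpcloaked]
label = xpcloaked
platform = windows
ip =
snapshot = vmcloak
"""


def load(text):
    """Parse INI text, keeping key names exactly as typed."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def lint_modules(text, filename):
    """Flag sections whose 'enabled' key is missing or misspelled."""
    findings = []
    parser = load(text)
    for section in parser.sections():
        keys = list(parser[section])
        if "enabled" in keys:
            continue
        # To an INI parser a misspelled key is simply a different key.
        near = difflib.get_close_matches("enabled", keys, n=1, cutoff=0.7)
        if near:
            findings.append("%s [%s]: '%s' looks like a typo of 'enabled'"
                            % (filename, section, near[0]))
        else:
            findings.append("%s [%s]: no 'enabled' key" % (filename, section))
    return findings


def lint_machines(text, filename="virtualbox.conf", manager="virtualbox"):
    """Check that each machine in 'machines' has a complete section."""
    parser = load(text)
    if not parser.has_section(manager):
        return ["%s: missing [%s] section" % (filename, manager)]
    raw = parser.get(manager, "machines", fallback="")
    names = [name.strip() for name in raw.split(",") if name.strip()]
    if not names:
        return ["%s [%s]: 'machines' is empty" % (filename, manager)]
    findings = []
    for name in names:
        if not parser.has_section(name):
            findings.append("%s: machine '%s' has no [%s] section"
                            % (filename, name, name))
            continue
        for key in MACHINE_KEYS:
            if not parser.get(name, key, fallback="").strip():
                findings.append("%s [%s]: '%s' is missing or empty"
                                % (filename, name, key))
    return findings


if __name__ == "__main__":
    problems = (lint_modules(REPORTING_CONF, "reporting.conf")
                + lint_machines(VIRTUALBOX_CONF))
    for line in problems:
        print("WARN " + line)
```

To run it against a real install, read the files under /home/cuckoo/cuckoo/conf/ and pass their contents to the two functions in place of the constructed samples.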

Now we need to edit /etc/suricata/suricata-cuckoo.yaml and uncomment some items. Find the entries below and uncomment them.

  • eve_log = eve.json
  • files_log = files-json.log
  • files_dir = files

Wow. That’s a lot of edits… As you can see it takes a number of 3rd party software to really get this running. So what we need to do now is install the cuckoo community scripts. As the cuckoo user navigate to /home/cuckoo/cuckoo/utils/ folder and execute this command

  • python -afw

After this has completed, we are ready to start our cuckoo sandbox.

As the cuckoo user execute these commands from the /home/cuckoo/cuckoo folder

  • python

If you get an error simply start the virtual machine and then stop it. It will bring up the network interface.


In another terminal run this command as the cuckoo user from the /home/cuckoo/cuckoo/web/ folder.

  • ./ runserver

Ok now that we have started cuckoo and the webserver we can open our browser and go to the Cuckoo Web Interface. This is where we will submit our malware to and get our reports.


Ok so far so good. Next we need to submit a piece of malware to the machine and let it run. There are some options here if you have defined them. Dirty connections let your malware talk to the internet. I have run both.


Let’s click Analyze and see what happens.


Ok, so now we have submitted our malware to the cuckoo system. What we should be seeing is the virtual machine come online like the screenshot below. Once it is online, cuckoo will pass the malware to the machine and execute it. As the malware does different things, the memory and traffic are dumped and pcaps are created.

Now we can see that cmd.exe is being executed. Every time a new piece of malware is loaded, you will see the Virtual Machine “Restore” the snapshot and then do its job.


After the malware has run and the timeout is reached the Virtual Machine is shut down and all of the data should be in the cuckoo system now. If we go to the recent page and click on our submissions, we should see something similar to what’s below.


Here is the lower half of the screen above.


So now that you have a basic malware lab you can play with it for hours exploring how malware and viruses work. You can learn a lot by just watching it run. There are many other software packages that you can use along with the ones I’ve stated before. I encourage you to adjust this system to your liking. If you need a great source of older applications to install in your sandbox you can go to

Many times I had to watch the terminal for errors and warnings. This helped me dial in the settings that I needed to get this up and running. A few notes I need to leave off with. Many times I ran out of space. These files can be very big, so make sure you create a vm big enough to hold all the dumps, pcaps, and screenshots. Also I suggest doing small runs of files if you want to do more than one at a time. I had a lot of fun with this project and there were many different ways to do this. I hope it helps someone.

Last thing.. I want to say thanks to @da_667 and @MalwareUtkonos for motivation, and a few quick pointers…


What is OpSec?

For normal people we can define it like this: basically you need to not leave about bits of information that can be traced back to you, or be put together like a puzzle to form a bigger picture about who you are or what you are doing. Don’t use credit cards in your name, sign up for social networks, and post pictures with Exif data or landmarks in the background. These types of acts leave a trail right back to the person. Other ways to practice OpSec might be to not give people your personal information, your bank account information, or even share your passwords. The biggest way I feel people destroy their OpSec is by telling people what they are doing. Many people trust others with little thought to how the information they are giving them can be used to betray them.


The military defines OpSec with a very structured definition. “Operations security (OPSEC) is a term originating in U.S. military jargon, as a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.”

Who uses OpSec?

When we look at how the term has changed in the last 10 years, we can add in many types of situations. Businesses use it to protect their R&D and product lines. Law Enforcement uses it in investigations to build cases against criminals. Hackers use it to keep from getting arrested, and terrorists use it to keep their plans secret. OpSec is used by so many types of organizations that it has become a daily practice. Many groups use VPN, Tor, or other types of technology to hide their traffic or actions.

I have great OpSec! How can I fuck it up?

There are many ways to fuck up OpSec. When we look at some of the most highlighted hackers who have gotten caught these last few years we notice a couple of things. They did not practice good enough OpSec. Most of these hackers slowly leaked information that was used to trace or correlate them to their traffic or habits. This eventually led to their arrest and was used as evidence against them.

Many people say to use Tor (The Onion Router) to create a VPN to hide your activities. As many have found out this is completely false. Law enforcement and criminals alike use and operate on Tor or VPN services. Tor is not secure (it leaks your location, and stands out like a sore thumb) and is enough to get you looked at. VPNs are not secure either. Both VPN operators and Tor exit nodes can see what’s going through the pipe. In one case the government used an Adobe flaw to connect outside of the Tor network and reveal the user’s IP address.

No one can honestly say that they use the best OpSec that’s out there. What’s safe today may not be safe tomorrow. When traveling the internet, you connect through many systems and it is impossible for anyone to tell if those systems are secure, uncompromised, or that the owner isn’t doing malicious things to the traffic. While we all use software, it’s not as secure as we think. Bugs, tech issues, and other flaws exist in the product line, which may leak your usage.

Here are a few other ways to screw up your OpSec:

  1. Doing operations from your house or work
  2. Using the same MAC address for multiple operations
  3. Using the same Internet handle for both personal and operations work
  4. Working with others who will sell you out to save their ass
  5. Bragging about your operations

There are so many ways to screw up your OpSec and the list grows longer every day.

Let’s look at a few people that fucked up their OpSec. Many stories have been written about each of these people. Some stories are more accurate than others.

In the case of the group known as YardBird, they used a common encryption key that was given to all members. While this allowed them to kill a key and replace it quickly, it took only one member getting caught and giving up the encryption key to expose a portion of the group. Once the police had the key they could read messages meant for the group.

“During a period of 15 months, there were around 400,000 images and 11,000 videos uploaded to a central server run by the group and shared by the members. The reason we know that, is because during that 15 months, the FBI performed an undercover operation to infiltrate the group in hopes of apprehending the members. They successfully apprehended 1 in 3 members of the group. One of those who remain free to date, was the leader of the group, who also went by the online name YardBird.

How is it possible that after so much effort was put in by the American Federal Bureau of Investigation (FBI), the Australian Federal Police (AFP) and the Australian Queensland Police Service, that people high up on the wanted lists were able to evade capture. They used strong cryptography, and proper OpSec rules.”

Link: The YardBird Story

Jeremy Hammond had pretty good OpSec, but was working with an informant: Hector Xavier Monsegur (AKA Sabu )… Hammond told Sabu a few detailed things about his life, and that was used to pin-point who he was. Hammond had been arrested before, and had told Sabu about it, which led police to put two and two together.

Hector Xavier Monsegur, AKA Sabu, who is allegedly the mastermind of hacking group, LulzSec


Link: The Down fall of LulzSec

In the case of Higinio Ochoa (my best friend), he uploaded pictures with the GPS location of his Girlfriend to his operations Twitter account. After the police identified her, they identified him through her social media accounts. In short, you need to keep your online identity completely separate from your personal life. Higz failed to follow this rule by using his girlfriend in his pictures. Yes, it was funny to see his taunting on Twitter, but they were able to use that to connect him to his crimes. Most people think that he was caught due to not understanding Exif metadata, but that is an untrue statement. One of the best ways to screw up OpSec is to rush. Deadlines are deadlines, and if you rush to meet them, you make mistakes, such as publishing the picture with metadata instead of the one you just cleaned as Higz did.


With so many possibilities and so many flaws, I think we can assume that you can never have 100% solid OpSec. If you work with anyone else, publish your victories, or communicate to others about what you’re doing, you’re at risk of fucking it up, or you’ve fucked it up already. If you look at today’s news about hackers who have gotten arrested, you will see the sentences are rising. People from other countries are being extradited to face charges in others. Groups form and break apart faster and faster, as they are infiltrated and members are turned on one another.

So in closing… listen my brothers and sisters… Practice good OpSec… or better yet… rethink what you are doing… It might not go well… Stay safe…

So you just got a new computer, the cable company came in to put in your new line, and you just cannot wait to jump on Twitter. One thing is making you a bit worried though: all those digital fingerprints have been left from before and you can’t shake the feeling that your last boyfriend has been following your Facebook posts a little too closely. What’s a young lady/man to do? Well, it’s time to go … SECRET SQUIRREL!

Internet safety, or as I like to call it PIISec, is something that more often than not is overlooked when we surf or buy stuff online. I don’t subscribe to the notion that it is OK to spy on me because I am not doing anything wrong; in fact it kinda disgusts me. If you wish to know something about me, say for instance, what type of cool gadget I just bought from Hak5 Shop, then please ask. Don’t place a cookie in my cache and have me sign something you know I am not going to read. I want to be as safe online as I can be and deep down, I would like you to be safe too.

Live like a spy, THINK like a spy!

Fake it till you make it is a long overused phrase, but in security it’s always wise to be a little if not very paranoid. In the post-Snowden world it’s no longer an if but a WHO is watching me in my everyday boring life. Keeping this in mind we need to make some personal choices and STICK WITH THEM! The methodology I use is stolen from the Microsoft security model called the “Ring of Trust”. Imagine you are the sun and around you are three orbits, each one granted a little bit more knowledge about you as they get closer and each one given a bit more PII (Personal Identifiable Information). The reason we want to start doing this sort of micromanagement is because sometimes in this day and age we find ourselves saying we have 25,000 friends yet only 3 show up to our parties. These kinds of social networks are HUGE kinks in our PIISec and allow our threatscape to be very large for anyone wanting to social engineer us. The way I break up my online contacts is like this:

Ring 0

  • Family – Close
  • Work – Bosses
  • REAL Friends

By real friends I mean people who can or would drive to your house and knock on the door if they thought you were in danger or missing. NOT people you talk to “all the time” or people who “liked” your posts.

Ring 1

  • Family – Not so close
  • Work – Associates
  • Friends – People you talk to often and normally but not ring 0 friends.

This is a middle ground: these people have a phone number and an email address for you, but it’s saved in a contact list and probably under some name like “Hairy dood” or “Loud Chick”.

Ring 2

  • Work – Vendors or random people from work, they need to send that e-vite to the boss’s birthday SOMEWHERE.
  • “Friends” – Everyone else … They know your Twitter handle or Facebook profile.

These are of course just suggestions, but after a while it becomes second nature, so please don’t give up before trying a few of them. The whole reason we are breaking our life up like this is because it makes it easier not only to give the person asking the right information, but if your PIISec is broken it’s easy to see where it all went wrong. The goal of course is not only to be safe but to trust our most private information to only the closest people in our lives. We should also take some time to consider WHAT information is sacred and what can be disposable. I like to be vague to everyone; even if you’re my best friend it’s very unlikely you will know my address until it’s absolutely necessary. My Social Security Number is known to only my immediate family and my phone number to a select few I have chosen. So before we get started and the comments come in, let me just say this. It is 100% possible to do this with any mix of the following, including adding extras along the way, but to be honest sometimes you have to just be happy with being secure enough, because to be totally secure you have to be totally off the grid. That being said, I recommend the following setup and uses.

  • 2 phones
  • 3 email addresses
  • 2 PGP Keys

This is a good start. One phone can be a crappy throwaway and the other can be your personal phone. You do not want to have two iPhone 6s when you’re faced with throwing one into a garbage can. You want to have 3 email addresses at the very least: one for your services, one for your bills and one for your ring 0 friends. This ensures that the email you check the most won’t be filled with spam or stupid notifications and keeps your personal email off any lists you may not want to be a part of. Use your Ring 0 email address for correspondence ONLY! There is no need to use it to sign on to any services. 1 PGP key is usually enough but I recommend two. One will be used for your ring 1 contacts and the other is your secret squirrel key. IF some nation state is looking for you it’s probably best to have that backup key to buy you a bit of time. I recommend for your forward facing PGP needs since it does all the handwork for you and allows you to easily verify your contacts. If you need an invite you can hit me up on Twitter and if I’ve got some left I will happily send one to you. I will need an email address so have your ring 2 email address handy! Simple copy/paste tools allow you to be secure without a whole suite of tools… however you still may want some.

For instant communications I recommend some sort of XMPP system, preferably one that supports OTR. There are tons of applications, so to go over each would be crazy. I like to think in these terms: use OTR or end-to-end encrypted chat systems if available, and if they are not then wrap your text in PGP and feel good that you’re doing better than most. The EFF has a great site dedicated to this and more over at its Surveillance Self-Defense site.

Browsing Safe

For general browsing needs I prefer to use Firefox over Chrome, however security-wise they are both as vulnerable as the other. One can argue and argue over which is better; I will leave that to you to decide. I have seen them both render slow, both get exploited and both render fast. I personally run both, but I do tons of web programming and like to check for cross-platform compatibility. What to install on your browser however is a whole different thing. Every browser should have both Privacy Badger and AdBlock installed. Together these tools will ensure that you have a totally different web experience. You may actually start to enjoy surfing the web again!  Another addon that I suggest is NoScript for Firefox or uMatrix for Chrome. These will limit the effects if you happen to find yourself on a site loaded with drive-by malware and generally keep you safe while you surf. Also, since we are trying to ensure we take the safe route wherever we go, I should mention HTTPS Everywhere; it’s a great plugin that tries to force HTTPS wherever possible. While not something that is a MUST for every site, you should install it simply because if you can make it harder for the bad guys you might as well. Plus we don’t EVER want to push credentials over a plain HTTP connection.

Password Vaults and Physical Security

So the biggest complaint most people have about not using the same password over and over is trying to securely keep all those passwords around and accessible. Even having a bank of say 3 passwords is a bad choice when you consider that if I was tasked to brute force them the mathematical probability of me succeeding would be huge. The other problem I see is keeping data safe. Whether it’s a full hard drive or simply your key vault, it should be wrapped in some sort of secure container to keep it from being lifted and broken into offsite. While having a secure vault is a good start, having that extra layer is even more comforting. These problems seem huge, but with a couple of pieces of software/hardware we can tackle them hands on.  For password vaults the most often used is KeePass. This vault not only works on a multitude of operating systems but allows you to throw in special files that must be there in order for the password to work. This is essentially a poor man’s 2FA (Two Factor Authentication), since the special file can be placed on each computer you use while you carry your vault with you, or better yet you can use two USBs: one with your special file (can literally be any type of file) and one with your vault. I personally prefer LastPass since it is also available on plenty of platforms but goes a step further and offers browser extensions and mobile support for a price. LastPass also has 2FA like KeePass using their software Sesame, but can also use hardware 2FA generators like the ones sold by Yubico (I have yet to purchase one since money has been tight, so Yubico, if you’re listening, get at me!). These are pretty cool and can be used with plenty of software packages. If you’ve got the money buy one now; if you’ve got extra money, buy me one!


Now many people may ask why I have yet to suggest TOR, and to that the answer is simple. I do not trust TOR enough to take the speed loss that comes with it. I have seen the tests run by some of the top scientists, and while I will not deny that THEORETICALLY Tor will keep your connections anonymous, it is still too predictable for me to lose so much bandwidth. A good VPN company will offer you decent security and speeds while not breaking the bank.  For most people however TOR is simply overkill and should be used to help those truly censored to be heard. Run a node if you want to support TOR but don’t expect it to be safe. That brings me to another issue I have with TOR. Many users feel OVER safe while using it, and it causes them to not only leak data but put themselves at risk by feeling much more brave than they should. I see TOR as the drunk glasses of the internet.

If you’re looking for a good roundup on VPNs this is a good read.


While the internet is still very much the same dangerous place it always was, if not more so, it’s not somewhere I’m willing to stay away from. That being said, keeping safe online is as much a mindset as it is a software/hardware problem, and I hope I have helped even in the smallest way. I will expand this post as information and questions come in.

I'll have what she's having

Getting a malware lab installed is one thing, but configuring it to be useful is a whole undertaking in itself. One of the first problems we run into when setting up a proper lab environment is simulating the internet. Sure, a network will allow each computer to talk to another, but what about those pesky URLs: who is going to do all the resolving? It can of course be easily simulated with scripts and custom applications, but let me tell you something. As a programmer for the last 20 years, the one most annoying thing to have to do is reinvent the wheel. That’s EXACTLY why they have frameworks for these types of things. That being said, to simulate the internet from 4chan to Google, I am going to use a framework called INetSim. The collection of applications it includes can emulate everything from IRC to basic HTTP.

To perform a quick run-time analysis of the network behavior of unknown malware samples, we were in need of a tool to simulate internet services which are commonly used by malware in our laboratory environment. We started off with a bunch of home-grown Perl scripts together with specially configured server service implementations like Apache, Postfix, dnsmasq and ntpd, but we were not happy with this because of a lot of disadvantages resulting from the combination of many programs (e.g. problems with correlation of log data).

While talking to other security analysts, we noticed that there is definitely a need for a comfortable single suite to simulate different internet services with common logging and centralized control functions. So we decided to start the project ‘INetSim’ to develop such a suite.

Nice piece of awesomeness, yes? OK, so now we have to prepare a VM for it to be installed on. Wait… you mean there are VM-ready versions of Linux that I can just download and run? Aye there are, and it’s called TurnKey Linux. TurnKey Linux is great for just these types of projects; it can be downloaded and run in such a short time that all one must really pay attention to is the configuration, which is really, really, really easy. Now the version of Debian Linux that I prefer is Jessie, and unfortunately v 14.0 of TurnKey Linux is in ISO format only.  It’s OK though, soon it will be available in one of the many other formats that TurnKey Linux is known for, so just enjoy the ease of use and install your VM already.

Install TurnKey Linux

  • Memory 2GB
  • HDD 40GB
  • Network Adapter NAT (Will change to our Malware Lab Network after updates and software installs)
  • TurnKey Linux Core

So, create the VM and fill in your specific details. I chose these settings because I wanted some wiggle room to add shared directory space, so it seemed like a good idea.  It first asks you for a root pw, then for the Hub services API key; I personally skip it since I back up my own stuff, but you’re free to do what you want. They also ask you to sign up for their security updates, but I’m anal about updates so no need to tell me! Same with the auto install of security updates. After that you simply quit the configuration menu and you’re presented with a login prompt to your newly installed and updated TurnKey Linux box.

One of the reasons I like Debian so much is that they usually have some version of the software I am going to use in their repository. Now it working is something completely different, but hey, at least they try.  Knowing that most if not all the dependencies I was going to need were in the Debian repo, it was time to add the INetSim repo and get this beast running!!

nano /etc/apt/sources.list.d/sources.list

and add the following line:



deb binary/

You’re going to want to install the signature key also, so run wget, then update apt-get

wget -O - <INetSim signing key URL> | apt-key add -

apt-get update

If everything goes according to plan you simply have to install INetSim now

apt-get install inetsim

That gets her installed, but we need to edit some configuration files if we want her to purrrrr. The first thing is that since this box’s sole purpose is to fake the net, we need to ensure that she starts up on boot.

nano /etc/default/inetsim

That will open up the configuration file, and we need to change ENABLED from 0 to 1.

The next thing we want to do is configure the actual main configuration file to enable services and setup our dns.

nano /etc/inetsim/inetsim.conf

As you can see it has a lot of services turned on, I personally will leave them that way and simply play with our DNS. Our IP Address is local so I want to make sure we bind to it instead of the default localhost to

Next we are going to uncomment the dns_bind_port and dns_default_ip, changing the latter to your static IP.

There are tons of things to configure and to go over each one would be crazy; the documentation is available and the system is pretty well commented. So, after it’s been nice and configured the way I want her, it’s time to configure my malware test platforms to talk to her and test it out. If everything is working, and it should be since the system is made to be easily configurable, you can type in and should get a nice simulated internet page.
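The edits described above, collected into one script as an added example (not part of the original post or of INetSim itself): it applies them to constructed stand-ins for the two files and then checks the result. The lab IP 10.0.50.10 and the sample file contents are assumptions, and service_bind_address is assumed to be the bind setting the post refers to, since the post does not name that key.

```shell
#!/bin/sh
# Added example: apply and verify the INetSim lab settings from the post.
# All sample data below is constructed; point the functions at the real
# /etc/inetsim/inetsim.conf and /etc/default/inetsim on your own box.

# get_key FILE KEY -> prints the value of the last active "KEY value" line.
get_key() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# set_key FILE KEY VALUE -> rewrites an active or "#KEY value" line, or
# appends one. Doc comments like "# dns_bind_port" (space after #) are kept.
set_key() {
    if grep -Eq "^[[:space:]]*#?${2}[[:space:]]+[^[:space:]]" "$1"; then
        sed -E "s|^[[:space:]]*#?${2}[[:space:]]+[^[:space:]].*|${2} ${3}|" \
            "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# apply_lab_config CONF DEFAULTS LAB_IP -> makes the edits from the post.
apply_lab_config() {
    set_key "$1" service_bind_address "$3"  # bind to the lab IP, not localhost
    set_key "$1" dns_bind_port 53           # uncomment the DNS port
    set_key "$1" dns_default_ip "$3"        # every lookup resolves to this box
    if grep -q '^ENABLED=' "$2"; then       # start on boot: ENABLED 0 -> 1
        sed -E 's/^ENABLED=.*/ENABLED=1/' "$2" > "$2.tmp" && mv "$2.tmp" "$2"
    else
        echo 'ENABLED=1' >> "$2"
    fi
}

# check_lab_config CONF DEFAULTS LAB_IP -> prints problems, returns 1 if any.
check_lab_config() {
    rc=0
    [ "$(get_key "$1" service_bind_address)" = "$3" ] ||
        { echo "service_bind_address is not $3 (services stay on localhost)"; rc=1; }
    [ -n "$(get_key "$1" dns_bind_port)" ] ||
        { echo "dns_bind_port is still commented out"; rc=1; }
    [ "$(get_key "$1" dns_default_ip)" = "$3" ] ||
        { echo "dns_default_ip is not $3"; rc=1; }
    grep -Eq '^ENABLED=1[[:space:]]*$' "$2" ||
        { echo "ENABLED is not 1, INetSim will not start on boot"; rc=1; }
    return $rc
}

# write_sample DIR -> constructed stand-ins shaped like a fresh install.
write_sample() {
    cat > "$1/inetsim.conf" <<'EOF'
start_service dns
start_service http
# service_bind_address
#service_bind_address  10.10.10.1
# dns_bind_port
#dns_bind_port  53
# dns_default_ip
#dns_default_ip  10.10.10.1
EOF
    printf 'ENABLED=0\n' > "$1/inetsim"
}

# Demo run on the constructed files.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
echo "before:"
check_lab_config "$demo_dir/inetsim.conf" "$demo_dir/inetsim" 10.0.50.10 || true
apply_lab_config "$demo_dir/inetsim.conf" "$demo_dir/inetsim" 10.0.50.10
echo "after:"
check_lab_config "$demo_dir/inetsim.conf" "$demo_dir/inetsim" 10.0.50.10 && echo "ok"
rm -rf "$demo_dir"
```

Running the check again after the VM is moved from NAT to the malware lab network catches a config that was reset by a package update.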



Vulcan mind meld

For those familiar with the popular series Star Trek, the mind meld is a pretty cool trick. It exposes the mind of the person to be probed and all the deepest secrets known, along with some other cool tricks, few of which I know since while it is a wildly popular show, I myself did not follow it. My point is that a social engineer is a great asset to any team, but a really good social engineer would be able to do more than trick a low level secretary into revealing her password and undies over Snapchat. Someone who could get so far into your psyche that you would knowingly hand over your assets without question is a far more valuable tool and dangerous foe than any simple Jedi trickster. For those of us who wish to bring our game up to a whole new level, I present you with not a literal 120 step program but in-depth information that will allow you much more control over yourself and thus, those you interact with. This is not going to be a short post since a whole lot of information has to be explained. Please take the time to read my points and learn a thing or two to be a great social engineer.

Before we get too crazy here, let me explain that you will not find a simple tactic that works 100% of the time in this post. Each person you encounter will have different levels of different tells, and knowing all the possibilities of each will allow us to better do what every social engineer must do: guess the adversary’s feelings towards you so that you may change tactics before you hit a brick wall. These observations come from my life’s work of studying people. I am above all an observer, someone who watches interactions between people and groups while challenging myself to interpret each sign’s significance. I have read many books and practiced daily, so while I am very confident in the correctness of my methods and observations, I am in no way saying that the information presented is 100% across all boundaries.  Case in point, a variable that will need to be addressed is something as strange as comfortable talking distance. An American has a higher chance of feeling uncomfortable by you being close to them than say a Japanese national, simply because of cultural differences.  Keeping this in mind will make it easier for you to avoid inadvertently coming off as rude for being too close, or too far away from the person you are talking to. While stereotyping is generally a very bad idea when you are trying to make friends or hire someone, it is your best bet when trying to profile someone as quickly as possible, filling in and altering the opinion as you learn more about them.


Getting to know someone

While you are essentially judging your target, you are doing so with as much of an educated guess as possible.  These tells allow us to alter a judgment and refine our understanding of our target. For instance, if you were yelling at me to get into your car, I would judge the situation differently if the setting was outside, at night, and in a dark alley than if we were, say, outside a noisy night club. While it may seem obvious, that is because the example was made to be so; many times we need to go over our assessment to ensure that we are taking in all possible variables.  In predicting someone’s attack surface it’s best to consider the following 7 points so that your first impression of your target is well informed. There are over 700,000 distinct physical signs given off by the human body we need to keep track of: 1000 are body postures, 5000 hand gestures, 250000 are facial expressions.  We have to make sure we take in everything about the person we are talking to.

  1. Personal Appearance
  2. Voice
  3. Body Language
  4. Actions
  5. Communication Style
  6. Environment
  7. Content of communication

When you are engaging your target, try to stay away from the following influences, as not doing so gives the target the chance to create the answers we are looking for, causing us to guess wrong or interpret wrong.

  1. Emotional / Commitment
  2. Neediness
  3. Fear
  4. Defensiveness

By keeping these feelings out of your statements you will be able to form questions that are more informative and less judgmental. When you are “interviewing” someone, make sure you set the mood for them to be as informative as possible. Since ANY distraction is a potential interruption and interruptions are conversation killers, try to keep your target engaged in conversation. Never interrupt, condemn, argue or patronize your target, since that judgment can lead to the target injecting tells and false information to protect their pride. Be empathetic, involved yet not overly so, stay comfortably close to your target and answer with “Right” or “I understand”. Be aware of your body language and stay away from giving off tells that may be picked up and give away your true motives; never get too familiar too fast when talking about yourself, so that you can return as quickly as possible to the target.  Listen with all your senses, and if possible always in person so that you have control of the environment. Listen on their turf and somewhere they feel comfortable while avoiding an audience. Go slow and easy; the best answers come when you don’t allow somebody too long to ponder the possible replies. Think ahead of some questions that you want to ask but don’t be afraid to improvise also. Questions should generally start in these categories: compassion, socio-economic background, satisfaction with life.

A good beginning lineup would be: Where were you born? What do you do for a living? Do you belong to any organizations? What are your goals in the next 5 years?

Try to remove physical obstacles between you and your target so that they feel more closely connected and part of the conversation. Most importantly, consider the context of the conversation. If the target is often exaggerating or misquoting others then it’s best to interpret the information under that context. In general there are three types of questions:

A good beginning lineup would be, Where were you born?, What do you do for a living?, Do you belong to any organizations?,  What are your goals in the next 5 years.

Try to remove physical obstacles between you and your target so that they feel more closely connected and part of the conversation. Most importantly consider the context of the conversation. If the target is often exaggerating or misquoting others then its best to interpret the information under that context. In general there are three types of questions

  1. Open Ended – No suggestion on what you may want the answer to your question to be.
  2. Leading – Same as open ended but with a restricted scope to elicit a response you are looking for.
  3. Argumentative – Dangerous but can force someone into a reluctant admission.

Using these 3 types of questions one can craft a great line of questioning that will hopefully lead to the information you are seeking. Don’t forget that after each question you should ask good follow-up questions to ensure the information you are getting is as clear to you as possible. You may rephrase your last question or, if needed, completely repeat it with emphasis on certain words you want your target to concentrate on.


Discovering Patterns

As I have mentioned before, there is no silver bullet in character development, but knowing what the tally is at the end of an evaluation will help you understand that person that much more. When undergoing the character development stage of an interview, make sure to note things down so that you can keep track if said trait changes or is altered in an attempt to change your personal picture of the target. Keep the following in mind when you first meet someone to get the most information from each additional meeting.

  • The person’s most striking traits, and are they consistent?
  • Consider each characteristic in light of the circumstances.
  • Look for extremes
  • I.D. deviations from the learned pattern of the individual you’re targeting.
  • Is the individual’s state of mind temporary or a permanent one?
  • Distinguish between elective and non-elective traits.
  • Give special attention to certain highly predictive traits.

When you first meet someone new, take notes, mental or otherwise, of the two or three characteristics that stand out to you the most. To be able to accurately identify patterns in people’s traits and behaviors you need to consider the “stage” upon which they act. Note each change in a person as the settings change and they become more comfortable around you. The significance of nearly EVERY trait depends directly on how big, small, intense or subtle it is. Anything unusual is usually important in understanding people. Ask yourself, is the clue I am evaluating just an isolated event or have I seen this before? Someone’s level of compassion, socioeconomic background, and satisfaction with life almost always reveal the most about a person, so try to touch on each when in a conversation.

Elective Traits: Clothing, Jewelry, Mannerisms, Tattoos, Makeup
Non Elective Traits: Sex, Age, Race, Body, Handicaps

First Impressions

Personal Appearance

Of all the methods available the first impression is the least reliable, but it is where we all must begin. Look for consistent combinations of clues; they will be there if you’re on the right track. Someone wearing inappropriate clothing or makeup, or using inappropriate gestures and hairstyles, can reflect many things, so try not to allow one bias to override all others.

Body Language

Involuntary body language may be the ONLY sign of negative traits or emotions. Pay special attention to inappropriate actions. Look for anything that is peculiar or peculiarly unique. Consistency is one key to interpreting body language, so make sure the signs match the person before relying heavily on them. As you will see, many signs will show up in multiple categories and you must be able to use all the clues you collect to decipher just which sign the speaker is conveying. Keep in mind that if a person is not lying their manner will not change significantly or abruptly. People who are bored will usually distort themselves physically. Defensive people close up.  Make sure you do not misinterpret boredom as surrender or frustration. Someone who is nervous will need an outlet for this nervous energy.

Psychological Profile of someone deceiving.

  • Humans see the world as a reflection of ourselves. If consistently accused, be wary.
  • Is the person focused internally or externally? Confident people are more interested in you understanding, not in how they appear.
  • Point of view of third party is often missing
  • Leaves out negative aspects
  • Willingly answers questions but asks none back

Signs of Dishonesty. (Honesty would be opposite signs)

  • Shifty or wandering eyes
  • Change in voice
  • Rapid Speech
  • Any type of fidgeting
  • Shifting back and forth on one’s feet or in a chair.
  • Any signs of nervousness
  • Exaggerated version of the “sincere, furrowed brow” look
  • Sweating, shaking or licking lips
  • Any activity that obscures the eyes, face or mouth.
  • Running one’s tongue over the teeth.
  • Leaning forward
  • Inappropriate familiarity such as invading your personal space.

Signs of Attentiveness / Pensiveness

  • Maintaining strong eye contact
  • Gazing steadily at an object
  • General stillness
  • Tilting or cocking one’s head
  • Chewing one’s lip/pencil
  • Furrowing one’s brow
  • Folding one’s arms and staring into space
  • Leaning back in one’s chair
  • Looking upward
  • Scratching one’s head
  • Holding one’s head in one’s hand
  • Resting one’s head on the hands/fingers.


  • Letting one’s eyes wander
  • Gazing into the distance
  • Glancing at watch or other objects
  • Sighing Heavily
  • Yawning
  • Crossing and uncrossing legs & arms
  • Tapping fingers or feet
  • Twiddling thumbs
  • Pointing one’s body away
  • Shifting weight
  • Leaning forward and backward in one’s chair
  • Rolling the eyes
  • Moving one’s head from side to side
  • Stretching
  • Cradling one’s chin in hand
  • Picking at things (clothes, shoes, ring, etc)
  • Attempting to do another task

Anger / Hostility

  • Arms, legs, ankles crossed
  • Short or rapid breath
  • Frequent repetition of certain phrases
  • Finger pointing
  • Rapid speech
  • Rapid body motions
  • Tightly closed lips
  • Stiff, rigid posture
  • Shaking
  • False / Sarcastic laughter
  • Frozen expression / scowl

Frustration / Confrontational

  • Frequent eye contact
  • Within your personal space
  • Gesturing with hands
  • Shrugging or pointing

Surrender / Total Surrender

  • Sighs
  • Grimacing
  • Rapid exhaling
  • Hands on hips
  • Hands on head
  • Exaggerated movements
  • Rolling / Closing eyes
  • Walking Away
  • Shaking one’s head
  • Shrugging


  • Isolation from social contact
  • Poor concentration
  • Inability to focus or plan ahead
  • Low / Quiet speech
  • Downcast eyes
  • Slow and deliberate movements
  • Change in appetite (either under or over eating)
  • Forgetfulness
  • Inattention to hygiene or dress

Grief / Sorrow

  • Tears
  • Listlessness
  • Inability to complete normal daily tasks
  • Isolation
  • Downcast eyes
  • Apathy
  • Signs of depression & confusion
  • Relaxed facial muscles
  • Slumped or slacked body
  • Motionlessness or slow movement


  • Shifting back and forth
  • Looking back and forth between objects
  • Tilting head from side to side
  • Opening and shutting hands or moving one hand then another
  • Opening and closing mouth without saying anything


  • Eyes darting back and forth
  • Tensing of the body
  • Curling up of the body
  • Shifting weight side to side
  • Rocking in one’s chair
  • Crossing / Uncrossing arms/legs
  • Tapping hands, fingers, feet
  • Adjusting or fiddling with objects
  • Wringing the hands
  • Clearing the throat
  • Nervous cough
  • Smile tic (a quick smile then back to their normal expression over and over)
  • Biting the lip
  • Looking down
  • Chattering nervously
  • Shaking or quaking (Extreme situations)
  • Sweating
  • Chewing nails or picking cuticles
  • Hands in pockets
  • Rotating side to side with upper body
  • Becoming silent



Learn to hear between the lines, as every conversation is built from two distinct dialogs: the actual words, and the conscious / subconscious vocalization, volume, cadence and tone of voice. To hear the unspoken message, focus on the voice, not the words, in short spurts. Consider if vocal characteristics are voluntary. Listen for patterns and changes as the conversation continues; consider context and the environment. Lastly, compare the voice to the body language you’re picking up and the words being used. Keep the following in mind when interviewing someone since they can be indicators of someone trying to fool you.

What is said: Verbal Content

  • Uses YOUR words to make a point
  • Keeps adding information until they are sure you’re sold on the story.
  • May stonewall to limit challenges to position held by accuse
  • Watch out for Freudian slips
  • Depersonalizes answer by offering belief in the subject instead of directly answering.
  • Implies an answer but never states it directly

How something is said

  • I, we, us are underused pronouns or absent
  • Deceitful responses to questions take longer to think up
  • Reactions that are all out of proportion to the question
  • Speaks in monotones and passive voice.
  • Statements sound like questions.

Decoding Vocal Clues

Loud Voice

  • Control
  • Persuasion
  • Compensation for a perceived flaw
  • Reaction to hearing loss
  • Inebriation

Is this voice appropriate? Is the loudness constant or does it vary? How is the voice being used?

Soft Voice

  • Can be used to manipulate
  • Lacks confidence and assertiveness
  • Maybe reflects calm self-assurance
  • Arrogance

Does the speaker seem tired? Is the speaker internally forcing someone within ear shot? Is the speaker maybe lying? Is the speaker limiting who can hear?

Rapid Speech

Fast speaking by someone who is usually normal paced can mean:

  • Nervousness
  • Anxiety
  • Impatience
  • Insecurity
  • Excitement
  • Fear
  • Drugs & Alcohol
  • Anger
  • Caught in a lie
  • Desire to persuade.

Slow Speech

  • Anxious
  • Ill
  • Confused
  • Under the influence
  • Lying
  • Deep in thought
  • Fatigued
  • Sad or grieving

Is slow speech normal or is it discomfort?

Halting Speech

  • Insecurity
  • Nervousness
  • Confusion
  • Untruthfulness
  • Attempt at precision

Speech patterns in halting speech include pitch, intonation and emphasis, flat, unemotional voice, pretension/snobbery and whining.


  • Anger
  • Sexual interest
  • Disbelief
  • Excitement
  • Frustration
  • Nervousness

Raspy Voice

  • Smoking
  • Illness
  • Gives speeches

Mumbling (chronic)

  • Lack of confidence
  • Preoccupation
  • Insecurity
  • Fatigue
  • Anxiety
  • Inability to articulate thoughts.
  • Self-consciousness
  • Illness

Mumbling (unchronic)

  • Distracted
  • Tired
  • Chewing
  • Under the influence

Mumblers seldom demonstrate significant leadership ability or even any desire for such control.

Accents: May tell you about cultural mannerisms.


Communication Style

In general there are 6 different communication styles. Each style tells us a little bit about the person speaking, along with some details about who they are vs. who they want us to think they are. On a simple scale from 1 to 6, one is the hardest to communicate with while 6 is the easiest. Here is a quick rundown of each style along with its ranking.

  1. Nobles – Believe communication is to exchange information ONLY.
  2. Magistrates – Opinionated, argumentative and difficult to deal with.
  3. Senator – Chooses whatever communication style works best in the situation.
  4. Candidates – Seek to communicate along a path of least resistance.
  5. Socratic – Purpose of communication is to talk. Loves discussion and debate.
  6. Reflectives – “Touchy feely” people. VERY communicative.

Looking for motive

There are many reasons for manipulative conversations, including but not limited to: to avoid embarrassment, trick someone, avoid hurting other people, cover up a lie, or pull someone into an argument. Manipulative answers can be broken down into 5 categories.

  • Non responsiveness – May be avoiding embarrassment, conflict, truth or an emotionally difficult subject.
  • Not denying or explaining when expected – Hiding something, wants to avoid conflict, playing “games”, may be offended or trying for control.
  • Short answers – May be early signal for dishonesty.
  • Long Answers – May be used to hide the truth. Used to avoid lying outright by trying to spread the truth about. Is the answer candid or incoherent?
  • Answering questions with a question – Used if someone doesn’t want to commit to an answer, used to redirect the conversation and may show them as being secretive.


Conversational Detours

The pregnant pause

A pause after you have said something provocative, threatening or off subject, catching the other person off guard, could mean that they were surprised or offended. A brief pause could mean anger, frustration or disgust. Look closely for clues in the person’s face, eyes, and mouth.


Constant or poorly timed interruptions may be motivated by impatience or boredom. Are they trying to control the topic by changing or altering the topic?


Rambling usually reveals nervousness, confusion, insecurity, a need for attention or . If this is not normal for the individual then it could mean intoxication, severe fatigue or simply distraction.

Changing Subjects

Intention can be gathered by looking at the relationship between the old topic and the new one.

Revealing habits of conversation

Defensive Behaviors

  • Withdraw – Grows silent suddenly, pay attention to tone and content.
  • Aggressive Attack – Blame someone else or you to excuse or sidestep issue.
  • Profess religious beliefs, family values or high morals.
  • Emotionally disarm attacker by flattering them with praise.
  • Unprovoked protestation of innocence – Really overblown excuses for innocence.

People commonly volunteer information to make a connection with you by telling you what they think you want to hear.

Verbal calling cards

  • Slang – Can shed light on cultural influences and socioeconomic background. This includes bad grammar. How and when slang is used is also important.
  • Word Themes – The more a person relies on word themes the more strongly he relates to some aspect of those favored words.
    • “Aggressive Terms” – Won, battle, out flanked, aggressor.
    • “Honesty” – Frankly, to be honest, to tell the truth.
  • Use of titles – The way a person uses a title can reveal his geographic background, e.g. Sir or Ma’am can be a sign that the speaker is from the south or military. Can show or ignore respect and be sarcastic, for example changing Dr. Oz’s title to Mr. Oz.
  • Profanity – May equal being socially inept, excitable, or insensitive to the reaction of others. If used in anger the person may be seen as aggressive and having a volatile temper. Excessive profanity is threatening and may be used as intimidation. To gauge profanity consider how often and under what circumstances it’s used.
  • Braggadocio – Takes the form of interjecting one’s accomplishments when they are not relevant, name dropping or exaggerating one’s success. They always lack true confidence.
  • Exaggeration – No room for grey. Signals insecurity and trying to get noticed. Trying to control the conversation and trying to control their true behavior.
  • Ingratiating behavior – Blatant manipulation, kissing up, brownnosing, consider the context, may be trying to comfort you or make you feel accepted. May lack confidence. Brownnosers fall into two categories.
    • Those who ingratiate to gain personal advantage.
    • To win your approval.
    • If demeanor, appearance and other clues point to passive then they probably were not trying to manipulate you.
  • Self Criticism – If speaker does this more than twice, start to ask “why”. Very insecure and low self esteem. May be looking for support, encouragement, help or you to disagree with them. May be used to put you at ease. How they respond to others’ remarks is a good test to gauge reasoning.
  • The broken record – Either senile or mental issue or nervously filling space in conversation, or sending a loud clear signal that something is on his mind and wants acknowledgement.
  • Gossiping – Consider target and context to find motives.
  • Humor – Can be sarcastic, subtle, genuine or insincere. Can be a weapon or a shield. Frequently used to disguise true feelings. Used to turn conversation from serious to lighter one. Compassion to show empathy or understanding. Disguise emotions they don’t want to expose.
  • Sarcasm – Used to either get a laugh or make a point indirectly

Actions in / with speech

  • Words < actions
  • Focus on how one behaves towards others.
  • We all make mistakes, but not patterns
  • People MAY change, ask yourself
    • How long is it set?
    • How recently has it changed?
    • How quickly?
    • What could have motivated him?
  • Look for patterns – Question ANY time someone deviates from their known pattern.
    • Selfishness
    • Performance under fire
    • Unkept promises
    • Avoidance
    • Preaching
    • Fanfare
    • Spending habits
  • Environment
    • Read environment with all your senses.
    • See the big picture – Clues are everywhere but focus on props, calendars, photos, books, magazines, art, plants, desk or refrigerator props.
    • Watch for differences in people’s public vs. private environments.
    • Find out where target goes for “me” time.
    • Birds of a feather, who we hang with says a lot about how we think.
    • Everything about us is affected by our environment

Exceptions to our rules

  • Always consider whether you’re missing something.
  • Be alert for:
    • The elastic person – time and exposure will show up lies.
    • Rehearsed Presentation – remove from comfort zone
    • Liars – focus on nothing that he says
    • Delusional Thinker – Fool yourselfers
    • Physically Disabled – They think and react differently depending on the condition.
    • Illness, fatigue and stress
    • Drugs and Alcohol – will cause changes from one moment to another
    • Cultural influences
    • Never forget coincidences do happen! Don’t assume too much.
  • When listening to your inner voice make sure you review evidence that made you feel your “hunch”


Snap Judgments

Sometimes we have to make our decisions as quickly as possible. With time and practice you will be able to do a pretty decent snap judgment that is pretty close to truth. Please keep in mind that this is something that takes a great amount of concentration to ensure you don’t miss anything that will bias your judgment incorrectly.

A quick way to do such a snap judgment is to follow a simple workflow

  • Work from overall picture down to subtle clues.
  • Keep in mind the question you’re trying to answer. No reason to over analyze.
  • Zoom in on “key elements”, if you see a unique trait, does it tell you something if you watch closely?
  • Look for patterns
  • Decide quickly, second guessing yourself can lead to lots of problems!
    • Err on the side of caution and practice, practice, practice!


Interpreting Traits

This is probably the most socially arguable part of this method, but you will find that, tied together with the information collected using the methods already mentioned, you will be able to draw some very interesting conclusions quickly.


  • Tan – outdoors a lot or tanning salons
  • Pale – Not so outdoorsy, oober skin health, ill or from somewhere with lots of snow and bad weather.
  • Irregularities – Facial, maybe they can’t afford to remove or don’t care


  • Poor hygiene – out of touch, high level of self centeredness, lack of common sense, insensitive, mentally ill, drug use, ill, poor, lazy.


  • OCD, egotistical, structured, vain, inflexible, unimaginative, concerned about others’ opinions

Writing, logos and pictures on clothes

  • T-shirts with sports insignias – Fan of sport
  • Souvenir T-shirt – Traveler or Outdoorsman
  • Prominent Designer – Image conscious and may lack confidence.
  • Regional style
    • Tip off where they are from
    • Where they lived or currently live.
    • May identify them with that region.
  • Cultivated images – May not reflect true inner identity but outward role.

Flamboyance VS Conservativeness

  • F = Bright colors, shocking or distinctive styles.
  • C = Classic styles, subdued colors, careful and meticulous grooming
  • F = Want to stick out generally
  • C = Want to blend in.

Conservative dressers are generally confident.

Flamboyance – Creative, artistic, imaginative

  • Usually not overly “poor” or very practical
  • are non conformists and don’t care about opinions as long as they got an audience
  • Independent even a bit flaky


  • Are conformists
  • Often practical, authoritarian, and analytical
  • Most people are conservative in their thinking habits.

Practicality VS Extravagance

  • Practicality – Anything that points to comfort, cost or utility over style
  • Extravagance – Simply opposite


  • At ease with themselves
  • Not self-centered
  • Willing to be non conformists
  • Frugal


  • Image conscious
  • Poor self esteem
  • Desire acceptance and approval

Sexual Suggestiveness

  • Tremendously confident
  • Very insecure
  • Trying to get attention
  • Sexually liberated
  • Outgoing, vain, self centered


  • Out of social mainstream
  • Insensitive to issues of appearance
  • Poor or lower socioeconomic background
  • preoccupation elsewhere
  • Sloppiness
  • Artistic, intellectual or absent minded
  • Professor syndrome


Interpreting body language


Preen, glance at themselves, make grand gestures, keep great distance from others, bore easily, make sexual maneuvers and posture, boast, adopt affectations.


Good listening skills, self-deprecating humor, quiet demeanor, shows courtesies.


Lead/control conversations, surrounded by peers, volunteer for unpleasant tasks, good listeners, self assured smile, walks with confidence, almost striding. Firm handshake, better dressed, good hygiene, dress appropriately or more expensive, engaging, seldom follows trends, physical and athletic, good eye contact, conservative haircut, erect posture, squares body to talk.


Verbal repetition, repetitive motions, signs of indecision or frustration, conflicting or inconsistent behavior, shifting or shuffling.


Crossing arms, legs, and/or ankles, clenching teeth, jaws or lips, averting the eyes, body squared to talker, hands on hips, quick exhaling, closing mouth tightly and refusing to talk, leaving abruptly.


Turning away, flushing, nervous laughter, avoiding eye contact, shaking one’s head, avoiding people, leaving the room.


Wide open eyes, screaming, blushing, hands over the face, being frozen, gulping and swallowing, looking around, clutching other objects or hands tighter, hands in front of the body, leaning or shifting backward, turning away, quick, jerky flailing or stretching out of the extremities, shaking, heavy breathing, quick shallow breathing, holding one’s breath, walking quickly, stiffness, licking lips, small tentative steps.


Stiffening body, pouting, crossing arms, grimacing, avoidance, signs of anger.


Whispering, set jaws, a guarding posture, covering one’s mouth, body turned away, avoiding social interaction, revealing little emotion, brief, mechanical handshake, frequently locks down, looking around when being addressed, removing personal stuff from view.

Openness: Warm smile, kissing on greeting, long eye contact, standing close, firm handshake, enjoying social interactions.

Sexual or Romantic Interest

Exaggerated smile, laughter, staring, winking, wetting lips, thinking, crossing/uncrossing legs, thrusting out chest/hips, walking with swagger or wiggle, primping, lounging back, coy smile, flipping hair, personal space invasion, revealing clothing, touching one’s clothing, touching object of affection, excessive perfume, makeup or cologne, overdressing, whispering, intent listening, intently looking the other person up and down, isolating one’s affection by trying to get them alone.


Suspicion: Furrowed brow, squint in the eyes, turning head slightly down, looking slightly upward, tilting head, tight lips, signs of pensiveness.

Disbelief: Eye-rolling, head shaking, grimacing, frustration, turned up mouth corners, quick teeth exhale.


Repeated action, biting nails, shaking, wringing hands, fidgeting, face rubbing, hands through hair, lack of focus.


Using the information provided above you should be able to reliably and consistently judge a person simply by talking to them. This technique along with knowledge in the field of Information Security would make anyone a dangerous honey pot in and of themselves. Please handle with care and never stop learning.
