skiptracer released

by admin

Sunday, June 3rd, 2018 at 12:02 am

Our new open source python OSINT framework, skiptracer was released yesterday @ HushCon. Initial attack vectors for recon usually involve utilizing pay-for-data/API (Recon-NG), or paying to utilize transforms (Maltego) to get data mining results. Using some basic python webscraping of PII paywall sites to compile passive information on a target on a ramen noodle budget. The modules will allow queries for phone/email/screen names/real names/addresses/IP/Hostname/breach credentials etc.. It will help you collect relevant information about a target to help expand your attack surface.`Everyone should be encourage to submit new ideas/modules. you can get the code here.

CT’s #1 hacker part deux – electric boogaloo

by admin

Wednesday, April 25th, 2018 at 2:37 pm

Seems our pal Mario Dinatale, or’ Mario Di Natale’ as he now uses for SEO reasons (see post: Hacks Lies Nation States) has bullshitted his way into another job. I wonder how much bullshit he fed into his new employer Kyber Secure ‘Why do you care’ you might ask? Because charlatans like him lie their way into jobs and bragging about ransomware ‘takedowns’ they had no part in, are some of the reason why this industry and security is such a shitshow. I feel bad for the clients.

OWASP Top 10 – 2017 released

by admin

Monday, November 20th, 2017 at 10:37 pm

You can get it from here:

Office DDEAUTO attacks

by admin

Saturday, October 21st, 2017 at 3:15 am

New post on about macro-less Office command execution and how to use different payloads with the attack.

‘Hacker’ Lies, & Nation States?

by admin

Saturday, June 17th, 2017 at 2:51 pm

I’m calling out questionable “facts” on at this presentation titled: “Hacks, Lies, & Nation States” @ AnyCon from today, only because it involves someone from my home state, Mario Dinatale, who claims to be “the State of Connecticut’s #1 Cybersecurity expert
That unprovable claim, along with a bunch of buzzwords and random tech stories he seems to have plucked from headlines of the past 20 years, years. Dinatale’s talk appears to be full of fluff and dubious claims that anyone in the industry can see through.

His recent claim to fame was that he took down Teslacrypt ransomware’s C2 server after only 2 hours , while the FBI couldn’t do it after a year. He said he got angry after the ransomware locked up the town of Hamden’s computers and demanded almost a half a million dollars in ransom, although I can find no public reference to this incident. In the video he stated the attackers started DDOS and spamming in retaliation of him foiling their plans, so he sat down and took them out, thus scaring them into dropping the ransomware’s decryption key onto their website. Even though ESET claims their researcher contacted the ransomware’s authors for the key because they started moving to a newer ransomware. If anything he carelessly posted images about his job with the police to Reddit/Imgur that could have aided an attacker.

Coupled with the fact his job as ‘CIO’ was in jeopardy in 2014 for a police investigation for employee misconduct, he amazingly was put in as CIO for the town of Hamden (hooray for unions!) shortly afterwards.
His Linkedin profile is littered with reviews from old non-techy cops and others praising him for his ‘skills’.

He goes on to talk about how he was ‘hacking’ NASA as a kid to use their Cray computer or that he was ‘hacking’ the FBI reading their emails and which ‘were full of office talk and cat pictures’. He also shows random pictures from Defcon on how he was there just to ‘hack the attending FBI agents’. We did find him wearing a ‘Defcon’ hat under his handle mastry0da and references to *mastry0da iz an fbi sn1tch* . Though his only proven ‘hack’ was this picture , showing him getting suspended for changing grades on school computers in 1999, when there likely was little to no security at all.

In his talk he then he goes on to claim the FBI inducted him into Infraguard due to expert skills taking down the Teslacrypt ransomware , seemingly overlooking being arrested in 2013 being charged with “risk of injury to a child and disorderly conduct
According to, his behavior does not appear to have changed as he was charged with DUI last week (Jun 7, 2017).

In a move that makes some question his expertise, his ‘About Me’ page on his personal website contained his Private PGP key, instead of his public key. While he has since removed it, his web site does not appear to have a new key to replace the old compromised key. Although we got screenshot
bigger image and key before he deleted it.

I’m tired of the security industry and government as a whole putting these fake wannabe ‘cyberexperts’ that use buzzwords and prnewswire articles about themselves, thrusting them into the spotlight. Taking these self-professed experts at face value and not challenging them is dangerous for the industry, citizens, and the customers they claim to protect. (Gregory Evans anyone?). This is why Infosec as a whole is a fucking shitshow, hiring snakeoil salesmen and wanna-bes.

In this video, after introducing himself as a “premiere cybersecurity expert to multiple federal agencies in the state“, he doesn’t seem to be able to define what the term ‘cybersecurity’ even means, after being asked to do so, jumping from term to term throwing in words like OSI model and onion.

And this interview after his talk is even worse, he blames infosec industry for failing the government and being greedy , even though he was working for the government and claim hes an expert to multiple federal agencies. Then around minute 7 tries to decry infosec ‘rockstars’ even though he himself is trying to be one with these false claims.

UPDATE: Mario seems to be playing damage control by deleting his CIO youtube video, contacting /r/netsec, contacting ‘colleagues’ on Linkedin, and getting his GF to try use her Media company’s twitterbots to deflect the spotlight from him.
I’ll take this post down if he can prove he hacked the TeslaCrypt C2 ransomware server with proof on how he ‘reverse-engineered’ the malware to gain access.

update #2: Looks like he has bribed or forced the news sites to remove articles. Good thing the internet is forever, links have been update to lead to the wayback machines links on also screenshots are the articles are ::HERE::

happy new years

by admin

Thursday, December 31st, 2015 at 6:06 pm


200,000 Comcast customers Jacked

by admin

Tuesday, November 24th, 2015 at 2:44 pm

Someone leaked the data for free. Better update your passwords just in case. Here’s a sorted passwordlist from the dump.

Tesla Motors pwned.

by admin

Saturday, April 25th, 2015 at 4:26 pm and their twitter got owned today

whoever had control of the twitter mistakenly posted a screenshot of their skype session

the site is currently down.

Kali on Raspberry Pi 2

by admin

Monday, February 23rd, 2015 at 12:49 pm

pi 2
cyberkryption has finished getting a build for Kali Linux 1.1.10 for a Raspberry Pi 2 with working XFCE and raspi-config
Check out his blog for more info:

ATT U-Verse VAP2500 vulns

by admin

Tuesday, November 25th, 2014 at 10:59 pm

ATT U-Verse service includes the VAP2500 video access point as part of the installation,. From their guide “The VAP2500 enables you to transmit multiple standard- and high-definition video streams throughout your home wirelessly. You can enjoy a full range of video services and applications without having to run wires, lay cables, or drill holes. The U-verse Wireless Access Point operates only with authorized U-verse Wireless
Apparently it’s full of holes too:

1. Readable plain-text file, admin.conf, which holds the username and md5 encrypted passwords
(defaults are: ATTadmin : 1b12957d189cde9cda68e1587c6cfbdd MD5 : 2500!VaP
super : 71a5ea180dcd392aabe93f11237ba8a9 MD5 : M0torola!

2. They use the md5 hash of the username as a cookie for authentication

3. gui suppports command injection

More info:

similar report:

Your IP:

You are from the area.

We love our country, but fear our government.