All posts by Jose Quinones


Security B Sides Puerto Rico (#BSidesPR) delayed …

How Security B Sides Puerto Rico (#BSidesPR) came to be.

Recently Hurricane Maria hit Puerto Rico really hard, just a week after Hurricane Irma and I had to cancel Security B Sides Puerto Rico (October 6, 2017) for the time being. This was our fifth year and this had me nostalgic and thinking on how BSidesPR came to be.

The story starts 5 years back (2012) when I was whining and complaining on social media that in Puerto Rico the tech community was nonexistent, and that all events where boring sales/expo type events and a stranger on twitter and now a good friend Juan Sanchez (@goze) basically told me to shut up and do something about it. That comment made me stop and consider that if I wanted something to get done I should not wait for anyone else to do it for me, pretty obvious when you think about it, right.

What I did next was start to get information on how to do a conference because of course, I knew nothing about it. By that time, I used to listen to Pauldotcom Podacast, now Security Weekly Podcast and heard Jack Daniel talk about Security B Sides and loved the idea of sales free conference, centered on community.  There was this guy, Carlos “Dark Operator” Perez (@carlos_perez) that worked in the podcast and he also complained that in PR the all tech events were sales/expo shit.  He is Puerto Rican so I decided to reach out and to my surprise the guy lived 10 minutes from my home. Probably cross paths at the mall and never new better (Carlos is now one of my closest friends). So after I met Carlos and talked about how to make this work I still needed more troops to execute.  I went to a couple of good friends: Jose Arroyo (@talktoanit), Daniel Mattei (my brother from another mother), Angel Colon, and Juan Sanchez to start sizing up the community and plan the event.  In that process I met my right hand and good friend Johana Martinez (@johanaMRPhD) a Doctor in Psychology that was introduce to our group by curiosity of how hackers think and a common friend Jose Arroyo.

But then I had another problem, in Puerto Rico there was no tech community that I knew of. Looked for it and found 2600 group that did not meet anymore, also found DC group that was no more so I had to start from scratch. There were a couple of startup meetups, but does that really count? usually startup meetups are about building a company and making money “fast”, you know the idea that makes you rich.  But, I was pleasantly surprised. There I met couple of true nerds and InfoSec curious guys, so we started doing meetups every other month, and visiting Universities to talk to the Computers Sciences & Information Systems students about InfoSec and started building build the community.

Finally we did our first Security B Sides Puerto Rico on April 2013 only 150 people showed and we had massive losses but we had a blast.  I was super happy and proud of what we accomplished and I still am.

(Security B Sides Puerto Rico  2013 Speakers hanging out.) #LobbyCon




It’s been 5 years of hard work doing InfoSec community work, workshops and meets in schools, universities, government agencies, law enforcement and even church groups. As you may know because of crashing economy in Puerto Rico a lot people that started with us and not in Puerto Rico anymore, so it’s been a war of attrition.  Some times I’ve felt alone, sometimes I’ve been alone, but we’ve hold up, this is not over, we will come back.

… stay tuned, we are looking into a date in December 2017.

Funny Story: To DoS or DDoS? … that is the question.

I recently received an invitation to attend a seminar in “How to protect your business from DDoS attacks” the invitation was sent via an HTML attachment.

So, in my paranoia I opened the file in an editor before trying to load it in a browser.  While in the editor view I saw a link to a web server using an IP address directly.

Again I wanted to investigate further, so I loaded the root of the server ( on Firefox with “Header Spy” add-on in Firefox, just to see some info on the server.

To my surprise the server loads the default IIS page, and with the Header Spy information and look of the page I confirmed it was running IIS 8.5 on Windows (of course).

So I searched for vulnerabilities on IIS 8.5 and came up with MS15-034 bulletin so to make sure, I did manual check using curl with the following lien of code:

curl -v http(s)://hostname (or ip)/ -H “Host: anything” -H “Range: bytes=018446744073709551615” -k


So I used some vulnerability checks from Offensive Security DB and a PoC on Python to be 100% sure and it was confirmed.

So the funny part: A DDoS prevention announcement on a DoS vulnerable host with a 1 year old vulnerability.  Isn’t it funny? #LOL

Ping with creativity … on windows

Recently saw a blog post on netstat , so I tough that if someone could blog about netstat I can blog about ping.  #insidejoke

First of all,  ping is a windows/unix command used to check connectivity between to points using ICMP protocol, but that’s not all you can do with it.

Disclaimer:  Many networks block ICMP, so this may not help you in any way.

First let see our options:


As you can see there are a lot of options, but lets test three (3) of the most common ones.

Check connectivity to target

Check for DNS resolution on target

Manipulate TTL,  lets check the third (3rd) hop on a route to target

So let’s be creative with it:

Traceroute & check 30 hops

Do a ping sweep discovery on a /24 subnet

Now we can do  a reverse DNS walk

So now you see how an everyday  “insignificant” command can be of very much use.

In unix we have more tools available to manipulate strings and with the power of Bash more so.  But in essence you can do the same. I will cover this in a future post.


Skeleton Key from Open Source Intelligence


Recently I sawScreenshot 2016-03-07 07.52.46 tweet by @gsuberland that blew my mind.  Not because it was special but because it was common.  He tweeted a photo of a NY Post article on a particular key that was been sold on eBay for $8.  This key allegedly can get you access to subways and elevators in NY City.  Scary right? it gets worst.


When you analyze this, its wrong in so many ways that its scary.

  1. The NY Post publishes a photo of the real key,  a Yale 1620.
  2. @gsuberland tweets about it and gets more that 770 RTs. (at the time of this post)
  3. In the thread it gets disclosed that this is a Yale large pin key
  4. … and later on the same thread some one tweets a high resolution photo of the key in question from the NY Post website.

Ok, this guy accuses the NY Post of been morons for publishing a photo on the paper and he is right, but his accusation unleashes a series of events that multiplies that error by X factor.  Just add the NY Post print circulation + NY Post Web Traffic + The Followers of every one who retweeted + the 5 people who read my blog).  That’s millions + 5, and that’s a lot.

The article in question is from September 20, 2015, that 5 months back, but after reading the articles and tweets (if you believe them), this is old news. Someone claims that way before the articles he got a 1620 key from a friend.  But knowing first hand how things move in government a I can safely assume that this problem will persist long after everyone on the twitter-verse forgets about it.

Finally the web post of the NY Post tells that eBay stopped selling the key.  Hooray! … NOT, well actually a quick search on eBay confirms it (i could not find it).  But now its EVERYWHRE!  With the information on the print + web + twitter we can get a Yale blank and make one, or just take one of the high resolution images and convert it to a 3D model (youtube is your friend) and just print it.  NO eBay, NO underground connections and NO special abilities.

NEW YORK - SEPTEMBER 18: For Sunday News. Fireman elevator keys purchased online pictured in the studio on September 18, 2015. (Anne Wermiel/NY Post)
NEW YORK POST- SEPTEMBER 18: For Sunday News. Fireman elevator keys purchased online pictured in the studio on September 18, 2015. (Anne Wermiel/NY Post)

This is a prime example of how OSINT works and while many people have the best interest at heart, the road to hell is paved with good intentions (if you believe in that). We have to be careful with the information we put out.  I believe in responsible disclosure, but I also know sometimes the ones responsible just don’t care.

… and thats how you can get a skeleton key using open source intelligence.

jq – 2016

Como protegerse del “ransomware” #Locky


Recientemente varios usuarios han sido afectados por un nuevo virus de modalidad “ransomware” llamado Locky.  Las preguntas son muchas  al igual que la confusión, así que les dejo este corto artículo para ayudarles.

 ¿Qué es ransomware?

Rasomware es un tipo de virus de cifra los datos del usuario y solicita un rescate para descifrarlos, en efecto secuestrando los datos de usuario. Estos pagos son solicitados utilizando Bitcoin, una moneda digital casi imposible de rastrear como si fuera efectivo digital.

 ¿Cómo los hace?

El virus utiliza una llave criptográfica imposible de quebrantar la cual es almacenada en servidores controlados por el programador del mismo. Estas llaves solo pueden ser accedidas pagando el rescate solicitado.

 ¿Hay exfiltración de datos?

Hasta el momento no se ha confirmado que los datos del usuario sean transmitidos fuera del sistema.  Existe la posibilidad que otras versiones del virus tengan la funcionalidad de robo de datos.  Por tanto toda persona que maneje datos sensitivos debe tomar todas las medidas de seguridad posibles.

 ¿Que tiene este virus que lo hace especial y nocivo?

Este virus al momento conocido como “Locky” está atacando a instituciones de salud en particular debido a la importancia de los datos que manejan.  Todo dispositivo (computadora, móvil, tableta, etc.) que contenga datos de pacientes está cubierto bajo la ley HIPAA la cual impone multas por la exfiltración de datos de pacientes si no se toman las medidas de seguridad necesarias.

 ¿Cómo nos protegemos?

  1. Actualizar antivirus (AV) y escanear el sistema diariamente.  Recordemos que los AV solo detectan lo que conocen y lo que pueden ver.
  2. Actualizar sistema operativo (Updates) por lo menos una vez en semana.
  3. Actualizar aplicaciones (PDF, Flash, Zip, etc) por lo menos una vez en semana.
  4. Hacer resguardo de datos fuera del sistema y en un medio desconectado (offline). Ej. USB o DVD
  5. Si es posible deshabilitar Macros en Productos de Office

  1. NO abrir correos enviados por personas que usted no conoce.
  2. NO abrir documentos del SPAM/Junk mail bajo ninguna circunstancia.


¿Qué hago si detecto que mi equipo ha sido infectado?

Apague el equipo inmediatamente y comuníquese con el personal de apoyo técnico lo antes posible.

Al momento de esta publicación no hay forma de recuperar los datos más allá de pagar el rescate.  :-(

— jq

My reading list for 2015 … so far

Last year I did a post on my top 10 entertainment books for hackers and I decided its time to update the list and let you know what I’ve been reading this year.

(#1) Influx, Daniel Suarez delivers yet another tech-thriller/science fiction novel that will blow your mind.  What happens when a shadow organization controls the technology evolution of the world? Geniuses, Researchers & Inventors are the target to stop these disrupting technologies.  See what happens, you wont regret it.

(#2) The Fold by Peter Clines. I usually don’t read horror stories, but its like Science Fiction Horror with a flavor of The Twilight Zone and its is just genius.. He’s got thing with cockroaches but I imagine every writer has his thing.  Also I got hooked with his writing when I read the (#3) Ex-Heroes saga (Zombies + Heroes) either you love it or hate it.  It’s  action-comedy- hero-fiction zombocalypse … I loved it!

(#4) The Phoenix Project by Gene Kim, Kevin Behr and George Spafford.  If  you work in IT you either get nightmares, experience dejavu or get inspired;  I went for all of them at the same time.  This is the story of how an IT leader and his team can evolve into something that really works and helps the business without getting in the way.  Ah!, also teaches a lot of management philosophy, project management, and DevOps in an engaging and entertaining way. Trust me, should read this at least twice, one to enjoy and one to take notes and enjoy again.

(#5) Wizard: the Life and Times of Nicola Tesla: Biography of a Genius. If you consider yourself a technologist and hacker at heart you have to read this.  This biography is based on Tesla’s writings and patents.  Its not the best written biography but the content is gold.  Get to know more of this important man.  Tesla is always good reading, there no wrong choice with this one.

Hope you enjoy …


Drone Wars: Weaponizing your drone

Drones, UAVs, UASs, whatever you want to call them are getting a lot of attention lately, bad press mostly.  There is a lot of talk of how drones are bad for privacy, used by drug lords, terrorist and some other shit.

Things can get really interesting when you combine your Xcopter with WiFi, Bluetooth, SDR, DevBoards or Digital Video. Did you know it can actually become a remote controlled turret? , Interesting or scary, you decide.

Its a matter of time until legislators start to make stupid laws for stupid people.  I say be creative, innovate, experiment but use common sense and don’t get mad if you get in trouble for doing something stupid.

Recently at Security B Sides Puerto Rico 2015, I presented on weaponizing drones.  Here is my preso …

… and video recording of it.


Securing your business …

By José L. Quiñones (@josequinones)

1512801_359775770847771_3214556159751524632_nA couple of weeks back I did a presentation for the Cyber Security Awareness Month at Turabo University  with Obsidis Consortia and the Internet Society PR Chapter, titled:  “Securing your Business”.

So , for those who asked for it or could not make it,  here is my presentation:

Hope this helps, and don’t hesitate to contact me for questions or help.

InfoSec Gamification

By: Jose Quinones (@josequinones)


On the last Init6 InfoSec Group meeting I did a short talk about InfoSec Gamification and them we did some “gaming”.

While there I talked about how its done and about my experience with it.  I would like to encourage other professionals, students and enthusiasts to participate in various CTFs and “competitions” out there.

There are many, many open CTFs out there, but I would like you to consider SANS NetWars Tournaments, Course, Continuous and CyberCity.  Although they are paid services (really worth the money) these are designed by Ed Skoudis, The Grand Master Jedi of InfoSec (in my opinion) and just top notch.  NetWars is structured and design not only to test your skills, but to learn and have fun at the same time.  Not many CTFs can state the same.

My First experience with  CTF’s was a couple of years ago and I just fell in love with them. They are a great experience and mostly a lot of fun.

Well,  … here is my presentation from the meet, enjoy and remember to comment:

See you on the wire …