Password 101: how to suck at security

(Totally not a satire post…. Totally…)

1. Always Use a simple password.
2. Always write it down.
3. Always Use the same password for everything.
4. Never change your password.

Why hackers should oppose government

I suppose I could sum up an entire article with “because they lie”. However, I don’t think that would cover the complexity of the issue at hand. Hackers, by both profession and mentality, question authority and push the status quo. By no means do I mean “hacker” as the black hat sitting in mommy’s basement in a poorly lit room purposely stealing credit card and identity information; by hacker, I am talking about someone who tinkers and tries to improve the way things are currently done.

The government, any government, is by its nature the opposite of the hacker mentality. We try to empower individuals to be self-reliant and build their own life where nobody can tell them how to live. Government tries to consolidate the power into a central entity that distributes resources to fit its goals, even if those under its authority disagree.

Right now, I see too much support for government from others. It’s starting to feel like everyone has forgotten that America was formed by revolutionaries fighting against oppression, simply because we didn’t want to be told what we could do and who we could do it with. Yes, laws have a place, but too many laws are bad, because it becomes more possible to break the law.

That is what brings me to hackers. Right now, network security is a very dangerous field, and doing things 100% legally makes it hard to find the security holes. If you stumble upon big security problems but didn’t have a contract set up first, you risk possible jail time for disclosing it to the business, even when done discreetly so as not to alert everyone and cause panic. Being a security good Samaritan is strongly discouraged because of government.

Think about it this way. Pretend you’re a kid and the government is your parent. When you were a kid, and your parents had a really stupid rule, or the rule was no longer needed, what did you do? You probably talked to your parents to change the rule, and they likely said “no”. For me, I had to break the rule in a way that showed I could act responsibly, and the ONLY thing they could punish me for was breaking a rule that was silly. Sometimes I would get punished. Sometimes they would finally get the point. But the point is, for change to happen, rules need to be challenged and broken. This is at the very core of who a hacker is: we question EVERYTHING.

I don’t care if you’re a Republican, Democrat, anarchist, or communist; you should still oppose government intervention into our lives, and everyone’s lives. Do you really think that making a new law is going to stop criminals who are ALREADY breaking the law? No, you’re going to create new criminals. At the very least, current laws need to be enforced in full, so EVERYONE feels the pain of these oppressive laws. If you wouldn’t apply a law to EVERYONE, you shouldn’t have the law in the first place.

Hackers should unite against government power, fight against stupid laws intended to single out people, and fight for the little guy, because guess what, hackers? We’re the little guy. We are the antihero. We walk the thin line between good and bad. We need to push authority. We serve a vital role for change.

Stop wasting it!

I was thinking, after I hit “publish”: when I speak of a hacker, I speak of someone who questions things, someone who needs to know “why”, someone who strives for better than “okay”… I speak of myself, my friends, my family, and hopefully I am speaking to YOU as well.

Privacy, is it dead?

So, it’s been a couple of weeks since the NSA “PRISM” program was leaked. Outrage followed, but seems to have died down, which got me thinking: most people I know are their own worst enemies when it comes to their own privacy and important information.

How many of you have Facebook? Most people do. Now, let me be clear, I don’t use Facebook and haven’t for a long time, but my wife does.

Everyone has started to post play-by-play updates so EVERYONE can know what they are doing. The problem then is, how can you get mad that the government collected the data? You posted it in the internet equivalent of screaming in the downtown square, then got mad that someone wrote down what you yelled.

Don’t get me wrong, what the NSA is doing is wrong; however, most people are not taking even the slightest steps to guard their privacy. This makes it very hard moving forward, because it gives us another “lesser of two evils” scenario: do we give up and let the government monitor everything we do? Or do we punish those who even stumble on publicly published information that is sensitive in nature for “hacking”?

What I think really needs to happen is that people need to start taking privacy seriously. I can’t count how often I have gotten after my family for posting information that could be used against them, and without fail, they ALWAYS seem surprised that what they posted wasn’t private.

Read the end user license agreements for all of the software and websites you use; they always list what they do with information that travels through their services. It is unfair to get mad at companies and government for spying when you click “I accept” without reading the terms of service.

For this problem to change, it’s going to take a shift in our mentality, not just more useless legislation to supposedly limit the government. They already ignore the laws currently on the books, so how is another law going to fix things?

Simple solution: Stop being stupid!

Disclosure: Small business and offering “free” WiFi – what NOT to do

In the interest of what I ran into last night, I will share the horrible networking practices this business I stumbled upon was employing. I was driving past a local tire shop and noticed they had an open Wi-Fi network named “Goodyear”. So I thought to myself, “let’s just take a peek at what is accessible to any user”.

There was no authentication agreement once connected, no ‘rules of conduct’, if you will, that even most coffee shop networks toss up at users. Lately I have been using my Nexus 7 to see just how much mayhem I am able to cause without looking suspicious with a laptop.

Once I connected to the network, I fired up dsniff to analyze the network layout. There was a curious hostname, with a Netgear device signature, that I felt warranted a look. So I scanned the services and noticed a network share was the only service available, signaling this was likely a NAS device. A NAS on an open public WiFi; I could only dream what treasures lay within its storage.

Using ES File Manager’s built-in Samba support to connect, for fun I tried using the default ‘Guest’ account, and tada, I was presented with a share and the secret share data. In the root of the ‘My Documents’ folder, I found a fun file named ‘LOGINS.rtf’ and saved it to my tablet for later review.

The business was closed, nobody inside, and yet TONS of information was just waiting to be plucked. Since the NAS was so easy, I opened Chrome and browsed to the router login page: yet again, default username/password. I had to verify root login, so I adjusted the filter settings on the router to block all requests for Google.com, Facebook.com, and twitter.com, and lo and behold, it was successful.

I am sharing this so that anyone running a small business will take serious caution to ensure that their sensitive data is segregated from the public WiFi network. It can be done very simply, even with regular routers from Best Buy. Please do not think that offering ‘free’ wireless will be positive for your customers. Their data is valuable, and if they are compromised because your system was poorly managed, that will reflect poorly on you.

Wireless hacking on android

With the power of the tablets coming out now, and the open platform that Linux provides, there is a great opportunity for hacking from an easily hidden, Trojan-style device with lots of power to allow us to do many different wireless attacks.

Possible attacks:
1. ARP spoofing
2. SSL stripping
3. Session hijacking
4. Vuln scanning
5. Port and service scans

These are just a few features available in a tool called dSploit. Using the application you can select all kinds of attack vectors, and you can capture packets in a pcap dump for reading in Wireshark later.

It works well in small networks and labs, but my next task is to blow up a public network and see what I’m able to find. If the located information is enough, I will approach them face to face with the data, and options on how to fix their problems.

Other WiFi tools in my toolbox include DroidSheep, ding (network scanner), ConnectBot, and SSHDroid.

I will be writing a follow up on how to use the tools, and talk about the other tools.

New stupid crime trend

We have all heard of the rising popularity of ransomware in today’s virus scene. Today I learned about a trend that, for the criminal, is dangerous and stupid.

Apparently, would-be criminals are stealing cell phones, then calling the victim and demanding a ransom at a specified time and place. For those of us who deal with security, this quickly stands out as stupid for many reasons, but the most obvious is that all phones by law are required to be GPS enabled.

Those of us who install anti-theft software are able to remotely track our phone and provide police with the location data, along with the ransom demand details, or if we felt strongly enough, we could just go get it ourselves. Those not so technically inclined can have the police track the phone with the aid of the phone company.

Overall, stealing a phone, especially for ransom, just seems idiotic.

Should DDoS be Protected as Free Speech?

I read an article today, that quoted the lawyer representing some Anonymous folks saying that he thinks DDoS is a form of free speech, and should be protected as such. He equated it to the civil rights demonstrations where people would crowd a venue to the point that “Legitimate” customers were unable to use their services. While I can understand the logic, I find fundamental flaws with this argument.

In the cases of sit-in protests, each participant is willingly making the free speech statement involved in shutting down the offending business for that day or period of time. In most, if not all, cases of DDoS, it is done with the aid of botnets, or zombie computers. This means that the people infected with the botnet virus, or other form of compromise, are most times unaware their computer is being used in such a form of protest. That means it is inherently NOT free speech, because the person who is making the statement (each zombie, or bot) is not intentionally making said speech, and would likely not even agree with the protest.

However, if the attack was legitimately conducted by thousands of people jointly flooding the site willingly, I can agree with the argument. That would be pure protest. My issue is that too often it is using unwilling, and unknowing participants to perpetrate the attack.

However, if it is protected free speech, does that mean we as white-hats, or even grey-hats, would be able to use the same form of attack against targets or causes that we disagree with? In short, I believe that legalizing DDoS attacks because they are “Free Speech” opens a Pandora’s box. If it was legalized, I think we would honestly see attacks against companies, causes, and individuals increase dramatically. That would be the same as giving loaded guns to convicts upon their release from prison. Yes, guns are not illegal, and shouldn’t be, but there are restrictions applied to those who have demonstrated they lack the responsibility to handle guns in a safe way.

I created a poll to see what you all think.

Profiling a network, before you attack

My heart grows sad every day when I see yet another news blurb about how some new skiddie crew just PWNED some network and wanted their 15 minutes of e-fame. Many of these attacks are executed sloppily, which is why, before long, most of these crews end up in front of a jury, getting their just rewards, if you will.

Last time, I spoke about the need to keep things secret in this industry. Some people think that is as simple as “I wanna post this secret, so I’ll do it from an alter-ego”. There is still a major problem with that: OTHER PEOPLE KNOW YOU KNOW THE SECRET, and therefore your leak is still traceable back to you. Even if nobody knew about your alter-ego, simply by leaking data you get cross-contamination.

Wow… off topic already. Back to the point at hand. When you start on an attack (in your lab, or by legal means) it is thoroughly unwise to simply start attacking with every known vector in your tool-belt, hoping to compromise a system from the very start. Being a ninja is all about stealth, and attacking the weakest, MOST damaging weakness. One strike to take down a titan.

Your first goal should be to gather information, or “listen” for those who can’t seem to understand what I’m talking about. If you make noise on a network, you run the risk of alerting someone to your presence and having them start patching holes before you ever even have a chance to use them.
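The “listen first” stage described here, and the ARP spoofing item in the dSploit list earlier on this page, can both be illustrated from a packet capture alone. The script below is an added example and is not code from the original posts: it assumes the capture is the text that tcpdump prints with `-e -n arp` (Ethernet header shown, no name resolution), builds a host inventory from what machines say on their own, guesses the gateway as the address everyone keeps resolving, and flags an address that a second MAC starts answering for, which is how an ARP spoof looks from the listening side. The capture lines are constructed for the example, not taken from any real network.

```python
import re
from collections import Counter, defaultdict

# Assumed capture format: one line per frame as printed by "tcpdump -e -n arp".
# Frame source/destination MAC first, then the ARP operation. Lines that do not
# match are ignored, so unrelated noise in the capture does not break parsing.
ARP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype ARP \(0x0806\), length \d+: "
    r"(?:Request who-has (?P<target>\S+) tell (?P<sender>\S+)"
    r"|Reply (?P<claimed>\S+) is-at (?P<mac>[0-9a-f:]{17})), length \d+$"
)

# Constructed sample capture: two clients resolving the gateway and each other,
# then a gratuitous reply from a third MAC claiming the gateway's address.
SAMPLE_CAPTURE = """\
12:00:01.000010 aa:bb:cc:00:00:23 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.0.1 tell 192.168.0.23, length 28
12:00:01.000200 aa:bb:cc:00:00:01 > aa:bb:cc:00:00:23, ethertype ARP (0x0806), length 42: Reply 192.168.0.1 is-at aa:bb:cc:00:00:01, length 28
12:00:02.000010 aa:bb:cc:00:00:42 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.0.1 tell 192.168.0.42, length 28
12:00:02.000200 aa:bb:cc:00:00:01 > aa:bb:cc:00:00:42, ethertype ARP (0x0806), length 42: Reply 192.168.0.1 is-at aa:bb:cc:00:00:01, length 28
12:00:03.000010 aa:bb:cc:00:00:23 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.0.42 tell 192.168.0.23, length 28
12:00:03.000200 aa:bb:cc:00:00:42 > aa:bb:cc:00:00:23, ethertype ARP (0x0806), length 42: Reply 192.168.0.42 is-at aa:bb:cc:00:00:42, length 28
12:00:09.500000 de:ad:be:ef:00:99 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 192.168.0.1 is-at de:ad:be:ef:00:99, length 28
garbage line that is not ARP
"""


def parse_arp_line(line):
    """Return {'ts','op','ip','mac','target'} for one ARP line, or None.

    For a request, ip/mac are the asker (it identifies itself in the frame);
    for a reply, ip/mac are the address being claimed and the MAC claiming it.
    """
    m = ARP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["target"] is not None:
        return {"ts": d["ts"], "op": "request", "ip": d["sender"],
                "mac": d["src"], "target": d["target"]}
    return {"ts": d["ts"], "op": "reply", "ip": d["claimed"],
            "mac": d["mac"], "target": None}


def profile(lines):
    """Build a passive inventory from ARP traffic without sending a packet."""
    claimed_by = defaultdict(set)   # ip -> every MAC that has spoken for it
    asked_for = Counter()           # ip -> number of requests targeting it
    talkers = Counter()             # ip -> number of requests it sent
    alerts = []
    for line in lines:
        rec = parse_arp_line(line)
        if rec is None:
            continue
        ip, mac = rec["ip"], rec["mac"]
        # A second MAC speaking for an address that already had one is the
        # signature of ARP spoofing (or, more innocently, DHCP lease churn).
        if claimed_by[ip] and mac not in claimed_by[ip]:
            alerts.append(f"{rec['ts']} {ip} now claimed by {mac}, "
                          f"previously {sorted(claimed_by[ip])}")
        claimed_by[ip].add(mac)
        if rec["op"] == "request":
            asked_for[rec["target"]] += 1
            talkers[ip] += 1
    # The address everyone keeps resolving is almost always the default gateway.
    gateway = asked_for.most_common(1)[0][0] if asked_for else None
    return {
        "hosts": {ip: sorted(macs) for ip, macs in claimed_by.items()},
        "likely_gateway": gateway,
        "talkers": dict(talkers),
        "alerts": alerts,
    }


if __name__ == "__main__":
    result = profile(SAMPLE_CAPTURE.splitlines())
    print("likely gateway:", result["likely_gateway"])
    for ip, macs in sorted(result["hosts"].items()):
        print(f"  {ip:<16} {', '.join(macs)}")
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

Run it against a real capture with `tcpdump -e -n -l arp | python3 this_script.py` after swapping the sample for `sys.stdin`; nothing is transmitted, which is the whole point of the listening phase. On a busy network expect a handful of lease-churn conflicts per day, so treat a conflict on the gateway address as far more interesting than one on a client address.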

It makes me sick when I’m setting up attacks and some skiddie connects to my fake AP, and all my filters and logs are flooded with garbage. TURN OFF YOUR APPLICATIONS; today almost ALL your software makes calls to the Internet. When you’re attacking, or even listening, do you really think your Dropbox sync is helping? No, it’s sending and receiving more packets and filling up your logs with data you just have to filter out later. Twitter? BE SILENT, FOOL! Some of us are watching you.

When I’m gathering intel, I don’t even have music playing; you need your senses to be aware of your surroundings. You’d be surprised what you hear. In a coffee shop, where I was setting up an attack with a fake “Free Public Wifi”, I overheard some customers talking to each other and it went something like this:
Customer1: “What network are you using?”
Customer2: “This ‘Free Public Wifi’, it’s an open network, and it’s working pretty quick.”

Any idea what we just learned? That there are 2 people using my fake AP, and any number of other customers that overheard them will likely log on soon too. If I had headphones on, I would not have heard that, and yes, I might have noticed more traffic, but now I can listen for more information. For instance, since these two customers are friends and talking to each other, listen for names, or relationship connections that you might be able to exploit. Don’t just dive into attacking, because it’s not going to get you all the information you will need down the road.

Something to try would be to MITM one (or more) of the connections and spy on their streams. Again, here I see people get anxious and start major attacks once they have a confirmed phish on the line. Keep in mind, much like with fishing, you need to get the hook set so your prey doesn’t just flop off the line. In the case of phishing, it’s no different. If you disrupt their internet connection, or make things work poorly, they will likely just look for a different network that doesn’t have problems. So KEEP YOUR LINES CLEAR so you can monitor the flow of data.

Finally, once you’re certain that the phish has taken your bait, SET THE HOOK and REEL them in. With hacking and network security, the biggest phish are worth waiting for; make sure you’re not wasting your effort to catch a ‘minnow’ when you could catch the Great White.

Thank you for reading my ranting about you bastards polluting my networks with your noise. I hope this helps you to think before acting, and as always, ALL actions have consequences. Make sure you can HANDLE the phish you’re trying to catch, and that it won’t EAT you when you pull it out of the water.

-That is all

I love #infosec, but hate Skiddies

I love the Information Security world. I love the free flow of information, and the hard work of great people smarter and more amazing than I who fight every day for your privacy. I’m a hacker; I love to trick you into giving up your privacy, or to work on breaking things.

One of the main problems I’ve seen in the current fighting on the interwebs is that many new hackers try to fight for fame, or their 15 minutes, by releasing some DB. These “hackers” generally use cookie-cutter attacks that they copied off some forum or blog. We “affectionately” call them Script Kiddies (Skiddies) because they have no idea how the attacks they are using work, or WHY, but simply try everything they can find and hope that SOMETHING sticks. This presents a few problems that I would like to outline.

Collateral Damage:
When a company is compromised and the entire database is leaked publicly for the “lulz”, you’re not really hurting the company. You hurt all the users, most of whom have no way to know that an attack happened, or that their account information just got leaked. Compounding that, many of those users reuse the same email/password or username/password combinations on multiple sites to make things easy. This now has impacted other potential customers and companies than the one you were targeting. Many who hack under the banner of Anonymous claim they are targeting companies and governments for corruption and that they are trying to help the users, but by releasing the data in the manner that happens most often lately, they do the opposite.

Trust, or the Lack of:
Our industry is an industry of secrets. A secret is the most important and powerful weapon you can wield, and when you scream from the rooftops that you have no ability to keep a secret, you will not gain the trust of ANYONE, and you stand a great chance of losing any trust you have managed to acquire in a field where trust is everything.

Placing Bullseye on your back:
The last drawback I’ll cover regarding public release of data is that you instantly place a target on your back. The government really seems to be working hard lately on busting hackers, so when you announce “HEY LOOK OVER HERE, I’M DOING ILLEGAL THINGS”, all it does is get you in trouble.

I enjoy hacking as much as anyone else; I just worry that all the negative attention that’s coming from skiddies is going to undo much of the hard work to bring hacking to the front lines as a legitimate industry.

Wardriving and how a business should NOT host a wireless hotspot

The other day I was out wardriving and testing out some Android apps. I found that I really like WiGLE; it syncs with GPS and Google Maps, all while having a pretty decent refresh rate for each network scan. While no Android app I’ve used, nor the hardware, can match the robust power of a laptop running Kismet, the nice thing about the Android apps is the size of the phone and the ease of charging while driving. Most people use their Android phone for their turn-by-turn GPS, so it doesn’t draw attention when mounted in the car (running a map program) while you’re really logging all networks in the area.

While I was driving around, I found many companies are still running open wireless networks, which piqued my interest. I started with a coffee shop, but they were smart enough to password protect their routers, and there were no customers for me to attack. I kept driving around and noticed another shop that had a wireless network going. I stopped outside and fired up my laptop. The first thing I did was run ‘netstat -nr’ to find the router’s address. When I opened the router in Firefox, I was alarmed that I was not even prompted for a username or password, and I was able to modify any of the administration settings. To confirm that I wasn’t just getting read-only access, I used the website filter to block Twitter, Facebook, and Google. Once I got the screenshots confirming that devices trying to access those resources were blocked… I turned the blocking off; don’t need anyone to know I’d been here.

The next steps require a root terminal, so I fire one up and run netdiscover -i wlan0 -r 192.168.0.0/24 -P > netdiscover.txt (this will give me a quick list of hosts alive on the network). I immediately make sure I grab an nmap scan too, for some extra data to help in picking my victim:
nmap 192.168.0.0/24 > nmap.txt. I then set my sights on a PC with a Samba port open, connect to it as guest, and get access to all shares, so the My Documents share is where I was really interested to look. To my horrified surprise, I found a treasure trove of information: a file titled “Logins.doc”. I thought “I wonder what that is?” and sure enough, it was a username/password file that held all the website usernames and passwords they use for various ordering websites. The folder “My Scans”… well, you guessed it: scanned invoices, complete with customer contact, address, service, and so much more.
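Both this walkthrough and the tire-shop NAS post earlier on this page end up doing the same triage by eye: read the host list, find the box with a file share open (and, in this case, a desktop named after the store), and go there first. The script below is an added example, not code from the original posts. It assumes the scan was saved in nmap’s grepable format (`nmap -oG nmap.txt 192.168.0.0/24`, a real nmap option, rather than the plain redirect used above) and ranks hosts by the services a small-business network should never expose to its guest WiFi. The scan output, hostnames and port weights are all constructed for the example.

```python
import re

# Ports worth a second look on a flat shop network, with a weight: file
# shares first (that is where a LOGINS file ends up), then admin interfaces.
# The weights are this example's own choice, not any nmap scoring.
INTERESTING = {
    445: ("microsoft-ds", 5), 139: ("netbios-ssn", 4), 2049: ("nfs", 5),
    21: ("ftp", 3), 23: ("telnet", 3), 80: ("http", 2), 443: ("https", 2),
    22: ("ssh", 1),
}

# One "Host:" line of nmap's grepable output (-oG): IP, hostname in parentheses
# (empty when unresolved), then tab-separated fields such as "Status: Up" or
# "Ports: 445/open/tcp//microsoft-ds///, ...".
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\t(?P<rest>.*)$")

# Constructed sample in -oG layout (tabs are real tabs in the string).
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Sun Jun 23 22:10:01 2013 as: nmap -oG nmap.txt 192.168.0.0/24
Host: 192.168.0.1 (router)\tStatus: Up
Host: 192.168.0.1 (router)\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.0.15 (SHOP-PC)\tStatus: Up
Host: 192.168.0.15 (SHOP-PC)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 192.168.0.20 (nas)\tStatus: Up
Host: 192.168.0.20 (nas)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)
Host: 192.168.0.37 (android-7f3a)\tStatus: Up
Host: 192.168.0.37 (android-7f3a)\tPorts: 5555/closed/tcp//freeciv///\tIgnored State: closed (999)
# Nmap done at Sun Jun 23 22:11:40 2013 -- 256 IP addresses (4 hosts up) scanned in 99.02 seconds
"""


def parse_grepable(text):
    """Map each IP to its hostname and a {port: service} dict of open ports."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:                      # comment lines, "Nmap done", etc.
            continue
        entry = hosts.setdefault(m.group("ip"), {"name": m.group("name"), "ports": {}})
        for field in m.group("rest").split("\t"):
            if not field.startswith("Ports: "):
                continue
            for spec in field[len("Ports: "):].split(", "):
                # port/state/protocol/owner/service/rpc info/version/
                parts = spec.split("/")
                if len(parts) >= 5 and parts[1] == "open":
                    entry["ports"][int(parts[0])] = parts[4]
    return hosts


def rank_targets(hosts, name_hints=()):
    """Score hosts by exposed services and telling hostnames; highest first.

    name_hints are words (the business name, for instance) that, if they appear
    in a hostname, mark the machine as the one the owner actually works on.
    """
    ranked = []
    for ip, h in hosts.items():
        score, reasons = 0, []
        for port in sorted(h["ports"]):
            if port in INTERESTING:
                score += INTERESTING[port][1]
                reasons.append(f"{port}/{h['ports'][port] or INTERESTING[port][0]}")
        if any(hint and hint.lower() in h["name"].lower() for hint in name_hints):
            score += 3
            reasons.append(f"hostname {h['name']!r} matches the business name")
        if score:
            ranked.append((score, ip, reasons))
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return ranked


if __name__ == "__main__":
    for score, ip, reasons in rank_targets(parse_grepable(SAMPLE_SCAN), name_hints=("shop",)):
        print(f"{score:>3}  {ip:<16} {'; '.join(reasons)}")
```

The same ranking reads as a defender’s to-do list: anything that scores at all from the guest side of the network is something that should have been on a separate segment, which is the fix the tire-shop post asks for. Note that the scan itself is the noisy part; the post’s advice to listen first still applies, and this script only orders what a scan already produced.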

All this prompted me to write this blog post detailing what NOT to do on your small business wireless network. I will lay out a few minor things that would help keep this poor company, and their customers, from being vulnerable to data theft.

Step 1) Put a password on the router. Their router was an “Actiontec PK5000”, and with a quick Google search I found the user manual, which states that by default there is no password for the router, to allow for “easy” configuration. It also states that as long as no password is set, it will not prompt for login information. Simply putting a password on the router would cause it to require a login to view and edit the configuration.

Step 2) Don’t name your desktop after the store. That gave me a bullseye to start looking for where the best information is. Instead, use random names that will mean NOTHING to an attacker, or even someone who is looking around.

Step 3) Enable WPA2 encryption on the wireless access point. Even if you want your customers to be able to access the network while they are waiting for service, or eating, or whatever you might do at your particular business, putting a password on your wireless network will prevent most attackers from starting an attack from your parking lot, where you might never even know something is happening. All you would need to do is have the customer ask you for your password, and they can connect. Granted, an attacker could do the same thing, but then he’s been on camera, you’ve seen his face, and likely he’s a customer and you have his information to give to the police in case something bad DOES happen.

Step 4) Back up sensitive data to an encrypted external device, and do not keep it on the network for everyone to access. You could use a portable hard drive, USB key, or any number of devices that you would be able to lock in your company safe and only remove to do your backup. Once the data is backed up, delete it off the computer.

Even following these four simple steps would protect your small business from a lazy or impatient hacker. There is a saying: “If my friend and I are being chased by a bear, I don’t have to outrun the bear, I just need to outrun my friend.” The same is true for security. If you have a better protected network than your neighbor, your neighbor is the one with the target.

Just some advice from your friendly neighborhood network ninja.

-DarkLordZim