Password 101: how to suck at security

Password 101: how to suck at security.

(Totally not a satire post…. Totally…)

1. Always Use a simple password.
2. Always write it down.
3. Always Use the same password for everything.
4. Never change your password. Continue reading

Advertisements

Why hackers should oppose government

I suppose I could sum up an entire article with “because they lie”. However I don’t think that would cover the complexity of the issue at hand. Hackers, by both profession and mentality, question authority and push the status quo. By no means, do I mean “Hacker” as the black hat sitting in mommy’s basement in a poorly lit room purposely stealing credit card and identity information; by hacker, I am talking about someone who tinkers and tries to improve the way things are currently done.

The government, any government, is by it’s nature the opposite of the hacker mentality. We try to empower individuals to be self-reliant and build their own life where nobody can tell them how to live. Government tries to consolidate the power into a central entity that distributes resources to fit its goals, even if those under its authority disagree.

Right now, I see too much support for government from others. It’s starting to feel like everyone has forgotten that America was formed by revolutionaries fighting against oppression. Simply because we didn’t want to be told what we could do, and who we could do it with. Yes, laws have a place, but too many laws are bad because it becomes more possible to break the law.

That is what brings me to hackers. Right now, network security is a very dangerous field, and doing things 100% legally makes it hard to find the security holes. If you stumble upon big security problems but didn’t have a contract set up first, you risk possible jail time for disclosing it to the business, even when done discreetly as to not alert everyone and cause panic. Being a security good Samaritan is strongly discouraged because of government.

Think about it this way. Pretend you’re a kid and the government is your parent. when you were a kid, and your parents had a really stupid rule, or the rule was no longer needed, what did you do? You probably talked to your parents to change the rule, and they likely said “no”. For me, I had to break the rule in a way as to show i could act responsibly and the ONLY thing they could punish me for was breaking a rule that was silly. Sometimes, I would get punished. Sometimes, they would finally get the point. But the point is, for change to happen, rules need to be challenged and broken. This is at the very core of who a hacker is: we question EVERYTHING.

I don’t care if you’re a Republican, Democrat, anarchist, or communist, you should still oppose government intervention into our lives, and everyone’s lives. Do you really think that making a new law is going to stop criminals who are ALREADY breaking the law? No, you’re going to create new criminals. At the very least, current laws need to be enforced in full, so EVERYONE feels the pain of these oppressive laws. If you wouldn’t apply a law to EVERYONE, you shouldn’t have the law in the first place.

Hackers should unite against government power, fight against stupid laws intended to single out people, and fight for the little guy, because guess what, hackers? We’re the little guy. We are the antihero. We walk the thin line between good and bad. We need to push authority. We serve a vital role for change.

Stop wasting it!

I was thinking, after I hit “publish”; When I speak of a hacker, I speak of someone who questions things, someone who needs to know “why”, someone who strives for better than “okay”… I speak of myself, my friends, my family, hopefully, I am speaking to YOU as well.

Privacy, is it dead?

So, it’s been a couple of weeks since the NSA “PRISM” was leaked. Outrage followed, but seems to have died down. Which got me thinking, most people I know are their own worst enemies when it comes to their own privacy and important information.

How many of you have Facebook? Most people do. Now, let me be clear, I don’t use Facebook and haven’t for a long time, but my wife does.

Everyone has started to post play by play updates so EVERYONE can know what they are doing. The problem is then, how can you get mad the government collected the data? You posted it in the internet equivalent of screaming in the downtown square, then getting mad someone wrote down what you yelled.

Don’t get me wrong, what the NSA is doing, is wrong; however most people are not taking even the slightest steps to guard their privacy. This makes it very hard moving forward, because it gives us another “lesser of two evils” scenario: Do we give up, and let the government monitor everything we do? Or do we punish those who even stumble on publicly published information that is sensitive in nature for “hacking”

What I think really needs to happen is that people need to start taking privacy seriously. I can’t count how often I have gotten after my family for posting information that could be used against them, and without fail, they ALWAYS seem surprised that what they posted wasn’t private.

Read the end user license agreements for all of the software, and websites you use, they always list what they do with information that travels through their services. Is unfair to get mad at companies and government for spying when you click “I accept” without reading the terms of service.

For this problem to change, it’s going to take a shift in our mentality, not just more useless legislation to supposedly limit the government, even though they already ignore the laws currently on the books, how is another law going to fix things?

Simple solution: Stop being stupid!

Disclosure: Small business and offering “free” WiFi – what NOT to do

In the interest of what I ran into last night, I will share what horrible networking practices this business I stumbled upon was employing. I was driving past a local tire shop, and noticed they had an open Wi-Fi network named “Goodyear”. So I thought to myself “let’s just take a peek at what is accessible to why user”.

There was no authentication agreement once connected, no ‘rules of conduct’ if you will that even most coffee shop networks toss up at users. Lately I have been using my nexus 7 to see just how much mayhem I am able to cause, without looking suspicious with a laptop.

Once I connected to the network, I fired up Dsniff to analyze the network layout. There was a curious hostname, with a Netgear device signature, that I felt warranted a look. So I scanned the services, and noticed a network share was the only service available, signaling this was likely a NAS device. A NAS on a open public WiFi, I could only dream what treasures lay within its storage.

Using ES File Manager’s built in Samba services to connect, for fun I try using the default ‘Guest’ account, and tada, I’m presented with a share and the secret share data. In the root of the ‘My Documents’ folder, I find a fun file named ‘LOGINS.rtf’ and save it to my tablet for later review.

The business is closed, nobody inside, and yet TONS of information, just waiting to be plucked. If the NAS was so easy, I open chrome and browse to the router login page, yet again, default username/password. I have to verify root login so I adjust the filter settings on the router to block all requests for Google.com, Facebook.com, and twitter.com; and low and behold, it was successful.

I am sharing this, so that anyone running a small business will take serious caution to ensure that their sensitive data, is segregated from the public WiFi network. It can be done very simply, even with regular routers from best buy. Please do not think that offering ‘free’ wireless will be positive for your customers. Their data is valuable and if they are compromised because your system was poorly managed, that will reflect poorly on you.

Wireless hacking on android

With the power of the tablets coming out now, and the open platform that Linux provides, there is a great opportunity for hacking from an easily hidden, Trojan style device with lots of power to allow us to do many different wireless attacks.

Possible attacks:
1. ARP spoofing
2. Ssl stripping
3. Session hijacking
4. Vuln scanning
5. Port and service scams

These are just a few features available in a tool called

Dsploit

. Using the application you can select all kinds of attack vectors, you can capture packets in a pcap dump for reading in Whitehall later.

It works well in a small networks and labs, but my next task is to blow up a public network and see what I’m able to find. If the located information is enough, I will approach face to face with data, and options on how to fix their problems.

Other WiFi tools in my toolbox include, droidsheep, ding (network scanner), connectbot, and sshdroid.

I will be writing a follow up on how to use the tools, and talk about the other tools.

New stupid crime trend

We have all heard of the rising popularity of ransomware, in today’s virus scene. Today I learned about a trend that for the criminal is dangerous and stupid.

Apparently, would be criminals are stealing cell phones, then calling the victim and demanding a ransom at a specified time and place. For those of us who deal with security, this quickly stands out as stupid for many reasons, but most obvious I’d that all phones by law are required to be gps enabled.

Those of us who install anti theft software, are able to remotely track our phone, and provide police with the location data, along with ransom demand details, or if we felt strongly enough, we could just go get it ourselves. Those not so technically inclined can have the police track the phone by aid of the phone company.

Overall, stealing a phone, especially for ransom, just seems idiotic.

Should DDoS be Protected as Free Speech?

I read an article today, that quoted the lawyer representing some Anonymous folks saying that he thinks DDoS is a form of free speech, and should be protected as such. He equated it to the civil rights demonstrations where people would crowd a venue to the point that “Legitimate” customers were unable to use their services. While I can understand the logic, I find fundamental flaws with this argument.

In the cases of Sit-in protests, each participant is willingly making the free speech statement involved in shutting down the offending business for that day or period of time. in most, if not all cases of DDoS, it is done with the aid of bot nets, or zombie computers. this means that the people infected with the bot net virus, or other form of compromise, are most times unaware their computer is being used in such a form of protest. That means it is inherently NOT free speech, because the person who is making the statement (each zombie, or bot) is not intentionally making said speech, and would likely not even agree with the protest.

However, if the attack was legitimately conducted by thousands of people jointly flooding the site willingly, I can agree with the argument. That would be pure protest. My issue is that too often it is using unwilling, and unknowing participants to perpetrate the attack.

However, if it is protected free speech, does that mean we as white-hats, or even grey-hats be able to use the same form of attack against our targets or causes that we disagree with? In short, I think that legalizing DDoS attacks because they are “Free Speech” I believe opens a pandora’s box. If it was legalized, I think we would honestly see a much larger scale of attacks against companies, causes, and individuals increase dramatically. That would be the same as giving loaded guns to convicts upon their release from prison. Yes, guns are not illegal, and shouldn’t be, but there are restrictions applied to those who have demonstrated they lack the responsibility to handle guns in a safe way.

I created a poll, to see what you all think