Password 101: how to suck at security

Password 101: how to suck at security.

(Totally not a satire post…. Totally…)

1. Always Use a simple password.
2. Always write it down.
3. Always Use the same password for everything.
4. Never change your password. Continue reading

Advertisements

Why hackers should oppose government

I suppose I could sum up an entire article with “because they lie”. However I don’t think that would cover the complexity of the issue at hand. Hackers, by both profession and mentality, question authority and push the status quo. By no means, do I mean “Hacker” as the black hat sitting in mommy’s basement in a poorly lit room purposely stealing credit card and identity information; by hacker, I am talking about someone who tinkers and tries to improve the way things are currently done.

The government, any government, is by it’s nature the opposite of the hacker mentality. We try to empower individuals to be self-reliant and build their own life where nobody can tell them how to live. Government tries to consolidate the power into a central entity that distributes resources to fit its goals, even if those under its authority disagree.

Right now, I see too much support for government from others. It’s starting to feel like everyone has forgotten that America was formed by revolutionaries fighting against oppression. Simply because we didn’t want to be told what we could do, and who we could do it with. Yes, laws have a place, but too many laws are bad because it becomes more possible to break the law.

That is what brings me to hackers. Right now, network security is a very dangerous field, and doing things 100% legally makes it hard to find the security holes. If you stumble upon big security problems but didn’t have a contract set up first, you risk possible jail time for disclosing it to the business, even when done discreetly as to not alert everyone and cause panic. Being a security good Samaritan is strongly discouraged because of government.

Think about it this way. Pretend you’re a kid and the government is your parent. when you were a kid, and your parents had a really stupid rule, or the rule was no longer needed, what did you do? You probably talked to your parents to change the rule, and they likely said “no”. For me, I had to break the rule in a way as to show i could act responsibly and the ONLY thing they could punish me for was breaking a rule that was silly. Sometimes, I would get punished. Sometimes, they would finally get the point. But the point is, for change to happen, rules need to be challenged and broken. This is at the very core of who a hacker is: we question EVERYTHING.

I don’t care if you’re a Republican, Democrat, anarchist, or communist, you should still oppose government intervention into our lives, and everyone’s lives. Do you really think that making a new law is going to stop criminals who are ALREADY breaking the law? No, you’re going to create new criminals. At the very least, current laws need to be enforced in full, so EVERYONE feels the pain of these oppressive laws. If you wouldn’t apply a law to EVERYONE, you shouldn’t have the law in the first place.

Hackers should unite against government power, fight against stupid laws intended to single out people, and fight for the little guy, because guess what, hackers? We’re the little guy. We are the antihero. We walk the thin line between good and bad. We need to push authority. We serve a vital role for change.

Stop wasting it!

I was thinking, after I hit “publish”; When I speak of a hacker, I speak of someone who questions things, someone who needs to know “why”, someone who strives for better than “okay”… I speak of myself, my friends, my family, hopefully, I am speaking to YOU as well.

Privacy, is it dead?

So, it’s been a couple of weeks since the NSA “PRISM” was leaked. Outrage followed, but seems to have died down. Which got me thinking, most people I know are their own worst enemies when it comes to their own privacy and important information.

How many of you have Facebook? Most people do. Now, let me be clear, I don’t use Facebook and haven’t for a long time, but my wife does.

Everyone has started to post play by play updates so EVERYONE can know what they are doing. The problem is then, how can you get mad the government collected the data? You posted it in the internet equivalent of screaming in the downtown square, then getting mad someone wrote down what you yelled.

Don’t get me wrong, what the NSA is doing, is wrong; however most people are not taking even the slightest steps to guard their privacy. This makes it very hard moving forward, because it gives us another “lesser of two evils” scenario: Do we give up, and let the government monitor everything we do? Or do we punish those who even stumble on publicly published information that is sensitive in nature for “hacking”

What I think really needs to happen is that people need to start taking privacy seriously. I can’t count how often I have gotten after my family for posting information that could be used against them, and without fail, they ALWAYS seem surprised that what they posted wasn’t private.

Read the end user license agreements for all of the software, and websites you use, they always list what they do with information that travels through their services. Is unfair to get mad at companies and government for spying when you click “I accept” without reading the terms of service.

For this problem to change, it’s going to take a shift in our mentality, not just more useless legislation to supposedly limit the government, even though they already ignore the laws currently on the books, how is another law going to fix things?

Simple solution: Stop being stupid!

Do you know who’s using your WiFi? Or how to check?

This may sound like a stupid question, but in reality most people don’t. I work in IT support, the customers I support all work from home, or on the road. Many have no idea even what devices are connected to their network, let alone how to set encryption.

My goal for this post is to show you some easy ways to map your network, to ensure only devices you want are using your network. Rogue devices can negativity impact your network in a variety of ways. An attacker could steal your passwords or files, a poorly functioning device could cause internet speeds to drop to a crawl, or even disconnect your computers from the net.

That said, it is easy to monitor your network, and at a very minimum you should audit network usage twice a month (I do it almost daily, because it really only takes seconds to check).

The quickest way to get an idea of who or what is connected on your network is a ping scan, there is an app built specifically for network mapping and even some troubleshooting on android called ‘Fing’ it will report all live ip addresses, along with the manufacturer of the devices network card. Once you have the list of connected/live devices, Fing will let you troubleshoot each device. Some of the things I do with Fing are; port scanning, connecting to windows shared drives, ftp. here is a link to Fing in the play store.

image

Here is a shot of Fing in action

Some of us that are hyper focused on the security of our networks, even go so far as building lightweight intrusion detection systems, but I would not expect that an average person would take the time to learn how to set one up, or even pay the huge prices charged by others to do it. Simply scanning your network is a great step in protecting your digital privacy, if you notice connected devices that shouldn’t be there, you can adjust settings within your routers configuration to block the device.

I will write a follow-up post, with some windows, and Linux tools that are user friendly, and give similar function to Fing on android. I would also like to note that Fing is also available on iOS, but it has been awhile since I used it as I avoid my iPad like the plague.

If you have concerns or questions, feel free to hit me up on Twitter @DarkLordZim or email DarkLordZim@gmail.com

Disclosure: Small business and offering “free” WiFi – what NOT to do

In the interest of what I ran into last night, I will share what horrible networking practices this business I stumbled upon was employing. I was driving past a local tire shop, and noticed they had an open Wi-Fi network named “Goodyear”. So I thought to myself “let’s just take a peek at what is accessible to why user”.

There was no authentication agreement once connected, no ‘rules of conduct’ if you will that even most coffee shop networks toss up at users. Lately I have been using my nexus 7 to see just how much mayhem I am able to cause, without looking suspicious with a laptop.

Once I connected to the network, I fired up Dsniff to analyze the network layout. There was a curious hostname, with a Netgear device signature, that I felt warranted a look. So I scanned the services, and noticed a network share was the only service available, signaling this was likely a NAS device. A NAS on a open public WiFi, I could only dream what treasures lay within its storage.

Using ES File Manager’s built in Samba services to connect, for fun I try using the default ‘Guest’ account, and tada, I’m presented with a share and the secret share data. In the root of the ‘My Documents’ folder, I find a fun file named ‘LOGINS.rtf’ and save it to my tablet for later review.

The business is closed, nobody inside, and yet TONS of information, just waiting to be plucked. If the NAS was so easy, I open chrome and browse to the router login page, yet again, default username/password. I have to verify root login so I adjust the filter settings on the router to block all requests for Google.com, Facebook.com, and twitter.com; and low and behold, it was successful.

I am sharing this, so that anyone running a small business will take serious caution to ensure that their sensitive data, is segregated from the public WiFi network. It can be done very simply, even with regular routers from best buy. Please do not think that offering ‘free’ wireless will be positive for your customers. Their data is valuable and if they are compromised because your system was poorly managed, that will reflect poorly on you.

Setting up you HackLab

I’ve been thinking about something I hear from people often. “I can’t afford a hacking lab, so how can I practice legally?” It’s something that I have never struggled with, but for some reason, seems to be used as some kind of “Pass” for hacking random systems as long as no damage is done. Let me be clear, Hacking any system without permission is not only illegal but immoral and ill-advised.

The Key Components of a Hacking Lab:
Before we start building the lab, we must first define what the key pieces of the lab are. Since most lab environments are meant to emulate a real life network or situation, what you will need is a server, router, and attack computer. I fall victim to the fantasy of what I “Want” in my lab. The big powerful server(s) and multiple routers, subnets, and a super-powerful elite laptop for attacking it all from. however, that just isn’t the case of what you NEED in most cases.

You can use any old computer for a server, a server simply means a dedicated computer to run software. If you upgrade to a new PC, use your old one as a server and attack it, why not? if all else fails, set up a Virtual machine.

I say you need a router, so you can create your own sub-net on your network, protecting all the other computers from your attacks and traffic manipulation. You can buy a brand new wireless router for $50 at best buy, so if you look around for refurbished, or used routers, you can likely score one for free or near free.

you already have an attacker machine, its the machine you’re sitting in front of right now, or the one you have your hacking tools installed on. if you are just starting with hacking and don’t know what tools you’ll need, boot a live disk of Backtrack Linux, it comes preloaded with many of the tools that pen-testers need.

The bottom line is that there is absolutely no excuse to need to attack a network or computer that is not your own when you do not have permission to do so. Attacking any system that doesn’t belong to you can land you in jail, or at least get you a few hefty fees to pay.

Profiling a network, before you attack

My heart grows sad everyday when I see yet another news blurb about how some new skiddie crew just PWNED some network and wanted their 15 minutes of e-fame. Many of these attacks are executed sloppily which is why, before long, most of these crews end up in front of a jury. Getting their just rewards, if you will.

Last time, I spoke about the need to keep things secret in this industry. Some people think that is as simple as “I wanna post this secret, so I’ll do it from an alter-ego” there is still a major problem with that; OTHER PEOPLE KNOW YOU KNOW THE SECRET, and therefore your leak is still traceable back to you. even if nobody knew about your alter-ego, simply by leaking data you get cross-contamination.

Wow.. off topic already. Back to the point at hand. When you start on an attack (in your lab, or by legal means) it is throughly unwise to simply just start attacking with every known vector in your tool-belt hoping to compromise a system from the very start. Being a ninja, is all about stealth, and attacking the weakest, MOST damaging weakness, One strike to take down a titan.

Your first goal, should be to gather information, or “listen” for those who can’t seem to understand what i’m talking about. If you make noise on a network, you run the risk of alerting someone to your presence and having them start patching holes, before you ever even have a chance to use it.

It makes me sick, when I’m setting up attacks, and some Skiddie connects to my fake AP, and all my filters and logs are flooded with garbage. TURN OFF YOUR APPLICATIONS, today almost ALL your software makes calls to the Internet. When you’re attacking, or even listening. do you really think your Dropbox sync is helping? no, its sending and receiving more packets and filling up your logs with data you just have to filter out later. Twitter? BE SILENT FOOL! some of us are watching you.

When I’m gathering intel, I don’t even have music playing, you need your senses to be aware of your surroundings. you’d be surprised what you hear. In a coffee shop, where I was setting up an attack with a fake “Free Public Wifi” I overheard some customers talking to each other and it went something like this:
Customer1: “What network are you using?
Customer2: “This ‘Free Public Wifi’, its an open network, and its working pretty quick”

Any idea what we just learned? that there are 2 people using my Fake AP, and any number of other customers that overheard them, will likely log on soon too. If I had headphones on, I would not have heard that and yes, I might have noticed more traffic, but I can now listen for more information. For instance, since these two customers are friends and talking to each other, listen for Names, or relationship connections that you might be able to exploit. Don’t just dive into attacking, because its not going to get you all the information you will need down the road.

Something to try, would be to MITM one (or more) of the connections, and spy on their streams. Again, here I see people get anxious and start major attacks once they have a confirmed phish on the line. Keep in mind, much like with fishing, you need to get the hook set, so your prey doesn’t just flop off the line. In the case of Phishing, its no different. If you disrupt their internet connection, or make things work poorly, they will likely just look for a different network that doesn’t have problems. so KEEP YOUR LINES CLEAR so you can monitor the flow of data.

Finally, once you’re certain that the phish has taken your bait, SET THE HOOK and REEL them in. With hacking, and network security, the biggest phish are worth waiting for, you can be sure you’re not wasting your effort to catch a ‘minnow’ and actually catch the Great White.

Thank you for reading my ranting about you bastards polluting my networks with your noise. I hope this helps you to think before acting, and as always, ALL actions have consiquences, make sure you can HANDLE the phish you’re trying to catch, and that it wont EAT you when you pull it out of the water.

-That is all