Disclosure: Small business and offering “free” WiFi – what NOT to do

Given what I ran into last night, I will share the horrible networking practices the business I stumbled upon was employing. I was driving past a local tire shop and noticed they had an open Wi-Fi network named “Goodyear”. So I thought to myself, “let’s just take a peek at what is accessible to any user”.

There was no acceptable-use agreement once connected, no ‘rules of conduct’, if you will, that even most coffee shop networks toss up at users. Lately I have been using my Nexus 7 to see just how much mayhem I am able to cause without looking suspicious with a laptop.

Once I connected to the network, I fired up dsniff to analyze the network layout. There was a curious hostname, with a Netgear device signature, that I felt warranted a look. So I scanned its services and noticed a network share was the only service available, signaling this was likely a NAS device. A NAS on an open public Wi-Fi: I could only dream what treasures lay within its storage.

Using ES File Manager’s built-in Samba client to connect, for fun I tried the default ‘Guest’ account, and ta-da, I was presented with a share and its supposedly secret data. In the root of the ‘My Documents’ folder I found a fun file named ‘LOGINS.rtf’ and saved it to my tablet for later review.

The business was closed, nobody inside, and yet TONS of information was just waiting to be plucked. Since the NAS was that easy, I opened Chrome and browsed to the router login page, and yet again, default username/password. To verify the login actually had administrative rights, I adjusted the filter settings on the router to block all requests for Google.com, Facebook.com and Twitter.com; and lo and behold, it worked.

I am sharing this so that anyone running a small business will take serious care to ensure that their sensitive data is segregated from the public Wi-Fi network. It can be done very simply, even with regular routers from Best Buy: most consumer routers offer a separate guest SSID that isolates guest clients from the wired LAN and from each other. Turn that on, change the router’s default admin password, and disable guest access on any NAS. Please do not assume that offering ‘free’ wireless is automatically a positive for your customers. Their data is valuable, and if they are compromised because your system was poorly managed, that will reflect poorly on you.
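The quickest way to know whether a guest network is actually segregated is to join the guest SSID and try to reach the private gear from there. The script below is an added example, not code from the original post: it attempts a plain TCP connect to each target and reports anything that answers. The addresses and ports (a router admin page on 192.168.1.1, a NAS on 192.168.1.50 exposing SMB and a web UI) are assumptions standing in for whatever you run; replace them with your own. A completed handshake is enough to fail the check, because that alone proves the guest side can talk to the service; the page’s guest-login test against the share is a separate step you would only bother with if this one fails.

```python
"""Guest-network isolation check (added example, not from the original post).

Run this from a laptop or phone joined to the *guest* SSID. Every entry in
TARGETS is an assumption standing in for the NAS, the router admin page and
other LAN gear the post describes; replace them with your own addresses.
If any of them answers, the guest network is not segregated from the LAN.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed list of (label, host, port); the addresses are assumptions.
TARGETS: List[Tuple[str, str, int]] = [
    ("router admin (HTTP)", "192.168.1.1", 80),
    ("router admin (HTTPS)", "192.168.1.1", 443),
    ("NAS SMB share", "192.168.1.50", 445),
    ("NAS web UI", "192.168.1.50", 80),
]

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes.

    A completed handshake is all we need: it proves the guest SSID can reach
    the service, which is exactly what guest isolation is supposed to prevent.
    Refused, timed out and unresolvable targets all count as blocked.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def isolation_report(targets, probe: Probe = tcp_probe) -> Dict[str, bool]:
    """Map each target label to whether it was reachable from this network.

    `probe` is injectable so the logic can be exercised without a live LAN.
    """
    return {label: probe(host, port) for label, host, port in targets}


def is_isolated(report: Dict[str, bool]) -> bool:
    """True only when nothing on the private LAN answered."""
    return not any(report.values())


if __name__ == "__main__":
    report = isolation_report(TARGETS)
    for label, reachable in report.items():
        print(f"{'REACHABLE' if reachable else 'blocked  '}  {label}")
    print("guest isolation:", "OK" if is_isolated(report) else "FAILED")
```

Run it twice: once from the guest SSID, where every line should read "blocked", and once from the private network, where the router and NAS should show up, so you know the probe itself works and a clean guest-side result is not just a typo in the address list.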


New stupid crime trend

We have all heard of the rising popularity of ransomware in today’s malware scene. Today I learned about a trend that, for the criminal, is both dangerous and stupid.

Apparently, would-be criminals are stealing cell phones, then calling the victim and demanding a ransom at a specified time and place. For those of us who deal with security, this quickly stands out as stupid for many reasons, but the most obvious is that all phones are required by law to be GPS enabled.

Those of us who install anti-theft software are able to remotely track our phones and provide police with the location data along with the ransom demand details, or, if we felt strongly enough, we could just go get it ourselves. Those not so technically inclined can have the police track the phone with the aid of the phone company.

Overall, stealing a phone, especially for ransom, just seems idiotic.

Setting up your HackLab

I’ve been thinking about something I hear from people often: “I can’t afford a hacking lab, so how can I practice legally?” It’s something I have never struggled with, but for some reason it seems to be used as some kind of “pass” for hacking random systems as long as no damage is done. Let me be clear: hacking any system without permission is not only illegal but immoral and ill-advised.

The Key Components of a Hacking Lab:
Before we start building the lab, we must first define what the key pieces of the lab are. Since most lab environments are meant to emulate a real-life network or situation, what you will need is a server, a router, and an attack computer. I fall victim to the fantasy of what I “want” in my lab: big powerful server(s), multiple routers and subnets, and a super-powerful elite laptop for attacking it all from. However, that just isn’t what you NEED in most cases.

You can use any old computer for a server; a server simply means a dedicated computer to run software. If you upgrade to a new PC, use your old one as a server and attack it, why not? If all else fails, set up a virtual machine.

I say you need a router so you can create your own subnet on your network, protecting all the other computers from your attacks and traffic manipulation. You can buy a brand new wireless router for $50 at Best Buy, so if you look around for refurbished or used routers, you can likely score one for free or near free.

You already have an attacker machine: it’s the machine you’re sitting in front of right now, or the one you have your hacking tools installed on. If you are just starting with hacking and don’t know what tools you’ll need, boot a live disc of BackTrack Linux (since succeeded by Kali Linux); it comes preloaded with many of the tools that pen-testers need.

The bottom line is that there is absolutely no excuse to attack a network or computer that is not your own when you do not have permission to do so. Attacking any system that doesn’t belong to you can land you in jail, or at least leave you with a few hefty fines to pay.

Should DDoS be Protected as Free Speech?

I read an article today that quoted the lawyer representing some Anonymous folks saying that he thinks DDoS is a form of free speech and should be protected as such. He equated it to the civil rights demonstrations where people would crowd a venue to the point that “legitimate” customers were unable to use its services. While I can understand the logic, I find fundamental flaws in this argument.

In the case of sit-in protests, each participant is willingly making the free speech statement involved in shutting down the offending business for that day or period of time. In most, if not all, cases of DDoS, it is done with the aid of botnets, or zombie computers. This means that the people infected with the botnet malware, or some other form of compromise, are usually unaware their computer is being used in such a form of protest. That means it is inherently NOT free speech, because the party who is making the statement (each zombie, or bot) is not intentionally making said speech, and would likely not even agree with the protest.

However, if the attack was legitimately conducted by thousands of people jointly and willingly flooding the site, I can agree with the argument. That would be pure protest. My issue is that too often it uses unwilling and unknowing participants to perpetrate the attack.

And if it is protected free speech, does that mean that we as white hats, or even grey hats, would be able to use the same form of attack against targets or causes that we disagree with? In short, I believe that legalizing DDoS attacks as “free speech” opens a Pandora’s box. If it were legalized, I think we would honestly see attacks against companies, causes, and individuals increase dramatically. That would be the same as giving loaded guns to convicts upon their release from prison. Yes, guns are not illegal, and shouldn’t be, but there are restrictions applied to those who have demonstrated they lack the responsibility to handle guns in a safe way.

I created a poll to see what you all think.

To Cloud or not to Cloud? That is the question.

So today I read a nice little article about Dropbox being hacked again. They claim it was because of a third-party leak: attackers were able to use email/password combinations leaked elsewhere to access some Dropbox accounts, including an employee account that contained user information. In the interest of full disclosure, I’ll admit I have some Dropbox accounts, but unlike the average user, anything I put in mine I encrypt myself, AND I never put anything confidential or sensitive inside my cloud account.

Today’s news, however, makes me question even using the service at all. I have closed some of my non-essential accounts and am debating stopping use of the service altogether. Because of my job I have access to people much smarter than I, including some in law enforcement. A police forensic investigator let my department know that out of all the cloud solutions out there, iCloud is currently the only one he would use, because they WILL NOT give up user data to anyone, while literally all others will.

It scares me how quickly the companies we trust with our information are willing to fold on us. The question that leaves us with is: is it even worth using cloud storage services at all? Let’s take a look at some of the basics of what it really means. With cloud-based storage solutions you are trusting your data to a third party, and in many cases their terms grant them broad rights over that data (read the End User License Agreement). This means that if you use it for work, any work-related documents or information just left your company’s control, which could be grounds for termination at many companies. If you use it for personal purposes, even if you delete the files in your account, they may still hold copies of those files and be able to read and use them as they see fit. I know many of the cloud providers state they will not use your data, but they still have the ability to.

Your connection information can often be found in your account as well, and if the account is compromised, your computer names, your IP addresses, and the types of devices you use can all be of benefit to hackers and blackhats.

Many companies have policies against using Dropbox and other cloud services for security reasons, and that is of interest to me. There are a lot of times that companies overreact to technology, but this is not a rare policy, and once you read some of the license agreements you will understand why. I have no trust in third-party services; I use them, but cautiously. My important data stays with me at all times, no exceptions.

I guess what I’m really trying to say with this post is be careful who and what you trust.

I love #infosec, but hate Skiddies

I love the information security world. I love the free flow of information, and the hard work of great people smarter and more amazing than I who fight every day for your privacy. I’m a hacker; I love tricking you into giving up your privacy, or working on breaking things.

One of the main problems I’ve seen in the current fighting on the interwebs is that many new hackers try to fight for fame, or their 15 minutes, by releasing some database dump. These “hackers” generally use cookie-cutter attacks that they copied off some forum or blog. We “affectionately” call them script kiddies (skiddies) because they have no idea how the attacks they are using work, or WHY, but simply try everything they can find and hope that SOMETHING sticks. This presents a few problems that I would like to outline.

Collateral Damage:
When a company is compromised and the entire database is leaked publicly for the “lulz”, you’re not really hurting the company. You hurt all the users, most of whom have no way to know that an attack happened or that their account information just got leaked. Compounding that, many of those users reuse the same email/password or username/password combinations on multiple sites to make things easy, so the leak now impacts customers and companies well beyond the one you were targeting. Many who hack under the banner of Anonymous claim they are targeting companies and governments for corruption and that they are trying to help the users, but by releasing the data in the manner that has happened most often lately, they do the opposite.
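The Dropbox incident in the cloud post above and the password-reuse problem just described are the same failure seen from two sides: a dump leaked from site A is replayed as logins against site B. The example below, which is added here and is not code from the original blog, shows what the receiving site can do about it. Given a third-party leak of plaintext email/password pairs, it verifies each leaked password against its own salted PBKDF2 records and returns the accounts that would fall to credential stuffing, so they can be forced through a reset before an attacker tries them. The user table, the leak and the round count are all constructed for illustration; the only real-world assumption is that you store passwords as salted, iterated hashes, which is what makes this check possible without ever holding your users’ plaintext.

```python
"""Checking your own user base against a third-party credential leak.

Added example, not code from the original post. Models the Dropbox case
(an email/password list leaked elsewhere being replayed against another
service) and the password-reuse problem described above. All data below is
constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumption; tune to your hardware and threat model


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); a fresh salt per user
    means identical passwords on *our* site still produce different digests."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time, so timing
    does not leak which leaked passwords were near-misses."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def find_reused_credentials(leak: List[Tuple[str, str]],
                            users: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Return the emails whose leaked plaintext password also unlocks our account.

    These are exactly the accounts a credential-stuffing attacker gets into
    first, so they should be forced through a password reset and have active
    sessions revoked. Emails are normalised to lower case before lookup.
    """
    hits = []
    for email, leaked_pw in leak:
        key = email.strip().lower()
        record = users.get(key)
        if record is not None and verify_password(leaked_pw, *record):
            hits.append(key)
    return hits


# Constructed user table: email -> (salt, digest) of the password chosen on our site.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": hash_password("correct horse battery staple"),
    "bob@example.com": hash_password("hunter2"),
    "carol@example.com": hash_password("dolphins-2012!"),
}

# Constructed third-party dump: same emails, the password each used on the breached site.
LEAK: List[Tuple[str, str]] = [
    ("Alice@example.com", "correct horse battery staple"),  # reused here -> at risk
    ("bob@example.com", "hunter2"),                          # reused here -> at risk
    ("carol@example.com", "carol-at-other-site"),            # different password -> safe
    ("dave@example.com", "not-our-user"),                    # no account with us
]

if __name__ == "__main__":
    for email in find_reused_credentials(LEAK, USERS):
        print(f"force reset + revoke sessions: {email}")
```

Note what this does not do: it never stores or logs the leaked plaintext, and a non-match tells you nothing about the user’s real password. The same routine run against an incoming login stream (rather than a static dump) is the basis of most credential-stuffing defences.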

Trust, or the Lack of:
Our industry is an industry of secrets. A secret is the most important and powerful weapon you can wield, and when you scream from the rooftops that you have no ability to keep a secret, you will not gain the trust of ANYONE, and you stand a great chance of losing any trust you have managed to acquire in a field where trust is everything.

Placing Bullseye on your back:
The last drawback I’ll cover regarding public release of data is that you instantly place a target on your back. The government really seems to be working hard lately on busting hackers, so when you announce “HEY, LOOK OVER HERE, I’M DOING ILLEGAL THINGS”, all it does is get you in trouble.

I enjoy hacking as much as anyone else; I just worry that all the negative attention that’s coming from skiddies is going to undo much of the hard work to bring hacking to the front lines as a legitimate industry.

Getting into InfoSec, Staying out of trouble

When people find out what I do for a hobby, I get very mixed reactions. Some people hear “hacking” and think I’m an evil person trying to steal their identity, credit card or any number of things for personal gain, yet others approach with a more “ZOMG THATS KEWL!!!!!!!!ONE!!!!” attitude. I’d have to say both reactions tend to get annoying, which has caused me to stop openly talking about InfoSec unless I know the person I’m talking to shares my interest.

On my blog, I couldn’t care less if you agree with me or not... it’s my blog; you don’t like it? Leave. Makes no difference to me. However, what DOES bother me is that 99% of people out there still don’t seem to view InfoSec/hacking as a needed function in business, and in life.

One obstacle that faces anyone trying to break into the security world is getting hands-on knowledge without breaking the law and putting a quick end to your hobby by ending up in jail. I’ve also heard that people can’t set up a lab because they don’t have money for multiple computers, or can’t risk breaking a desktop with a bad exploit. While I understand that, you ARE going to have to take some risks. These risks can be minimized by using a virtualized lab; I personally use VirtualBox and run whatever test hosts I would like. I even have a virtual copy of my real server so I can test the impact of patches/hacks on the virtual copy without causing downtime to the server itself.

VirtualBox gives you a lot of leverage to test things, though you will need to supply your own licenses for Windows (Microsoft does offer 90-day demo versions of some of their products online). With a virtual host you can then test any number of tools, commands and client-side attacks, and play to your heart’s content, because it’s YOUR system. How can it be wrong to break your own passwords, or steal your own Facebook session? It’s NOT. But just because you’re on a virtual machine DOESN’T mean it’s okay to hack into a website or service you don’t own or have explicit permission for. It’s one thing to steal a session ID from your own host; it’s another to brute-force against Facebook.com... they would likely press charges, even for you hacking only your own account, because your attack would put their other customers at risk of breach.

Pay attention to the law of unintended consequences: just because you didn’t MEAN to do something doesn’t make it “okay”. I was once mentoring a kid who came to me saying “I’m trying to brute-force Telnet on this IP, but I can’t get in”. Instead of simply offering help, I first looked at the target (which happened to be a BANK), then told the kid to make sure he actually does recon on his targets before he tries to randomly attack some host he found with an nmap scan. This is why I suggest working inside a lab environment: you know your hosts, you have control of the boxes, and it’s up to you. If you start looking to the internet for targets, you WILL put a bullseye on your own forehead.

What should you do if you accidentally breach something you didn’t intend to? Well... LEAKING it is a horrible idea. That’s one thing that has shocked me about the Anonymous community at large (and all the little sub-factions). While some have honest intentions, the methods are wrong and leave collateral damage everywhere. If you get tracked down and someone asks you if you did something, be forthcoming and offer to help fix the problem, or at least offer to SHOW them how you breached their security.

When I find a problem on my corporate wireless network, I bring it straight to the networking and security teams and work with them to show them the problems and scope. In turn, they ask me to find everything I can, because they don’t have the staff to spend 24/7 hunting for bugs or exploits on the corporate network while they are putting out fires from users downloading viruses and trying to secure the intellectual property.

Use encryption, and employ good passwords. Yes, I said passwords, pluralized. It is not enough to have a single strong password that you use for all your accounts. This is a topic for another time, but it ties into staying out of trouble by making sure that any data you DO have is encrypted and not readable by anyone who might breach you.

I would suggest picking your friends wisely and not making enemies. Not everyone in this business has your best interests at heart, and if you are really interested in InfoSec, you should practice the greatest trade secret (keeping secrets, starting with your own identity and personal information). Don’t go around screaming your name; don’t draw attention to yourself. And for heaven’s sake... if someone DOES help you, thank them. If they tell you confidential secrets... don’t open your mouth. This community is tight-knit, and if you are found to be untrustworthy, word will spread within minutes and you will get no help from anyone again.

So, the overall moral of the story: set up a lab (virtual machines, or physical if you have the resources), make friends not enemies, and lastly, for the love of god, keep your head out of your ass!