Password 101: how to suck at security

Password 101: how to suck at security.

(Totally not a satire post…. Totally…)

1. Always Use a simple password.
2. Always write it down.
3. Always Use the same password for everything.
4. Never change your password. Continue reading

Advertisements

Privacy, is it dead?

So, it’s been a couple of weeks since the NSA “PRISM” was leaked. Outrage followed, but seems to have died down. Which got me thinking, most people I know are their own worst enemies when it comes to their own privacy and important information.

How many of you have Facebook? Most people do. Now, let me be clear, I don’t use Facebook and haven’t for a long time, but my wife does.

Everyone has started to post play by play updates so EVERYONE can know what they are doing. The problem is then, how can you get mad the government collected the data? You posted it in the internet equivalent of screaming in the downtown square, then getting mad someone wrote down what you yelled.

Don’t get me wrong, what the NSA is doing, is wrong; however most people are not taking even the slightest steps to guard their privacy. This makes it very hard moving forward, because it gives us another “lesser of two evils” scenario: Do we give up, and let the government monitor everything we do? Or do we punish those who even stumble on publicly published information that is sensitive in nature for “hacking”

What I think really needs to happen is that people need to start taking privacy seriously. I can’t count how often I have gotten after my family for posting information that could be used against them, and without fail, they ALWAYS seem surprised that what they posted wasn’t private.

Read the end user license agreements for all of the software, and websites you use, they always list what they do with information that travels through their services. Is unfair to get mad at companies and government for spying when you click “I accept” without reading the terms of service.

For this problem to change, it’s going to take a shift in our mentality, not just more useless legislation to supposedly limit the government, even though they already ignore the laws currently on the books, how is another law going to fix things?

Simple solution: Stop being stupid!

My View on this NSA thing

I have tried to keep my blog as non-political as possible, but with the news that has recently come to light regarding the NSA with both Verizon call data, and the PRISM program that snarfs up all our internet communications; I find myself very hard pressed to ignore the issue, but I will do my best to simply represent my objections to the issue, without getting too political.

Basically, the stories that have come to light indicate that the government, with the consent and direction of the Obama administration (and Bush previously) have been issuing secret programs and warrants to collect all of your communication data. With Verizon wireless, it appears that they are using the call metadata, not your actual call contents but rather your phone number, call time, call length, who you called, and other details but no name. They are getting that information from all Verizon customers, and put it through data-mining to find out who might need to be “watched” more closely.

This presents a very large concern to me. As someone who values both freedom, and privacy, this action bothers me to my core. The government isn’t waiting till they suspect someone of actually communicating with terrorists before looking into their activities; they are looking at everyone, looking for possible bad guys. the problem with the later, is that even if you have done NOTHING wrong, you’re being watched. The government is just WAITING for you to screw up, so they can get more information on you.

It doesn’t just end there however. The NSA is also using a program called PRISM to gobble up all of the internet communications and activities of all Americans online. They are claiming they have agreements with major companies who give them this data. They named, Microsoft, Google, Apple, Facebook and many many more (Some of the companies are denying any knowledge of such a program, or that they do not simply give information to the government or law enforcement, which is completely beside the point) The information they are gathering, consists of email information, VOIP call data, chat history, web habits (like what sites you visit or “like” or “favorite”), shopping information. Essentially they are getting access to all you do, and can study it.

It is important to remember, that in the pursuit to fight “terror” we have systematically given up so many of our civil liberties and freedom for the false promise of “safety” that it simply proves, that which Benjamin Franklin said “Those who would trade liberty for security deserve neither”. This is exactly true. We as a country cannot allow this level of intrusion into our personal lives to continue.

There are important way to fight this, most importantly is voting. Our government is failing us as citizens, and we’re sitting by watching it happen. WAKE THE FUCK UP! it is important to hold EVERY elected official accountable for their actions (how they vote on anything) by literally tossing them out of office. Yes, I said FIRE THEM! Enough with this “we’re just protecting you” bullshit, and GET OFF MY LAWN!

Encryption and android, putting on your digital armor.

How much personal information do you keep on your mobile device? Your phone, or tablet, the devices that follow you everywhere you go, chances are you probably keep a whole lot more than you think you do.

If you lost your phone, I bet it likely you’d feel naked, exposed and vulnerable. All your contacts, search history, GPS history, email, and a wealth of personal and private information would be available to anyone who happened to come across it. Most people only use the slide to unlock that leaves all your data open for any person with nefarious, dastardly intentions to steal or use against you.

Tonight I’m going to discuss one option that android offers to help protect you from just that scenario. Since the release of Honeycomb, it has been possible to fully encrypt your device. Once you choose to encrypt your device, you cannot undo it without a factory reset, meaning to remove the encryption, you will have to destroy all the data on your mobile device, so please, proceed with caution.

If like to take a moment to discuss encryption, and what it actually does, because many people are lead to a false sense of security thinking since their device is encrypted that their data is completely protected, and unreadable to anyone else. This is a false statement, and there is no such thing as a security silver bullet. There will ALWAYS be a way around your security, but leaving your door open just screams “rob me blind, I don’t even shut my door”. Digital security is often the same. If you leave your phone laying unattended with no protection, even a person who means no harm might be tempted to look at its contents.

An encrypted phone or tablet, will lock your data with a PIN or password. Without the password, the data on the device looks like garbage. It looks like garbage that is, when it’s locked. While you’re using it, your data is readable. So if you leave a delay timer to prevent the phone from locking, you are leaving the door open for a small amount of time.

I suggest setting the power button to automatically lock, and also to avoid any delay in screen lock after the screen powers off. This will help to ensure that while you are not using your device, nobody else is either.

If encryption sounds like something you are interested in, I will be more than happy to wall you through the setup.

Before you can start full device encryption you will need to take the following steps:
1) set either a PIN or password in the “security” section of the settings menu
2) plug in the device

image

Once you have taken the previous two steps, click on the “encryption” section and click the button to start the encryption process. The encryption took almost a full hour on my nexus 7, so I would expect at least that, unless you only have a very small amount of internal storage.

Once you have encrypted your device, you will need your PIN or password for the following situations; powering on, rebooting, or waking the device from sleep, booting into recovery. To be honest, you will type it so often, it becomes second nature to you.

I encrypted my tablet a few weeks ago, and I have not noticed any performance difference, or had any negative experiences due to the device being encrypted. You can still use lock screen widgets, I use my tablet for alarms, and you don’t need to type a password to silence or shut off the alarm, only to gain access to the device.

image

As usual, if you have questions or comments feel free to contact me on Twitter (@DarkLordZim) or via email (DarkLordZim@gmail.com)

Wireless hacking on android

With the power of the tablets coming out now, and the open platform that Linux provides, there is a great opportunity for hacking from an easily hidden, Trojan style device with lots of power to allow us to do many different wireless attacks.

Possible attacks:
1. ARP spoofing
2. Ssl stripping
3. Session hijacking
4. Vuln scanning
5. Port and service scams

These are just a few features available in a tool called

Dsploit

. Using the application you can select all kinds of attack vectors, you can capture packets in a pcap dump for reading in Whitehall later.

It works well in a small networks and labs, but my next task is to blow up a public network and see what I’m able to find. If the located information is enough, I will approach face to face with data, and options on how to fix their problems.

Other WiFi tools in my toolbox include, droidsheep, ding (network scanner), connectbot, and sshdroid.

I will be writing a follow up on how to use the tools, and talk about the other tools.

Always, ALWAYS be mindful of what you share online.

With your privacy under attack by so many organizations, and governments; it is important to remember that anything you share can come back to haunt you. Facebook recently changed its privacy policies to include a statement that anything you post (be it pictures, posts, stories, poems, status updates, etc…) is owned by Facebook, and can be used as they please because all users are capital entities.

I also just read about an iPhone/iPad app called “snapchat” that purports to automatically delete pictures sent after a max of 10 seconds since it was received. This is done in an effort to protect teens from “accidently” sharing photos of themselves that could cause trouble for them (think the Amanda Todd incident) however, there is nothing stopping anyone from taking a screenshot of the picture or even doing a few other ways of capturing the content before it is auto deleted.

It is important to stay educated when sharing anything online, as once it has been released in a digital format, there will ALWAYS be a trace of it somewhere on the internet. The only way to truly protect your pictures, or information is to keep it off the web to begin with.

If you are worried about maintaining your copyright for your works that you post online, make sure you carefully read ALL the privacy and content notices under the end user license agreements for any company or website that you use. In a best case scenario you would be using your own private server, and private storage that would allow you to maintain ownership of all your intellectual property.

Privacy and intellectual property is a huge concern in today’s world. Governments, and companies will seek to profit and use your information for their gain, and most times with little concern for how it impacts you.

Getting into InfoSec, Staying out of trouble

When people find out what I do for a hobby, I get very mixed reactions. Some people hear “Hacking” and think I’m an evil person trying to steal their Identity, Credit Card or any number of things for personal gain, and yet other’s approach with a more “ZOMG THATS KEWL!!!!!!!!ONE!!!!”. I’d like to say both reactions tend to get annoying, which has caused me to stop openly talking about InfoSec unless I know the person I’m talking to shares interest with me.

On my blog, I could care less if you agree with me or not… its my blog, you don’t like it? Leave. Makes no difference to me. However, what DOES bother me, is that it seems that 99% of people out there still don’t view InfoSec/Hacking as a needed function in business, and life.

One obsticle that faces anyone trying to break into the Security world is getting hands on knowledge, without breaking the law and putting a quick end to your hobby by ending up in jail. I’ve also heard that people cant set up a lab because they don’t have money for multiple computers, or cant risk breaking a desktop with a bad exploit. While I understand that, you ARE going to have to take some risks. These risks can be minimized by using a Virtualized Lab solution, I personally use VirtualBox and run any of the test hosts I would like. I even have a Virtual copy of my Real server so I can test the impact of Patches/Hacks on the virtual copy without causing downtime to the server itself.

VirtualBox gives you a lot of leverage to test things, while you will need to supply your own licenses for Windows (Microsoft does offer 90day demo versions of some of their products online). With a virtual host, you can then test any number of tools, commands, client side attacks, play to your hearts content because its YOUR system, how can it be wrong to break your own passwords, or steal your own facebook session? Its NOT. But just because you’re on a Virtual machine, DOESN”T mean it’s okay to hack into a website, or service you don’t own or have explicit permission from. Its one thing to steal a session ID from your Host, its another to brute-force against Facebook.com … they would likely press charges, even for you hacking only your own account, because your attack would put their other customers at risk of breach.

Pay attention to the Law of unintended consequences, Just because you didn’t MEAN to do something, doesn’t make it “okay”. I once was mentoring a kid, who came to me saying “I’m trying to brute force TELNET on this IP, but I can’t get in”. Instead of just simply offering help, I first looked at the target (which happened to be a BANK), then told the kid to make sure he actually does recon on his targets before he tries to randomly attack some host he found with an nmap scan. This is why I suggest working inside a Lab environment, you know your hosts, you have control of the boxes and its up to you. If you start looking to the internet for targets, you WILL put a bullseye on your own forehead.

What should you do if you accidently breach something you didn’t intend? Well… LEAKING it is a horrible idea. That’s one thing that has shocked me about the Anonymous community at large (and all the little sub factions). While some have honest intentions, the methods are wrong, and leave collateral damage everywhere. If you get tracked, and someone asks you if you did something, be forthcoming and offer to help fix the problem, or at least offer to SHOW them how you breached their security.

When I find a problem on my corporate wireless network, I bring it straight to the networking, and security teams, and work with them to show them the problems and scope. In turn, they ask me to find everything i can, because they don’t have the staff to spend 24/7 hunting for bugs or exploits on the corporate network while they are putting out fires from users downloading viruses and trying to secure the Intellectual Property.

Use encryption, and employ good passwords. Yes, I said passwords, pluralized. It is not enough to have a single strong password that you use for all your accounts. This is a topic for another time, but ties into staying out of trouble by making sure that any of the data you DO have is encrypted, and not readable to anyone who might breach you.

I would suggest picking your friends wisely and not making enemies. Not everyone in this business has your best interests in heart, and if you are really interested in InfoSec, you should practice the greatest trade secret (Keeping Secrets, starting with your own identity or personal information) Don’t go around screaming your name, don’t draw attention to yourself. and for heaven’s sake… if someone DOES help you, thank them. If they tell you confidential secrets…. don’t open your mouth. This community is tight knit and if you are found to be untrustworthy, word will spread within minutes and you will get no help from anyone again.

so the overall moral of the story. Set up a Lab (Virtual machines, or physical if you have the resources), make friends not enemies, and lastly, for the love of god, Keep your head out of your ass!