My View on this NSA thing

I have tried to keep my blog as non-political as possible, but with the news that has recently come to light regarding the NSA, with both Verizon call data and the PRISM program that snarfs up all our internet communications, I find myself very hard pressed to ignore the issue. I will do my best to simply represent my objections to the issue, without getting too political.

Basically, the stories that have come to light indicate that the government, with the consent and direction of the Obama administration (and Bush previously), has been issuing secret programs and warrants to collect all of your communication data. With Verizon Wireless, it appears that they are using the call metadata: not your actual call contents, but rather your phone number, call time, call length, who you called, and other details, but no name. They are getting that information from all Verizon customers, and putting it through data-mining to find out who might need to be “watched” more closely.

This presents a very large concern to me. As someone who values both freedom and privacy, this action bothers me to my core. The government isn’t waiting until they suspect someone of actually communicating with terrorists before looking into their activities; they are looking at everyone, looking for possible bad guys. The problem with the latter is that even if you have done NOTHING wrong, you’re being watched. The government is just WAITING for you to screw up, so they can get more information on you.

It doesn’t just end there, however. The NSA is also using a program called PRISM to gobble up all of the internet communications and activities of all Americans online. They are claiming they have agreements with major companies who give them this data. They named Microsoft, Google, Apple, Facebook and many, many more. (Some of the companies are denying any knowledge of such a program, or saying that they do not simply give information to the government or law enforcement, which is completely beside the point.) The information they are gathering consists of email information, VOIP call data, chat history, web habits (like what sites you visit or “like” or “favorite”), and shopping information. Essentially they are getting access to all you do, and can study it.

It is important to remember that in the pursuit to fight “terror” we have systematically given up so many of our civil liberties and freedoms for the false promise of “safety” that it simply proves what Benjamin Franklin said: “Those who would trade liberty for security deserve neither”. This is exactly true. We as a country cannot allow this level of intrusion into our personal lives to continue.

There are important ways to fight this; the most important is voting. Our government is failing us as citizens, and we’re sitting by watching it happen. WAKE THE FUCK UP! It is important to hold EVERY elected official accountable for their actions (how they vote on anything) by literally tossing them out of office. Yes, I said FIRE THEM! Enough with this “we’re just protecting you” bullshit, and GET OFF MY LAWN!

Always, ALWAYS be mindful of what you share online.

With your privacy under attack by so many organizations and governments, it is important to remember that anything you share can come back to haunt you. Facebook recently changed its privacy policies to include a statement that anything you post (be it pictures, posts, stories, poems, status updates, etc.) is owned by Facebook, and can be used as they please because all users are capital entities.

I also just read about an iPhone/iPad app called “Snapchat” that purports to automatically delete pictures a maximum of 10 seconds after they are received. This is done in an effort to protect teens from “accidentally” sharing photos of themselves that could cause trouble for them (think the Amanda Todd incident). However, there is nothing stopping anyone from taking a screenshot of the picture, or even using a few other ways of capturing the content before it is auto-deleted.

It is important to stay educated when sharing anything online, as once it has been released in a digital format, there will ALWAYS be a trace of it somewhere on the internet. The only way to truly protect your pictures, or information is to keep it off the web to begin with.

If you are worried about maintaining your copyright for your works that you post online, make sure you carefully read ALL the privacy and content notices under the end user license agreements for any company or website that you use. In a best case scenario you would be using your own private server, and private storage that would allow you to maintain ownership of all your intellectual property.

Privacy and intellectual property are huge concerns in today’s world. Governments and companies will seek to profit and use your information for their gain, and most times with little concern for how it impacts you.

Facebook: If you don’t use it, why have it?

Today at work I was lucky enough to attend an InfoSec session, and the speaker was very knowledgeable. The target audience was a less tech-savvy crowd, and it mainly focused on teaching the basics of how to avoid the “human” factor in getting taken advantage of on-line.

One of the things that came up is something I’ve been thinking about for quite some time, regarding social media sites and the myriad accounts that most people have. Technology is a great thing, and the access to information we have today is simply amazing, but with all the access, all the smart phones, all the computers, and websites, you have also increased your on-line footprint, and made yourself a much larger target for ID theft, scamming, or any other possible attack.

Some of the points I’ve touched on before:
1. Don’t use public wireless networks
2. On your phone, disable Wi-Fi. Use the 3G/4G data, because most phones just connect to an open wireless network without warning
3. Be careful what you put on your public facing profiles
4. Don’t simply click links in emails, open your browser and MANUALLY go to the site.

But the final point that finally sank home with me was regarding Facebook and other sites like LinkedIn. Most people use those sites to connect with “trusted friends”, but don’t stop to think who else can access that information. With the recent hack of LinkedIn, millions of users’ user names, passwords, emails, etc. were leaked to the public simply because someone got bored and wanted some excitement (it will be plenty exciting for them in prison, but that’s another story). But just think for a second, how likely is it that many of the users that were compromised don’t log in and use the service? Now their account is compromised along with all the personal information therein, and they will never know. It begs the question:

If you aren’t going to use a service, why have an account at all?

The simple answer is “Don’t.” Why leave personal information out there? By default most sites will only “deactivate” your account, and will still retain all your data. You will need to hunt for the permanent delete option, but it’s there; sites are required to have it, just not required to make it easy.

So today, I finally did what I’ve wrestled with for some time, and DELETED all the accounts I never use. There is no need for extra accounts, if someone wants to reach you, they likely already know how.

Just some more food for thought.

Virus Removal Tool

Doing phone-based remote tech support all day, one of the things I run across often is a user who has gotten a virus. In a corporate environment it’s important to watch the EULA on free programs, because you could get your company into a heap of trouble. There are tools we are not able to use anymore due to changes in the EULA (yes, I mean you, MalwareBytes). While I still like MalwareBytes, in the search for a new tool to provide quick anti-virus support for those nasty little critters that get through our corporate solution (no anti-virus is a one-stop shop, no matter how good they claim to be), we stumbled across ComboFix.

The main problem with ComboFix is that there is only one place we know of that is safe to get it from. Because it works so well, hackers try to spoof it, or distribute fake versions of it. Walking a user through going to the site and then to the ComboFix download section can be difficult at times, so I wrote a script to automatically download ComboFix to your desktop.

ComboFix doesn’t have a built-in update feature, so I made my script with that in mind: it will delete the older copy from your desktop, then download the new one and tell you when it’s done.

ComboFix works kind of like a “Fire and Forget” missile for viruses and malware: once you run it, it takes off and doesn’t stop until it’s done. Once it’s done, you reboot, and IF your virus is fixable, it’s gone.

The site we get ComboFix from is bleeping computer<dot>com and the link is here

If anyone wants a copy of my AutoIt script, let me know.

Tech Support Hell

Today I woke up in a place I call “Tech Support Hell”. The following post will be a rant, if you don’t want to hear me complain about a user.. don’t read the post.

For my job I do full-spectrum tech support: easy questions, hard questions, it doesn’t matter. My team does it all. We also configure and test machines for deployment, and those requests are supposed to come in advance of a user starting under our support, to ensure we have appropriate time to prepare a laptop for them. Today we had the department admins (not the technology admins) submit 3 new hire requests for people starting on Monday. It’s not unmanageable, just unfriendly.

I have to configure the Domain accounts, and Machines, plus get them ready to mail out all by close of business today (hence the reason they normally come a few weeks in advance). But I’m taking my task in stride and still hammering out tech support phone calls like a champ, when I get a call that pushed me over the edge.

*phone rings*
Me: “Hello, this is tech support, how can I help you”
Customer: “My toolbar is missing, I need it back”
Me: “What toolbar? What program are you using?”
Customer: “I dunno, I think it’s ‘Microsoft’.”
Me: “No, ma’am like what software are you using? Microsoft Word? Excel? IE?”
Customer: “Right now I’m using <Web app>, but I can use whatever you want me to, I just need my toolbar”
Me: “Okay, So you’re in Internet Explorer, which Toolbar is missing?”
Customer: “THE TOOLBAR.. ”

So I remotely connected to the customer’s computer and it turned out she didn’t have her “Menu Bar” enabled but I never thought I would hear a conversation that dumb. Isn’t this supposed to be the technology age? Isn’t everyone supposed to know how to save a file or open a website? At least I know, if you’ve navigated to this blog post, you know how to work a browser.

Sorry, I just had to rant about this.

Curiosity can be your friend

When it comes to hacking and network security, most holes are found by accident. It’s important to proactively scan your network for problems so that you are not caught by surprise later. With computer and network security you have to make sure you have permission to do the scanning, or you could find yourself in a world of hurt. It is illegal to access data that is not yours and that you don’t have permission to access. I’m writing this post for personal networking purposes, so that you can protect your own networks, not so that you can do harm to another person.

At work, I’m not on the LAN team, nor am I ‘officially’ part of the network security team, but I have permission from both teams to help test our public wireless network since they know I enjoy hacking and network security. They are short-staffed and do not have the manpower or time to manage every aspect of such a large wireless network, 100% of the time. I have personally found a few other security holes on our wireless network, and helped to secure it because I have found banking data, and other account information floating around for anyone to see, and now those things are closed and secured again the way they should be.

Today I found a problem that caused me to alert the LAN team immediately, without even taking the time to get multiple tests and extra proof; since they know I know what I’m talking about, having proof of concept is enough for them to take me seriously. Today I was using rediscover (which I’ve posted about before) and found a few MAC addresses that were from non-standard manufacturers (at least by our company standard). Since it was a manufacturer I don’t normally see, it drew my curiosity and I decided to nmap the host. I found normal ports running, like Windows file sharing (SMB) and Remote Desktop, but nmap was also able to give me the user ID and operating system.

The first point of alarm is that all peer communication is supposed to be turned off on our public network, and I should not even be able to tell a host is live, let alone see what services are running. To make sure I was seeing a true report of services, I fired up my RDP client, and was presented with a Windows login screen. Since this is a security issue in itself, I did a user lookup, and went to the internal IT group who supports this user. My friend who supports him noticed that he was using a hard-wired connection to the LAN, which means that he was connected both to the corporate LAN (with all the sensitive data) AND the wide open wireless network, so if an attacker was able to compromise this user’s machine, they would have access to a treasure trove of intellectual property.

The moral of the story is this: constantly check your network for its security, and ONLY use one connection at a time. If you are using a wired connection, disable your wireless, because otherwise you open your LAN to attack, and if you are using wireless, don’t plug into a LAN.
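One way to look for the dual-connected machine described above, as an added example that is not the author's code: cross-reference DHCP leases from the wired and wireless scopes by hostname and flag lease windows that overlap. The scope names, record layout and sample leases are constructed assumptions, and an overlap only marks a candidate to follow up on, since a lease can outlive the connection.

```python
from datetime import datetime
from itertools import product

TRUSTED = {"corp-lan"}      # wired corporate DHCP scope (assumed name)
UNTRUSTED = {"guest-wifi"}  # open wireless DHCP scope (assumed name)

# Constructed sample leases: (scope, hostname, mac, ip, lease_start, lease_end)
LEASES = [
    ("corp-lan", "WS-ALPHA.corp.example", "02:00:00:aa:bb:01", "10.20.4.17",
     "2012-06-01 08:02", "2012-06-01 16:02"),
    ("guest-wifi", "ws-alpha", "02:00:00:cc:dd:01", "192.168.50.23",
     "2012-06-01 09:15", "2012-06-01 13:15"),
    # Wired in the morning, wireless in the afternoon: no overlap, not flagged.
    ("corp-lan", "WS-BRAVO.corp.example", "02:00:00:aa:bb:02", "10.20.4.18",
     "2012-06-01 08:00", "2012-06-01 12:00"),
    ("guest-wifi", "ws-bravo", "02:00:00:cc:dd:02", "192.168.50.24",
     "2012-06-01 13:30", "2012-06-01 17:30"),
    ("guest-wifi", "visitor-phone", "02:00:00:cc:dd:03", "192.168.50.25",
     "2012-06-01 10:00", "2012-06-01 14:00"),
]

def _host_key(name):
    """Wired and wireless NICs have different MACs, so match on short hostname."""
    return name.split(".")[0].lower()

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def find_dual_homed(leases, trusted=TRUSTED, untrusted=UNTRUSTED):
    """Return hosts holding a trusted and an untrusted lease at the same time."""
    by_host = {}
    for scope, host, mac, ip, start, end in leases:
        side = "wired" if scope in trusted else "wireless" if scope in untrusted else None
        if side is None:
            continue  # a scope we are not comparing
        sides = by_host.setdefault(_host_key(host), {"wired": [], "wireless": []})
        sides[side].append((ip, mac, _ts(start), _ts(end)))
    findings = []
    for host, sides in sorted(by_host.items()):
        for wired, wifi in product(sides["wired"], sides["wireless"]):
            begin, finish = max(wired[2], wifi[2]), min(wired[3], wifi[3])
            if begin < finish:  # lease windows overlap: candidate dual-homed host
                findings.append({
                    "host": host,
                    "wired_ip": wired[0],
                    "wireless_ip": wifi[0],
                    "overlap_minutes": int((finish - begin).total_seconds() // 60),
                })
    return findings

if __name__ == "__main__":
    for hit in find_dual_homed(LEASES):
        print(hit)
```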

I’m a ninja, whacha gonna do about it?!

When it comes to hacking, I find myself in a place that many others do. I don’t have a vast pool of magical wealth with which to build a security weapon of mass destruction. I find that the only people with the money to spend on building the BEST hacking machines are one of two people. The first is a Whitehat hacker who is backed by a large pen-testing company; the company will fund the hacker’s machine to the best of their ability because the better he can do on a PenTest, the more profit they will make. This I understand, but being that I am not a Blackhat and I hack as part of my job, it causes a bit of envy of people who can afford the “right” tool for the job.

The other type of person that can devote massive amounts of money to a hacking computer would be a high school student or early college student (that hasn’t yet come to terms with his massive debt) who has all the free time in the world to learn to do something fun for a while. I have seen many of these computers go to waste, because the person THOUGHT they wanted to learn hacking, but when they learned it was nothing like the movies, and it’s actually quite a bit of work, they gave up, and that computer became a gaming computer.

In the title I state that I am a Ninja, and this is why I think MOST hackers today, could fit better into this bucket. Back in Japan, when the ninja was used as a spy of the day, they were poor people, farmers or average people who HID their identity for fear of being discovered. They also didn’t have money for amazing swords, or armor like the Samurai did, they had to fashion their weapons and armor out of things they could find, and would need to know how to use ANYTHING they found as a means of defending themselves, or attacking the enemy. Sticks, brooms, rakes, chains, kitchen knives, towels, anything you can imagine has a use in attack or defense if needed.

I think we hackers today are doing this more often than we would stop to notice. We “make do” with the tools we have, we mold other devices into new tools, and push hardware to do things that were never even imagined when it was built. Ninjas also were not good, they were not bad. They had a job to do, and if they didn’t, MANY people would die. A ninja’s main goal was to NOT get caught, so I don’t think some of the big names in the scene are acting as ninjas.

The scene has become some kind of “Status Club” even among groups like Anonymous, or any of the groups dumping/bragging about their exploits and hacks. When will people see that all that does is draw attention square on yourself? Go ahead, keep claiming your victims publicly, keep bragging about how 1337 you are; as long as focus is on you, it’s not on anyone else who might actually be trying to do some good.

Sorry.. I got side tracked, but had to get that off my chest.

Also, not ALL people who fall into my description of a ninja are ninjas. I didn’t mention that on top of not getting caught, most times ninjas were not allowed to kill unless absolutely necessary for the completion of the mission; they were to AVOID conflict at ALL costs, so that the information they collected could be used at a later time by the ENTIRE armed force.

This translates well to the hacking culture also. So many people are running around “killing” anyone that’s in front of them, but what is the end goal? Did you ACCOMPLISH anything? What’s worse is you could have COMPROMISED everything a group has been working on, because you started making too much noise.

The secret in our field is SECRETS, trust, and yes, HONOR.

If you aren’t going to help, get out of the way.