Category Archives: Security Roots

Posts about Security Roots, press, events and announcements.

w00t and pillage – Captain’s bLog: day 7

This week I have been learning about man-in-the-middle attacks.  This section of my course started out with learning more about network discovery, including my first hands-on experience with Nmap as an actual user.  First impressions of Nmap: it’s amazing how much data you can gather so simply.  Just discovering which devices are visible and which ports are open is very powerful information.  And then we get into the possibilities for exploiting that information!

Noodling around with MITMF is a lot of fun.  With just a few short commands and plugins, I could do cool tricks in no time:

  • ARP spoofing for my Kali VM to become the MITM
  • DNS spoofing – I get to decide which pages the victim’s browser gets sent to
  • Screenshotting – I see what the victim sees
  • Keylogging – obfuscated password field? Not to me!
  • Javascript and HTML injection – here, have some popups

Two things really strike me here. First, once again I’m astounded by how little is done for security, or at least security-consciousness. The above tricks were tested out using the MITM to turn HTTPS pages into HTTP. Of course that’s a huge security issue, but the user-facing warnings in the browsers – particularly to people not in IT and not interested in computers, like my parents for example – are easy to ignore. How likely are they to spot the missing padlock icon, and how likely are they to even understand Firefox’s warning that the password field they are seeing is not secure?

Second, I’m always amazed by how powerful and excellent free open-source software can be. MITMF, and indeed Linux (and Kali as a subset), are all free and anyone can modify them, yet a simple video guide showing a few simple canned commands allows anyone to potentially access very sensitive data.

I think there will always be a game of cat-and-mouse, with major developers trying to construct more secure software and communication, and the open-source world finding the vulnerabilities and exploits.  State actors will continue to try to exploit infosec vulnerabilities for snooping, and the open-source world will find ways to protect their data, for those with the will and know-how to do so.  I used to play with VPN setups, and I found that one that I made based on SoftEther circumvented state censorship easily – very cool stuff with a day’s configuration of a spare server.  Will the Great Firewall of China ultimately harm information security, or in the long term, will it lead to improving it?

China built and maintained the Great Wall to keep out foreign invaders. Even so, the Mongols invaded and built a Chinese dynasty

w00t and pillage – Captain’s bLog: day 6

Earlier I looked at the security and privacy issues surrounding AIS (the Automatic Identification System) and other navigational aids aboard ships.  Today there was an interesting article about this on the BBC.  Essentially, while commercial vessels are generally required to carry AIS transponders on board, it is also possible to switch them off.  Vessels have therefore been able to bust sanctions by switching off their transponders, e.g. to make deliveries or enter ports that they are not supposed to.  However, satellite imagery combined with big data analysis is being used to combat this.

Surface ships do not really have anywhere to hide on the sea, so they can be tracked by satellite imagery. Their shadows will change depending on the size of the load they are carrying. Data is available regarding which ports in which locations typically load or unload which types of cargo. The result is that it is now proving possible to track shipping and even types of cargo on the high seas, using data and satellites. Not only does this make it possible to detect when ships are carrying out illegal activity, such as ship-to-ship transfers circumventing sanctions, but it also shows changes in the flow of trade, such as oil tankers diverting en route to new destinations based on fluctuations in oil prices.

I’m concerned about privacy implications. Once again it shows how actors with access to significant resources – hardware manufacturers, state intelligence agencies, software companies – can extract more data from users (and even non-users!) of seemingly straightforward products and services than we may be aware of or be prepared to accept. As the resources required for big data decrease, with cloud computing and accessible user platforms, the barrier to entry will also decrease. If a country’s coast guard is capable of identifying vessels and their cargo on the high seas, that’s one thing – if a RIB-load of pirates are able to do so as well, that’s another.

One of the techniques I enjoy for hiding data is steganography, hiding a message in plain sight disguised as something else.  After all, even the best cryptography is susceptible to “ball peen hammer decryption” if someone knows you have something to hide.  Incredibly, the principle of steganography has even been used at sea.

During the Second World War, the Japanese invasion of the Dutch East Indies left the Dutch navy in the area in grave danger.  Their ships tried to escape to Australia, but were all soon sunk – except for one.  The captain of HNLMS Abraham Crijnssen realised that their ship was all too visible at sea from the air – so in a stroke of mad genius, he had the warship disguised as an island!  Moving only at night, and slowly, they evaded detection and arrived safely in Australia 8 days later.  HNLMS Abraham Crijnssen served out the rest of the war operating out of Australia, and well done to the ship and her crew. Read more here!

HNLMS Abraham Crijnssen at sea

w00t and pillage – Captain’s bLog: day 5

The studies continue!  This has been a busy week, so I only got to cover the theory and practice behind cracking WiFi passwords – WEP, WPA, and WPA2.

WEP cracking is fairly straightforward. Since each transmission contains the key that ultimately has to be cracked, it’s just a matter of gathering enough packets to analyse. Both gathering the packets and cracking the key is done with packages pre-installed in Kali. The cool thing was speeding up the gathering of packets with ARP replay – forcing more authentication packets without the device owners necessarily noticing.

WPA cracking of course is far more complex. The course covers the exploitation of the WPS feature, a far simpler backdoor into a WPA network, but even around here WPS seems to be disabled by default or push-button-only.

For actual WPA cracking, I suppose it’s a testament to its level of security that the recommended attack is still a brute force dictionary attack. It was interesting to see what sort of ready libraries are available for download for testing – compilations of the top 10,000 passwords, actual dictionaries for different languages, and so on.

From my previous life in the corporate world, I have heard most of the horror stories of password policies. This class is the reason why we keep hearing the same ones – “why is the password to the server with our expensive custom software ‘password1’?” A justification for borderline paranoia regarding information security in the modern world is the “password on a post-it note on the monitor” and social engineering.  You might have strong passwords and encryption, but those you communicate with may not. So you want to collect data? Carry a clipboard and go anywhere.

I enjoyed the discussions of cryptography and password policies in Neal Stephenson’s Cryptonomicon. And still, at times I feel like D. M. Shaftoe’s character, too paranoid to use cryptography at all, since if something is worth keeping secret, it shouldn’t be shared digitally at all.

My secrets are safe, though. Notebooks, illegible handwriting, and fluency in obscure languages.

Midnight sun in a land of obscure languages

w00t and pillage – Captain’s bLog: day 4

My Atheros AR9271 USB device arrived!  Now I’m back into my courses as originally planned.  I now keep my course in one workspace and a Kali VM in another.  I have used Kali before, but never under guidance – just fiddling around with a Live USB.

Step 1 today was changing the MAC address of my wi-fi adapter.  Reminds me of the first time I lived in shared housing, back at Oxford University.  To get ethernet access for my new PC after the old one packed it in, I had to submit my new computer’s ethernet MAC address for approval by the sysadmin.  I couldn’t be bothered, so I changed the MAC address to match the old one instead.

Step 2 was setting up monitor mode on my wi-fi adapter.  Even without manipulating any of the outputs of airodump-ng wlan0, the potential power here is obvious.  I’m not in a high-tech location. Everyone’s routers are broadcasting freely, and everyone has at least a smartphone turned on and typically connected to publicly visible wi-fi.  Since Viber is more popular than actual phone minutes or SMS, and virtually nobody takes steps towards anonymising themselves, there are privacy implications right off the bat – and I reckon almost nobody here is aware of it.  The data itself is encrypted, of course, but the fact of the data traffic being visible at all is noteworthy – and pretty cool.

Step 3 was my first ever deauthentication signal with `aireplay-ng --deauth`. Or, in other words: with $23 of hardware incl. shipping, I booted my phone off my wi-fi, without touching it, and could keep it offline as long as I wanted, after 15 minutes of video lectures. Only ethics stops me from keeping my neighbours off the internet. This made it sink in just how easy it actually would be to cause general havoc with vulnerability hacking.

I wonder why societies or the media in general don’t seem to take security vulnerabilities very seriously?  Many moons ago when I lived in –redacted–, there were rumours and mutterings followed by a full-blown scandal when it was discovered that the NSA’s Echelon program had a partner station there.  In fairly short order, cries about national sovereignty and privacy violations were silenced with statements like “the data is all encrypted anyway”. Even if encryption in general use by the general public at the time was effective and reliable (spoiler: nope), data flow itself is useful information – such as if your spouse’s phone regularly connects to the router of the attractive neighbour.

That is what struck me most about Edward Snowden’s revelations – enormous outcries for a short period, followed by… essentially nothing.  Despite the revelations that some of our online service providers, probably even chipset and OS manufacturers, are cooperating with foreign intelligence agencies to be able to manipulate or even access our personal data, most people don’t seem to take the slightest measures to protect their own data.

I look forward to learning a lot more about protecting data systems beyond the obvious steps I take already.  Although I now also have to fight the impulse to boot the harbourmaster off his wi-fi.

A bleak winter’s day in –redacted–

w00t and pillage – Captain’s bLog: day 3

Happy New Year! The local sailing club held a New Year’s Eve Regatta in the bay, a dozen vessels of very different sizes and types playing around. I couldn’t participate due to a broken cotter pin on the mast and the lack of a proper reefing system, but I did spend the evening afloat. Looking at the array of vessels from dinghies to superyachts in the bay or moored nearby, I got to thinking of maritime security.

Technology has vastly changed the maritime world. While an 18th-century ship of the line could have in excess of 1,000 souls aboard, and a 19th-century merchant ship could have a crew of hundreds, a modern cargo ship may not even have a dozen people aboard. In the 21st century, IT is everywhere. It is hardly a surprise that every yacht or commercial vessel today will have a GPS, even if only as a mobile device – but the IT aboard is more connected than you may expect.

The International Maritime Organisation’s SOLAS (Safety of Life at Sea) treaty mandates that all vessels of 300 tonnes or more (and all passenger ships regardless of size) must be fitted with AIS – the Automatic Identification System. Anyone with an AIS receiver may then see data of vessels equipped with AIS transponders – ID number and vessel name, position, status (e.g. anchored or under way), speed, and even destination and ETA. You can even see this data now at https://www.marinetraffic.com. I use it myself on occasion to identify superyachts (which, given my location, I affectionately refer to as “mafia tubs”) pulling into the neighbouring luxury marina.

One would think that this system would be designed with security in mind? Well, quite the opposite, according to Trend Micro.  AIS data can be hacked and altered. In theory one could stop marine traffic in busy channels or harbours by exaggerating the size of one’s own vessel – imagine your transponder claiming your vessel was one square kilometer in size, when the transponder could be aboard a rowboat. One could also spoof signals, for example broadcasting warnings about drifting mines, or faking a maritime distress.

The consequences are serious. In the best case, a fake signal would just be an annoyance on a clear day, and backup and visual navigation plus radio communications would move everyone along – although with a number of blaring alarms that could cause chaos either from distraction or by leading to crew ignoring real signals lost in the noise. In the worst case, malicious actors could shut down vessel movement in an area completely, which in the case of poor weather and low visibility, could lead to severe accidents – or the publicly-available data could enable piracy. Combine it with a hack of a corporate database to identify the most lucrative targets, and a modern-day Bart Roberts could make a fortune without exceptional skills.

It gets better! AIS is rarely an isolated system. In modern vessels larger than a pleasure craft, AIS is likely to be integrated with the other navigational systems, such as GPS, ECDIS (Electronic Chart Display), and by extension potentially the entire control system of a vessel. One alleged hack in 2017 of a vessel travelling to Djibouti led to the captain being unable to maneuver at all for 10 hours, with the intention being to direct the vessel into waters where pirates could board and seize the vessel.

Modern commercial shipping relies so much on integrated computer systems that losing access to those systems, or receiving deliberately deceptive data from those systems, can raise absolute havoc. Cargo ships are not exceptionally maneuverable at the best of times – witness the recent Norwegian frigate collision, with a frigate sunk and a ship damaged even with all their computer systems working, due primarily to human factors and low visibility.

I recommend the Trend Micro report for further reading, as well as this.

I do not see a clear solution, nor a legal alternative for commercial vessels, beyond pressing ship owners to harden their security as much as they are able. As for myself – I’m well below the tonnage to require AIS and have no need of it, and can use a radar reflector on the mast to be more visible to ships less able to maneuver easily. I have a VHF radio and paper charts and am fully capable of navigating safely enough day or night by dead reckoning, charts, binnacle compass, and even celestial navigation and sextant if I were to head offshore. Low visibility? Down anchor, break out the rum.

Simpler rules for simpler vessels from a simpler time

w00t and pillage – Captain’s bLog: day 2

Today I got started with the basics of wireless network hacking.  The instructor went through the basics of what networking is and how it functions.  Obviously the key is that in any network, the assets (like individual laptops, mobiles, tablets) do not connect to the end resource (a server, or the internet) directly, but all go through a router or similar.  With wireless networking, that provides ample possibilities for pre-connection attacks, attacks by gaining access, and post-connection attacks.

I ran into a small hardware roadblock at this point. Since I’m now doing things “properly” with a Kali VM for learning and practice, my VM can’t properly access my wireless card. Therefore I need a USB wireless adapter so the VM can access the wireless hardware over USB. The instructor recommends the Atheros AR9271 chipset, and sells them alongside the course… since I live in a tiny agriculture-based non-EU nation that doesn’t even exist in many online stores’ dropdown menus, my options for buying a suitable device were limited. So the instructor made another $23 off me with his online store. Well, merry Christmas to me.

While I’m waiting on shipping, I get to think about connectivity through the ages.  I grew up in Africa, and my first experience with the internet was borrowing my dad’s connection at work to find out in real-time how Garry Kasparov’s chess match against Deep Blue was going.  Yep, I was that kind of teenager. In later years in Africa I would get my own connections at home, with the 28.8 modem running across the phone line, which meant the connection would drop if anyone picked up the phone.  Later there was a habit of phone lines getting crossed, which meant that when I was trying to get online I could hear diplomats’ phone conversations through my modem – quite a security problem in itself, especially as I spoke their language as well.

Now, of course, wi-fi is ubiquitous, and most people don’t give a second thought to their network access at the local bar or coffee shop.  I was in Cuba some time ago, and there, internet access is controlled by the state (with domestic LAN-based alternatives replicating a surprising amount of internet functionality on the island for free).  Every hotel would have its outside walls lined with Cubans accessing the outside world on their Android devices. How security-conscious are they, I wonder? As for myself, I thought it safer to stick to the rum and cigars, offline.

I look forward to learning more about the intricacies of networks.  Networks aren’t my strong point. Fortunately, they are my girlfriend’s strong point, so she advises me whenever I’m stuck.

Old and new in Havana

w00t and pillage – Captain’s bLog: day 1

I am venturing into the as-yet uncharted waters of ethical hacking…

For context: I have been using computers daily since the age of 4, when I would sneak into my brother’s room to borrow his Commodore 128 (who remembers 5 1/4 inch flippy disks?). Growing up in Africa I got addicted to flight simulators and would reprogram my joysticks. Internet access arrived in 1996 where I lived, on a 28.8 modem on an “iffy” phone line. My formal studies were in history, but my work ultimately took me to overseeing bespoke simulator software and antivirus tech support. Even so, I stuck with operations and administration – until I got a Google scholarship for Android development, which brought me into Java programming. It turns out that was addictive.

Thus, by the time I joined Security Roots as part of the Dradis Support team, I had a fair bit of IT operations experience, an awareness of best security practices, and a budding interest in programming and development. My skills are being tested daily, and growing as a result. So now I want to get deeper into the InfoSec and security testing worlds!

I have signed up to a number of online security courses about Ethical Hacking and purchased a virtual pile of books for my e-book reader for long nights aboard my sailing yacht. I will start with a general course covering most aspects of Ethical Hacking going into practical exercises for each realm. Next, I have a particular interest in learning about Android security and wireless hacking. To start my journey I have set up a fresh Kali virtual machine, and my first semi-formal training in network hacking begins tomorrow. I feel at home with Linux (even being no stranger to Kali and Tails, which I explored earlier out of curiosity), less so with networks. Let’s go!

Dradis Framework Founder’s Letter – 2017

Good Software Takes Ten Years. I didn’t know that when we started back in 2007, but I’ve come to terms with that rule since then. A lot can change in 9 years. You can go from the first commit of an internal project released as open-source to a small, independent, self-funded software team that is making a difference for 300+ teams in 34 countries around the world.

Did I have a clue about where we’d get in 9 years when I pushed that first commit? Most definitely not. Was I confident that we’d be working with 1,000s of InfoSec experts every day when I quit my security consulting job over 2 years ago to concentrate my efforts on Dradis Pro full time? Not even close. Do we have a clue about where we’re heading over the next 2 years? We have clues but most likely, we really don’t know. But that’s fine, we’re not alone in this journey. We’re bringing our entire community along with us. And most importantly, we have the freedom to choose where we’re heading.

We don’t have investors, so we can keep our users front and center. We’re trying to grow as slowly as possible. By focusing on the fundamentals, we’ve managed to get this far. And we’re sticking to the same approach going forwards: do the work, keep our users happy, and care about their long-term success.

A brief history of our project

Just to put things into perspective, here is what working on the same piece of software every single day for 9 years did:

  • Dec 2007: Start working on an internal tool for pentest collaboration.
  • Jan 2008: Release Dradis Framework as open-source.
  • …3,000 code commits.
  • Jul 2011: Launch a side-business offering additional functionality and official support (Dradis Professional announcement).
  • …work with 140 teams, 17 new releases, 2,967 commits.
  • Feb 2014: Make the side-business our main business.
  • …7 new releases, 782 commits.
  • Mar 2015: Welcome Rachael, our second full-time member of the team.
  • …13 new releases, 2,503 commits…

The last 12 months

With the growth in the Dradis Pro side of things, we have been able to reinvest a lot of man-hours in Dradis Community Edition. It’s our way to give back to the community that helped us along the way. The code was refreshed and updated. Many of the enhancements that were created for the Pro edition were backported to CE. Plus, the documentation was rewritten, step-by-step guides were created, and screencasts were recorded. We also created and released OWASP, PTES, HIPAA and OSCP compliance packages with testing checklists, report templates and more.

Dradis Community edition GitHub repo commits in 2016

The activity in the Dradis CE repo shows how a lot of this effort was concentrated earlier in the year to sync the CE and Pro code bases (kudos to the GitLab team for the inspiration).

Our community is growing stronger than ever. We’re averaging 400 git clones each week. Plus, we have a thriving Slack channel and dozens of new threads in our community forums.

Dradis Community Edition is being downloaded an average of 400 times per week

What we are going to be focusing on over the next 12 months

Over the last 12 months, we’ve pushed 11 new releases of Dradis Pro. From performance and interface to functionality and stability, we’ve noticeably improved every single aspect of the app. The product today is in a completely different category from where it was 12 months ago. And still, there is so much room to grow, refine, and improve!

2017 is exciting for us in many ways. We’re now working with over 300 teams. This is a challenge, but we wouldn’t have it any other way. Plus, this is the first time that we have a small team of very talented people working full time on taking care of product development and user experience.

I’m sure that the speed at which we’ll be making progress is going to feel break-neck. I can’t wait to see the things that we’re going to be able to build with you and for you and the rest of our community.

To our best year ever,

Daniel

Giving back to the InfoSec community

Today is a good day. 3 years and 19 days after the last release of the Dradis Framework open-source project, the team announced a new release: Dradis Framework 3.0: A New Hope.

For a very long time the Community Edition of the framework had been put on hold while we tried to get Security Roots off the ground. When starting a new venture you’ve got more questions than you’ve got answers, and you never know how things are going to play out. In fact, the jury is still out.

A few years ago we had to make a hard decision. As a newborn organization we didn’t have the resources to maintain active development of two different editions of the framework, and had to decide what to do: try to keep both editions (semi) alive and running, or focus 100% on the recently created Dradis Professional edition, with the premise that if we were successful a day would come in which we’d have the time and resources to really give the Community Edition the attention it deserved.

Today there are over 200 teams in 31 countries around the world using Dradis Pro. We’ve achieved what we set out to achieve back then, and it is time to give back to the same InfoSec community that made Dradis a successful project with over 25k downloads.

And when I say today I don’t mean literally today, 20th of February. Today’s release of Dradis Community Edition 3.0 has been months in the making (check the hectic activity across the board in all of Dradis’ repos on GitHub). But today we get a chance to tell you about it, to show the results of that work, and to give back.

Dradis Framework started as an open source project and will die as an open source project. Whether we can make Security Roots as successful as the open source project has been, only time will tell; we most definitely hope so.

Please visit the redesigned project website, the new community forums and get involved in any way you see fit.

Dradis Pro is sponsoring BSides London 2014

Dradis Professional is sponsoring the next edition of the B-Sides London security conference:

http://www.securitybsides.org.uk/

B-Sides London 2014 will be held at the Kensington and Chelsea Town Hall on April 28, 2014 in London, UK.

We’ve put together a page for the event and are raffling a Dradis Pro license, read more at:

http://securityroots.com/dradispro/events/bsideslondon2014.html

Are you planning to attend or want to get in touch? Contact us or ping us on Twitter: @dradispro