Category Archives: Uncategorized

w00t and pillage – Captain’s bLog: day 4

My Atheros AR9271 USB device arrived!  Now I’m back into my courses as originally planned.  I now keep my course in one workspace and a Kali VM in another.  I have used Kali before, but never under guidance – just fiddling around with a Live USB.

Step 1 today was changing the MAC address of my wi-fi adapter.  Reminds me of the first time I lived in shared housing, back at Oxford University.  To get ethernet access for my new PC after the old one packed it in, I had to submit my new computer’s ethernet MAC address for approval by the sysadmin.  I couldn’t be bothered, so I changed the MAC address to match the old one instead.

Step 2 was setting up monitor mode on my wi-fi adapter.  Even without manipulating any of the outputs of airodump-ng wlan0, the potential power here is obvious.  I’m not in a high-tech location. Everyone’s routers are broadcasting freely, and everyone has at least a smartphone turned on and typically connected to publicly visible wi-fi.  Since Viber is more popular than actual phone minutes or SMS, and virtually nobody takes steps towards anonymising themselves, there are privacy implications right off the bat – and I reckon almost nobody here is aware of it.  The data itself is encrypted, of course, but the fact of the data traffic being visible at all is noteworthy – and pretty cool.

Step 3 was my first ever deauthentication signal with aireplay-ng –deauth.  Or, in other words: with $23 of hardware incl. shipping, I booted my phone off my wi-fi, without touching it, and could keep it offline as long as I wanted, after 15 minutes of video lectures.  Only ethics stops me from keeping my neighbours off the internet. This made it sink in just how easy it actually would be to cause general havoc with vulnerability hacking.

I wonder why societies or the media in general don’t seem to take security vulnerabilities very seriously?  Many moons ago when I lived in –redacted–, there were rumours and mutterings followed by a full-blown scandal when it was discovered that the NSA’s Echelon program had a partner station there.  In fairly short order, cries about national sovereignty and privacy violations were silenced with statements like “the data is all encrypted anyway”. Even if encryption in general use by the general public at the time was effective and reliable (spoiler: nope), data flow itself is useful information – such as if your spouse’s phone regularly connects to the router of the attractive neighbour.

That is what struck me most about Edward Snowden’s revelations – enormous outcries for a short period, followed by… essentially nothing.  Despite the revelations that some of our online service providers, probably even chipset and OS manufacturers, are cooperating with foreign intelligence agencies to be able to manipulate or even access our personal data, most people don’t seem to take the slightest measures to protect their own data.

I look forward to learning a lot more about protecting data systems beyond the obvious steps I take already.  Although I now also have to fight the impulse to boot the harbourmaster off his wi-fi.

A bleak winter’s day in –redacted–

w00t and pillage – Captain’s bLog: day 3

Happy New Year! The local sailing club held a New Year’s Eve Regatta in the bay, a dozen vessels of very different sizes and types playing around. I couldn’t participate due to a broken cotter pin on the mast and the lack of a proper reefing system, but I did spend the evening afloat. Looking at the array of vessels from dinghies to superyachts in the bay or moored nearby, I got to thinking of maritime security.

Technology has vastly changed the maritime world. While an 18th-century ship of the line could have in excess of 1,000 souls aboard, and a 19th-century merchant ship could have a crew of hundreds, a modern cargo ship may not even have a dozen people aboard. In the 21st century, IT is everywhere. It is hardly a surprise that every yacht or commercial vessel today will have a GPS, even if only as a mobile device – but the IT aboard is more connected than you may expect.

The International Maritime Organisation’s SOLAS (Safety of Life at Sea) treaty mandates that all vessels of 300 tonnes or more (and all passenger ships regardless of size) must be fitted with AIS – the Automatic Identification System. Anyone with an AIS receiver may then see data of vessels equipped with AIS transponders – ID number and vessel name, position, status (e.g. anchored or under way), speed, and even destination and ETA. You can even see this data now at https://www.marinetraffic.com. I use it myself on occasion to identify superyachts (which, given my location, I affectionately refer to as “mafia tubs”) pulling into the neighbouring luxury marina.

One would think that this system would be designed with security in mind? Well, quite the opposite, according to Trend Micro.  AIS data can be hacked and altered. In theory one could stop marine traffic in busy channels or harbours by exaggerating the size of one’s own vessel – imagine your transponder claiming your vessel was one square kilometer in size, when the transponder could be aboard a rowboat. One could also spoof signals, for example broadcasting warnings about drifting mines, or faking a maritime distress.

The consequences are serious. In the best case, a fake signal would just be an annoyance on a clear day, and backup and visual navigation plus radio communications would move everyone along – although with a number of blaring alarms that could cause chaos either from distraction or by leading to crew ignoring real signals lost in the noise. In the worst case, malicious actors could shut down vessel movement in an area completely, which in the case of poor weather and low visibility, could lead to severe accidents – or the publicly-available data could enable piracy. Combine it with a hack of a corporate database to identify the most lucrative targets, and a modern-day Bart Roberts could make a fortune without exceptional skills.

It gets better! AIS is rarely an isolated system. In modern vessels larger than a pleasure craft, AIS is likely to be integrated with the other navigational systems, such as GPS, ECDIS (Electronic Chart Display), and by extension potentially the entire control system of a vessel. One alleged hack in 2017 of a vessel travelling to Djibouti led to the captain being unable to maneuver at all for 10 hours, with the intention being to direct the vessel into waters where pirates could board and seize the vessel.

Modern commercial shipping relies so much on integrated computer systems that losing access to those systems, or receiving deliberately deceptive data from those systems, can raise absolute havoc. Cargo ships are not exceptionally maneuverable at the best of times – witness the recent Norwegian frigate collision, with a frigate sunk and a ship damaged even with all their computer systems working, due primarily to human factors and low visibility.

I recommend the Trend Micro report for further reading, as well as this.

I do not see a clear solution, nor a legal alternative for commercial vessels, beyond pressing ship owners to harden their security as much as they are able. As for myself – I’m well below the tonnage to require AIS and have no need of it, and can use a radar reflector on the mast to be more visible to ships less able to maneuver easily. I have a VHF radio and paper charts and am fully capable of navigating safely enough day or night by dead reckoning, charts, binnacle compass, and even celestial navigation and sextant if I were to head offshore. Low visibility? Down anchor, break out the rum.

Simpler rules for simpler vessels from a simpler time

w00t and pillage – Captain’s bLog: day 2

Today I got started with the basics of wireless network hacking.  The instructor went through the basics of what networking is and how it functions.  Obviously the key is that in any network, the assets (like individual laptops, mobiles, tablets) do not connect to the end resource (a server, or the internet) directly, but all go through a router or similar.  With wireless networking, that provides ample possibilities for pre-connection attacks, attacks by gaining access, and post-connection attacks.

I ran into a small hardware roadblock at this point.  Since I’m now doing things “properly” with a Kali VM for learning and practise, my VM can’t properly access my wireless card.  Therefore I need a USB wireless adapter so the VM can access the wireless hardware through the USB. The instructor recommends the Atheros AR9271 chipset, and sells them alongside the course… since I live in a tiny agriculture-based non-EU nation that doesn’t even exist in many online stores’ dropdown menus, my options for buying a suitable device were limited.  So the instructor made another $23 off me with his online store. Well, merry Christmas to me.

While I’m waiting on shipping, I get to think about connectivity through the ages.  I grew up in Africa, and my first experience with the internet was borrowing my dad’s connection at work to find out in real-time how Garry Kasparov’s chess match against Deep Blue was going.  Yep, I was that kind of teenager. In later years in Africa I would get my own connections at home, with the 28.8 modem running across the phone line, which meant the connection would drop if anyone picked up the phone.  Later there was a habit of phone lines getting crossed, which meant that when I was trying to get online I could hear diplomats’ phone conversations through my modem – quite a security problem in itself, especially as I spoke their language as well.

Now, of course, wi-fi is ubiquitous, and most people don’t give a second thought to their network access at the local bar or coffee shop.  I was in Cuba some time ago, and there, internet access is controlled by the state (with domestic LAN-based alternatives replicating a surprising amount of internet functionality on the island for free).  Every hotel would have its outside walls lined with Cubans accessing the outside world on their Android devices. How security-conscious are they, I wonder? As for myself, I thought it safer to stick to the rum and cigars, offline.

I look forward to learning more about the intricacies of networks.  Networks aren’t my strong point. Fortunately, they are my girlfriend’s strong point, so she advises me whenever I’m stuck.

Old and new in Havana

w00t and pillage – Captain’s bLog: day 1

I am venturing into the as-now uncharted waters of ethical hacking…

For context: I have been using computers daily since the age of 4, where I would sneak in my brother’s room to borrow his Commodore 128 (who remembers 5 1/4 inch flippy disks?).  Growing up in Africa I got addicted to flight simulators and would reprogram my joysticks. Internet access arrived in 1996 where I lived, on a 28.8 modem on an “iffy” phone line. My formal studies were in history, but my work ultimately took me to overseeing bespoke simulator software and antivirus tech support. Even so, I stuck with operations and administration – until I got a Google scholarship for Android development, which brought me into Java programming. It turns out that was addictive.

Thus, by the time I joined Security Roots to join the Dradis Support team, I had a fair bit of IT operations experience, an awareness of best security practices, and a budding interest in programming and development. My skills are being tested daily, and growing as a result. So now I want to get deeper into the InfoSec and security testing worlds!

I have signed up to a number of online security courses about Ethical Hacking and purchased a virtual pile of books for my e-book reader for long nights aboard my sailing yacht. I will start with a general course covering most aspects of Ethical Hacking going into practical exercises for each realm. Next, I have a particular interest in learning about Android security and wireless hacking. To start my journey I have set up a fresh Kali virtual machine, and my first semi-formal training in network hacking begins tomorrow. I feel at home with Linux (even being no stranger to Kali and Tails, which I explored earlier out of curiosity), less so with networks. Let’s go!

Tales from the Other Side: we survived our first security review

In a dimly lit room with Doritos and Mountain Dew on my side, I was ready to begin the assessment and be like Hackerman. – Aaron

Recently, the Dradis team was presented with the opportunity to conduct a security review for a funded startup. Our original team comes from a background in security consulting. But, we also have team members who come from the software or support worlds. Basically, some of us (Aaron, Rachael, and Xavi) were n00bs and had never pwned anything before.

As someone who unintentionally adds holes in an application for a living (aka web developer), finding vulnerabilities in an app sounds like a fun activity that could give me a new perspective on my profession. – Aaron

Why did we decide to take on this project? We wanted to experience what you experience every day. The Dradis team doesn’t (usually) deliver security reports, we release software. We exhaustively test new releases and fix the bugs that you report to us. But, we rarely (if ever) get the chance to use Dradis in a real-world scenario. This time, we had a client, the team needed to collaborate despite time zone differences, and there was a deadline looming. Yes, we crossed over to the other side. And, we survived.

What we did:

  • Performed a security review on 3 components of a single web application
  • Drank a lot of coffee and/or mountain dew
  • Followed the WAHH methodology (with some custom checks added in)
  • Found, verified, and reported on roughly 3 dozen Issues
  • Generated a Word report that was organized by Risk Rating (based on the CVSSv3 score) and by affected component
  • Delivered the report to the client, answered their questions, then wished we could celebrate in person as a team

We learned a lot. We delivered a report to our client that we’re proud of and we covered a lot of ground in a short period of time. The technical team did a great job transitioning from their day jobs as Ruby developers and becoming pentesters for a week. Aaron summed up the learning curve perfectly, it was “like a scientist trying to do ballet for the first time.”. Everyone ran into at least a few walls. But, with some teamwork, fantastic resources, coffee, and a little Google, we got it all done. During the process of the security review, we learned about you, we learned about us, and we’re excited to apply these lessons as we continue building Dradis.

 

We learned a lot about you

No, not about you as a person, but we did learn a lot about our customers in the whole “walk a mile in their shoes” sense. By using Dradis to perform a real-world security review, we got insight into how we can make Dradis so much better for you in the future.

Here’s an example:

We’re a remote team. On this project, team members were collaborating between 3 different continents. Team members jumped in and worked during their own daylight hours. After about day 2 of the project, we realized that we were pasting links from the Dradis project into Slack with messages like “Hey, I don’t understand this part, can you clarify?”. Then, the author of the Issue would have to log back into Dradis, edit the content over there, and then update the Slack thread saying “I fixed it! How does that look now?”.

You know what we needed instead? The ability for all of those conversations to take place within Dradis. This wasn’t our only lightbulb moment, but it was one of the biggest. We can’t wait to roll out new features and improvements to give you the features that we were looking for!

 

We learned a lot about reporting (and deadlines)

Dradis is a collaboration and reporting tool. So, learning about reporting and deadlines is really the same as learning about ourselves. Some of us also learned more about our caffeine tolerance during the security review, but you want to hear about Dradis, right?

I (Rachael) spend a whole lot of time with your report templates. I’ve made friends with Microsoft Word (ok, it’s still a rocky relationship sometimes) and can break and fix just about anything you throw at me. But, I’d never experienced generating a report with Dradis while under an external deadline before. This time, I knew that there was a client waiting for me to review the findings and export the report.

We’ve always had a “we will go above and beyond for our customers” approach to support. But, the next time we get an email like “MY REPORT WAS DUE YESTERDAY AND IT’S BROKEN OH GOD PLEASE HELP ME” (not a direct quote), we can understand you even better. That extra understanding of what you’re going through was worth every hour we spent on this security review.

And it’s not just on the support side. We want to take our newfound understanding and help take away even more of the work (and stress) of the reporting process. How? By improving Dradis.

Improvements: Big and Small

We found plenty of small (and big!) improvements that we can’t wait to implement. We quickly identified a few UI tweaks. In some cases, they’re as simple as moving a button or adding different scrolling options. But, if we were internally screaming for them, we think you’ll like them too.

Some of the takeaways were bigger. For example, after going through the QA process ourselves, we feel very strongly that we need a more seamless QA process within Dradis.

Back to the other side

In the end, we all ended the security review with a deeper respect for what you all do every day. Walking the digital equivalent of a mile in your shoes left us with a list of improvements that we think will make the road a little less rocky for you next time. But, we’re ready to head back to the other side (the software development side) and leave the security reviewing to all of you again. You find the vulns, we’ll keep making Dradis better for you. Stay tuned for more Dradis improvements in the coming months!