w00t and pillage – Captain’s bLog: day 6

Earlier I looked at the security and privacy issues surrounding AIS (the Automatic Identification System) and other navigational aids aboard ships.  Today there was an interesting article about this on the BBC.  Essentially, while commercial vessels are generally required to carry AIS transponders on board, it is also possible to switch them off.  Vessels have therefore been able to bust sanctions by switching off their transponders, e.g. to make deliveries or enter ports that they are not supposed to.  However, satellite imagery combined with big data analysis is being used to combat this.

Surface ships do not really have anywhere to hide on the sea, so they can be tracked by satellite imagery.  Their shadows will change depending on the size of the load they are carrying.  Data is available regarding which ports in which locations typically load or unload which types of cargo.  The result is that it is now proving possible to track shipping and even types of cargo on the high seas, using data and satellites.  Not only does this make it possible to detect when ships are carrying out illegal activity, such as ship-to-ship transfers circumventing sanctions, but also shows changes in the flow of trade, such as oil tankers diverting en-route to new destinations based on fluctuations in oil prices.

I’m concerned about privacy implications.  Once again it shows how actors with access to significant resources – hardware manufacturers, state intelligence agencies, software companies – can extract more data from users (and even non-users!) of seemingly straightforward products and services than we may be aware of or be prepared to accept.  As the resources required for big data decrease, with cloud computing and accessible user platforms, the barrier to entry will also decrease.  If a country’s coast guard is capable of identifying vessels and their cargo on the high seas, that’s one thing – if a RIBload of pirates are able to do so as well, that’s another.

One of the techniques I enjoy for hiding data is steganography, hiding a message in plain sight disguised as something else.  After all, even the best cryptography is susceptible to “ball peen hammer decryption” if someone knows you have something to hide.  Incredibly, the principle of steganography has even been used at sea.

During the Second World War, the Japanese invasion of the Dutch East Indies left the Dutch navy in the area in grave danger.  Their ships tried to escape to Australia, but were all soon sunk – except for one.  The captain of HNLMS Abraham Crijnssen realised that their ship was all too visible at sea from the air – so in a stroke of mad genius, he had the warship disguised as an island!  Moving only at night, and slowly, they evaded detection and arrived safely in Australia 8 days later.  HNLMS Abraham Crijnssen served out the rest of the war operating out of Australia, and well done to the ship and her crew. Read more here!

HNLMS Abraham Crijnssen at sea

w00t and pillage – Captain’s bLog: day 5

The studies continue!  This has been a busy week, so I only got to cover the theory and practice behind cracking WiFi passwords – WEP, WPA, and WPA2.

WEP cracking is fairly straightforward.  Since each transmission contains the key that ultimately has to be cracked, it’s just a matter of gathering enough packets to analyse. Both gathering the packets and cracking they key is done with packages pre-installed in Kali.  The cool thing was speeding up the gathering of packets with ARP replay – forcing more authentication packets without the device owners necessarily noticing.

WPA cracking of course is far more complex. The course covers the exploitation of the WPS feature, a far simpler backdoor into a WPA network, but even around here WPS seems to be disabled by default or push-button-only.

For actual WPA cracking, I suppose it’s a testament to its level of security that the recommended attack is still a brute force dictionary attack. It was interesting to see what sort of ready libraries are available for download for testing – compilations of the top 10,000 passwords, actual dictionaries for different languages, and so on.

From my previous life in the corporate world, I have heard most of the horror stories of password policies. This class is the reason why we keep hearing the same ones – “why is the password to the server with our expensive custom software ‘password1’?” A justification for borderline paranoia regarding information security in the modern world is the “password on a post-it note on the monitor” and social engineering.  You might have strong passwords and encryption, but those you communicate with may not. So you want to collect data? Carry a clipboard and go anywhere.

I enjoyed the discussions of cryptography and password policies in Neal Stephenson’s Cryptonomicon. And still, at times I feel like D. M. Shaftoe’s character, too paranoid to use cryptography as all, since if something is worth keeping secret, it shouldn’t be shared digitally at all.

My secrets are safe, though. Notebooks, illegible handwriting, and fluency in obscure languages.

Midnight sun in a land of obscure languages

w00t and pillage – Captain’s bLog: day 4

My Atheros AR9271 USB device arrived!  Now I’m back into my courses as originally planned.  I now keep my course in one workspace and a Kali VM in another.  I have used Kali before, but never under guidance – just fiddling around with a Live USB.

Step 1 today was changing the MAC address of my wi-fi adapter.  Reminds me of the first time I lived in shared housing, back at Oxford University.  To get ethernet access for my new PC after the old one packed it in, I had to submit my new computer’s ethernet MAC address for approval by the sysadmin.  I couldn’t be bothered, so I changed the MAC address to match the old one instead.

Step 2 was setting up monitor mode on my wi-fi adapter.  Even without manipulating any of the outputs of airodump-ng wlan0, the potential power here is obvious.  I’m not in a high-tech location. Everyone’s routers are broadcasting freely, and everyone has at least a smartphone turned on and typically connected to publicly visible wi-fi.  Since Viber is more popular than actual phone minutes or SMS, and virtually nobody takes steps towards anonymising themselves, there are privacy implications right off the bat – and I reckon almost nobody here is aware of it.  The data itself is encrypted, of course, but the fact of the data traffic being visible at all is noteworthy – and pretty cool.

Step 3 was my first ever deauthentication signal with aireplay-ng –deauth.  Or, in other words: with $23 of hardware incl. shipping, I booted my phone off my wi-fi, without touching it, and could keep it offline as long as I wanted, after 15 minutes of video lectures.  Only ethics stops me from keeping my neighbours off the internet. This made it sink in just how easy it actually would be to cause general havoc with vulnerability hacking.

I wonder why societies or the media in general don’t seem to take security vulnerabilities very seriously?  Many moons ago when I lived in –redacted–, there were rumours and mutterings followed by a full-blown scandal when it was discovered that the NSA’s Echelon program had a partner station there.  In fairly short order, cries about national sovereignty and privacy violations were silenced with statements like “the data is all encrypted anyway”. Even if encryption in general use by the general public at the time was effective and reliable (spoiler: nope), data flow itself is useful information – such as if your spouse’s phone regularly connects to the router of the attractive neighbour.

That is what struck me most about Edward Snowden’s revelations – enormous outcries for a short period, followed by… essentially nothing.  Despite the revelations that some of our online service providers, probably even chipset and OS manufacturers, are cooperating with foreign intelligence agencies to be able to manipulate or even access our personal data, most people don’t seem to take the slightest measures to protect their own data.

I look forward to learning a lot more about protecting data systems beyond the obvious steps I take already.  Although I now also have to fight the impulse to boot the harbourmaster off his wi-fi.

A bleak winter’s day in –redacted–

w00t and pillage – Captain’s bLog: day 3

Happy New Year! The local sailing club held a New Year’s Eve Regatta in the bay, a dozen vessels of very different sizes and types playing around. I couldn’t participate due to a broken cotter pin on the mast and the lack of a proper reefing system, but I did spend the evening afloat. Looking at the array of vessels from dinghies to superyachts in the bay or moored nearby, I got to thinking of maritime security.

Technology has vastly changed the maritime world. While an 18th-century ship of the line could have in excess of 1,000 souls aboard, and a 19th-century merchant ship could have a crew of hundreds, a modern cargo ship may not even have a dozen people aboard. In the 21st century, IT is everywhere. It is hardly a surprise that every yacht or commercial vessel today will have a GPS, even if only as a mobile device – but the IT aboard is more connected than you may expect.

The International Maritime Organisation’s SOLAS (Safety of Life at Sea) treaty mandates that all vessels of 300 tonnes or more (and all passenger ships regardless of size) must be fitted with AIS – the Automatic Identification System. Anyone with an AIS receiver may then see data of vessels equipped with AIS transponders – ID number and vessel name, position, status (e.g. anchored or under way), speed, and even destination and ETA. You can even see this data now at https://www.marinetraffic.com. I use it myself on occasion to identify superyachts (which, given my location, I affectionately refer to as “mafia tubs”) pulling into the neighbouring luxury marina.

One would think that this system would be designed with security in mind? Well, quite the opposite, according to Trend Micro.  AIS data can be hacked and altered. In theory one could stop marine traffic in busy channels or harbours by exaggerating the size of one’s own vessel – imagine your transponder claiming your vessel was one square kilometer in size, when the transponder could be aboard a rowboat. One could also spoof signals, for example broadcasting warnings about drifting mines, or faking a maritime distress.

The consequences are serious. In the best case, a fake signal would just be an annoyance on a clear day, and backup and visual navigation plus radio communications would move everyone along – although with a number of blaring alarms that could cause chaos either from distraction or by leading to crew ignoring real signals lost in the noise. In the worst case, malicious actors could shut down vessel movement in an area completely, which in the case of poor weather and low visibility, could lead to severe accidents – or the publicly-available data could enable piracy. Combine it with a hack of a corporate database to identify the most lucrative targets, and a modern-day Bart Roberts could make a fortune without exceptional skills.

It gets better! AIS is rarely an isolated system. In modern vessels larger than a pleasure craft, AIS is likely to be integrated with the other navigational systems, such as GPS, ECDIS (Electronic Chart Display), and by extension potentially the entire control system of a vessel. One alleged hack in 2017 of a vessel travelling to Djibouti led to the captain being unable to maneuver at all for 10 hours, with the intention being to direct the vessel into waters where pirates could board and seize the vessel.

Modern commercial shipping relies so much on integrated computer systems that losing access to those systems, or receiving deliberately deceptive data from those systems, can raise absolute havoc. Cargo ships are not exceptionally maneuverable at the best of times – witness the recent Norwegian frigate collision, with a frigate sunk and a ship damaged even with all their computer systems working, due primarily to human factors and low visibility.

I recommend the Trend Micro report for further reading, as well as this.

I do not see a clear solution, nor a legal alternative for commercial vessels, beyond pressing ship owners to harden their security as much as they are able. As for myself – I’m well below the tonnage to require AIS and have no need of it, and can use a radar reflector on the mast to be more visible to ships less able to maneuver easily. I have a VHF radio and paper charts and am fully capable of navigating safely enough day or night by dead reckoning, charts, binnacle compass, and even celestial navigation and sextant if I were to head offshore. Low visibility? Down anchor, break out the rum.

Simpler rules for simpler vessels from a simpler time

w00t and pillage – Captain’s bLog: day 2

Today I got started with the basics of wireless network hacking.  The instructor went through the basics of what networking is and how it functions.  Obviously the key is that in any network, the assets (like individual laptops, mobiles, tablets) do not connect to the end resource (a server, or the internet) directly, but all go through a router or similar.  With wireless networking, that provides ample possibilities for pre-connection attacks, attacks by gaining access, and post-connection attacks.

I ran into a small hardware roadblock at this point.  Since I’m now doing things “properly” with a Kali VM for learning and practise, my VM can’t properly access my wireless card.  Therefore I need a USB wireless adapter so the VM can access the wireless hardware through the USB. The instructor recommends the Atheros AR9271 chipset, and sells them alongside the course… since I live in a tiny agriculture-based non-EU nation that doesn’t even exist in many online stores’ dropdown menus, my options for buying a suitable device were limited.  So the instructor made another $23 off me with his online store. Well, merry Christmas to me.

While I’m waiting on shipping, I get to think about connectivity through the ages.  I grew up in Africa, and my first experience with the internet was borrowing my dad’s connection at work to find out in real-time how Garry Kasparov’s chess match against Deep Blue was going.  Yep, I was that kind of teenager. In later years in Africa I would get my own connections at home, with the 28.8 modem running across the phone line, which meant the connection would drop if anyone picked up the phone.  Later there was a habit of phone lines getting crossed, which meant that when I was trying to get online I could hear diplomats’ phone conversations through my modem – quite a security problem in itself, especially as I spoke their language as well.

Now, of course, wi-fi is ubiquitous, and most people don’t give a second thought to their network access at the local bar or coffee shop.  I was in Cuba some time ago, and there, internet access is controlled by the state (with domestic LAN-based alternatives replicating a surprising amount of internet functionality on the island for free).  Every hotel would have its outside walls lined with Cubans accessing the outside world on their Android devices. How security-conscious are they, I wonder? As for myself, I thought it safer to stick to the rum and cigars, offline.

I look forward to learning more about the intricacies of networks.  Networks aren’t my strong point. Fortunately, they are my girlfriend’s strong point, so she advises me whenever I’m stuck.

Old and new in Havana

w00t and pillage – Captain’s bLog: day 1

I am venturing into the as-now uncharted waters of ethical hacking…

For context: I have been using computers daily since the age of 4, where I would sneak in my brother’s room to borrow his Commodore 128 (who remembers 5 1/4 inch flippy disks?).  Growing up in Africa I got addicted to flight simulators and would reprogram my joysticks. Internet access arrived in 1996 where I lived, on a 28.8 modem on an “iffy” phone line. My formal studies were in history, but my work ultimately took me to overseeing bespoke simulator software and antivirus tech support. Even so, I stuck with operations and administration – until I got a Google scholarship for Android development, which brought me into Java programming. It turns out that was addictive.

Thus, by the time I joined Security Roots to join the Dradis Support team, I had a fair bit of IT operations experience, an awareness of best security practices, and a budding interest in programming and development. My skills are being tested daily, and growing as a result. So now I want to get deeper into the InfoSec and security testing worlds!

I have signed up to a number of online security courses about Ethical Hacking and purchased a virtual pile of books for my e-book reader for long nights aboard my sailing yacht. I will start with a general course covering most aspects of Ethical Hacking going into practical exercises for each realm. Next, I have a particular interest in learning about Android security and wireless hacking. To start my journey I have set up a fresh Kali virtual machine, and my first semi-formal training in network hacking begins tomorrow. I feel at home with Linux (even being no stranger to Kali and Tails, which I explored earlier out of curiosity), less so with networks. Let’s go!

New in Dradis Pro v3.1

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you create reports, in a fraction of the time.

For this release, we’ve squashed some pesky bugs and updated the system and its add-ons with new features that will make your team’s life easier.

The highlights of Dradis Pro v3.1

  • Added comments, subscriptions and notifications to notes
  • Added comments, subscriptions and notifications to evidence
  • Added comments, subscriptions and notifications to methodology cards
  • Pre-flight tool upload validator
  • Fix default tags creation bug
  • Allow numeric fields to be 0 when validating
  • Fix BI engine load error (hook into model load and not ActiveRecord load)
  • Fix overflow bug when editing report templates (issue sorting tab)
  • Updated how add-ons hook into the main menu
  • Fix error pages
  • Renamed clients to teams in the backend
  • Fix blockcode characters displaying incorrectly
  • Fix red dot still being displayed on the first visit to the page that caused the single unread notification
  • Fix wrong ‘There are no comments’ message
  • Escape HTML in comments
  • Track activities when multiple-creating evidence
  • Fix BI custom project properties
  • Better engine manifest hooks
  • Keep lists and cards order when exporting as XML
  • When errors found validating evidence, report with evidence id
  • Add-on enhancements:
    • Note and evidence comments in export/import in dradis-projects
    • Fix usage of set_property to use set_service in Nexpose plugin
    • Netsparker: Update cleanup_html to format content + add new fields
A quick video summary of what’s new in this release:

Comments for methodology cards, evidence, and notes

Comments, notifications, and subscriptions introduced in Dradis v3.0 have been extended to include methodology cards, notes, and evidence in projects. You can leave a comment tagging another user, subscribe to be notified of comments and receive notifications for cards, notes, evidence, and issues. All comments are included during project import/export with dradis-project.

Checking for empty fields

Dradis will check for empty fields when saving a field required by your template and when validating your project before exporting a report. Catching and correcting these empty fields before generating your report will help prevent the dreaded ambiguous cell mapping Word error.

Pre-flight tool upload validator

While uploading output from a tool into a project, Dradis will check your Plugin Manager configuration against your report template configuration. If your template is configured to require a “Recommendations” field but no #[recommendation]# field is defined in the Plugin Manager for this output file type, Dradis will throw a warning.

Showing the preflight validation

Ready to upgrade to v3.1?

Not using Dradis Pro on your team?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features or what our users are saying.

New in Dradis Pro v3.0

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

For this release, we’ve squashed some pesky bugs and updated the system and its add-ons with new features that will make your team’s life easier.

The highlights of Dradis Pro v3.0

  • Add comments for issues
  • Add notifications for comments
  • Add subscriptions for issues in a project
  • Nest the dradis elements under the project scope
  • Add ‘Send to…’ menu for issues
  • Add better handling of the Services table
  • Use puma for the development and test server
  • Remove resque dependency
  • Improve redirect on Evidence#edit
  • Alphabetically sort ContentBlocks
  • Validate empty fields
  • Fix exporting with bc.. prepended with a newline
  • Fix password reset thor task
  • Fix cookie overflow
  • Fix license redirection
  • Fix missing lists bug
  • Add-on enhancements:
    • Add references and vulnerability_classifications fields in the Burp plugin
    • Fix formatting errors and hostname Node property in the Burp plugin
    • Fix vertical buttons for the CVSS calculator
    • Fix issue sorting in HTML export
    • Split services data in the Metasploit, Nessus, Nmap plugin
    • Update fields template in Nessus plugin
    • Add CVSS fields for the Netsparker plugin
    • Resolve nested duplicate content in Paragraph tags in the Nexpose plugin
    • Better handle finding `id`s in Nikto plugin
    • Smart table header for the IssueLibrary
  • Bugs fixed: #102, #118, #321
The IssueLibrary must be updated after you upgrade! Contact support for the files.
A quick video summary of what’s new in this release:

Comments, notifications, and subscriptions

You can now comment on issues within projects.  You can also tag other members of your team in a comment, or subscribe to a conversation.

If a team member is tagged in a comment or subscribed to a conversation that has received a comment, they will see a notification when they open their project.

One project per tab

You may now have multiple projects open in several tabs of your browser.  You are now able to switch freely between projects and tabs altering their content in any order – a boon for multitaskers!

API endpoints for Content Blocks and Document Properties

For users of our REST API, we have now added endpoints for Content Blocks and Document Properties. Now you may create, update, retrieve, and delete Content Blocks and Document Properties through the API.

Ready to upgrade to v3.0?

Still not using Dradis in your team?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

Comments, notifications, & subscriptions

Efficiently collaborate with your team using comments, notifications, and subscriptions inside of Dradis.

We heard you. There are times that you need to discuss a Dradis project with your team. Gone are the days of jumping on Slack or sending an email with a question or request for edits. Instead, leave a comment! Keep all of your Dradis talk inside Dradis.

Comments, notifications, and subscriptions are brand new in Dradis Community Edition (CE) v3.10 (and coming in the next release of Dradis Pro!).

Let’s jump straight into an example of how these new features improve team collaboration:

I’m working on Dradis CE (username rachkor) and have a question for another team member (username daniel). He wrote up a new Issue, but I think that the solution needs expanding. Instead of writing an email or finding him on chat, I scroll to the comment form at the bottom of the Issue:

Add comments to your Dradis Issues

Not only can I comment on the Issue, but I can also mention @daniel by name:

Mention other Dradis users in your comments

The next time Daniel logs in to Dradis, he’ll be greeted by a notification from me:

Get notifications from any mentions in Dradis comments

Comments are included in the Recent activity feed so that you can keep up with your team as a whole, even if you aren’t involved in a specific conversation.

When you comment on an Issue or a teammate mentions you in a comment, you’ll be automatically subscribed to that Issue. If you need to subscribe (or unsubscribe!) from notifications on a specific Issue, click the subscribe/unsubscribe button:

Subscribe or unsubscribe from comment notifications

We’re excited to unveil this new phase of collaboration within Dradis and can’t wait to hear what you think! Want to check it out? Grab the latest version of Dradis CE from GitHub with these instructions and test out the comments, notifications, and subscriptions. These new features will ship in the next release of Dradis Pro. If you’re a Pro user, stay tuned for a release notice soon!

Not using Dradis yet? Learn more about the Dradis Framework and all the time you could save.

That silly moment when a ruby gem doesn’t install

A few days ago I was helping a user to install a custom Dradis plugin.

As you may already know, Dradis plugins are ruby gems and we manage them with bundler.

The final step in the installation process usually looks something like this:

bundle install --without development,test

or

bundle update --without development,test [custom_gem]

But at some point in the installation history, a mix of both commands was run, probably something like:

bundle install --without development,test [custom_gem]

This command is wrong, bundle install does not expect a specific gem as a parameter. So the custom_gem parameter is handled by bundler as one of the groups of gems not to be installed. Bundler notifies us about that:

Gems in the groups developement,test and custom_gem were not installed.

We may notice that warning (or not), and try to execute the command correctly:

bundle install --without development,test

But we will see the same warning about custom_gem not being installed. This is because bundler uses a config file to cache some configuration options, like the –without option. That file probably in the same app folder under:

.bundler/config

If we check its contents, it looks like:

---
BUNDLE_WITHOUT: "developement,test:custom_gem"

Until we delete that file or edit it to remove the custom_gem from it, we may have a hard time installing our gem.