pseudocode
Tesco is breached and yet again the BBC misreport a cyber event

"Thousands hit in Tesco.com attack"

​A rather dramatic headline from this BBC news story. 2000+ accounts are accessed but by using passwords and emails from other sites who have had breaches, like for example the Adobe breach which was, frankly, a hackers goldmine. The accounts have been deactivated but not before vouchers had been stolen. The second headline in the story says “weak passwords” then seems to make no reference to this.

What this story is really about is the fact that people all too often just reuse passwords on multiple sites. Rather than seizing this as an opportunity to make this point, the BBC and their woefully inadequate cyber reporting, just framed it as a Tesco breach. There is a knock on effect in counsumer confidence and reputational damage in a situation where it is (arguably) not totally their fault.

Ok, maybe 2000 logins from one or two IPs on 2000 different accounts (if that’s how it happened, you’d have to script it and only a percentage would work) should have been blocked earlier. However, this is a user education problem in my book and general user laziness. Even educated and aware people just reuse passwords over and over and seem to think that password management is so hard they are in some way exempt. It’s back to the old “I’m not interesting, nobody would hack me” issue. Frankly it makes me angry. We all agree passwords are not the answer, but then neither are biometrics which just makes the user a target. What’s the solution? I don’t know but I wish the BBC got it’s act together when reporting this stuff.

Here is the full story: http://www.bbc.co.uk/news/technology-26171130   

and I’d love to hear your comments on this.

Lastpass: Security 101 Flaw or Sound Business Sense? You Decide.

Last year, well before I started a job in security, I discovered three security flaws in Lastpass.com, the well known password storage system. Two of these were simple “good practice” in procedures problems. One of them was a technical issue. I responsibly disclosed these issues and received a reply. We are going to look at one of the more simple problems which Lastpass is a problem at all.

In essence it is a simple login problem which you may have seen on every website you use when you make a mistake logging in. A web login, usually, requires two things. A username and a password. When one or both of those variables are incorrect the site will display an error message. What that error message says is up to the discretion of the people maintaining that site. In the case of content systems like wordpress or drupal this is usually preset but can be modified.

The content of this error message can tell an attacker much more than you would think. Let’s look at an example: if I login with a correct username but incorrect password and the site says “Incorrect Password” it has just told the attacker that they have a valid username. The same goes the other way round: get the username wrong and see “Username not found” and we know that either the user is not on the system or is using a different username. Given that almost all usernames are email addresses nowadays this is rather useful from an attacker’s point of view if they are trying to hack an individual or a company by hacking an individual employee. Also given that over 70% of people reuse passwords and even more use similar or related passwords this is very useful. If an attacker wants into site A and can find that the user is registered on sites B through Z they can attack those other sites maybe with weaker or no lockout policy, eventually get a password and that password may be a clue to what passwords the person uses or in fact the actual password to site A if they reuse their passwords a lot.

This is one of the reasons why “normal” people should pay attention to which big site gets hacked or not. When Adobe was hacked and all the password hashes and reminder prompts leaked we actually saw other sites indexing that and telling their users to change their passwords, because people reuse their passwords so often.

The best security practice is for a site to say “Username or password not found” when you get your password wrong. This tells the attacker nothing. Sites which say “Username not found” are employing poor basic security for their users.

So to Lastpass. Lastpass exists to help users manager their passwords. They are in fact a great service, providing random complex passwords and even cross-checking passwords and password complexity for you. I recommend them to anyone, even though I am writing a blog post complaining about their security.

When you log on to Lastpass with an incorrect username this is what you see:

image

Now this, to me at least is a little worrying. First of all we have gone over why you should never see this. Secondly, Lastpass is a password site, it prides itself on its security, it encourages you to trust them and pour all your sensitive password information into their servers which they promise to protect. So seeing this is worrying. However, they are also a business. Notice how it asks you if you’d like to create an account? There is perhaps a small argument that it is just sound business sense for them to do this.

When I approached Lastpass about this problem I used responsible disclosure techniques (and yes I will do a post on how to do this). I asked for their PGP key and sent my concerns in such a way that the email was encrypted only for them. I also attached my own key so they could reply in kind. Plain text email is not secure so I was a little surprised when they replied in a plain text email thanking me and telling me that they didn’t think it was a problem. Since over six months have passed now, it is not resolved and they don’t think it is a problem here is their exact reply:

Thanks Paul,

We appreciate the message.
We had this conversation internally about 4.5 years ago. The decision was made to display the error as such because any motivated user can determine if a username is used through a variety of ways (most notably, the create account form) and because of the high frequency of people getting locked out of their account because they typed in the wrong email (either initially when they setup the account or when they tried to login). 
Well, it is their company and what they do with it is their choice but I would argue that none of their arguments are sound and, given that they are a password storage service, they should be leading the way for others. Well, at least they had the discussion over 5 years ago now!
So, security flaw or just business sense? It’s up to you and your perspective. I would say security flaw, massive security flaw and here’s why. If a company, and many do, use Lastpass and tell all their employees to use it an attacker can go and check who has an account and who hasn’t bothered to sign up. From there an attacker could target that employee who is likely not to care about security and be breaking other security policies or could set about trying the top 10-100 most common passwords against Lastpass knowing that the odds of getting in have just dramatically reduced.
The only way Lastpass will stop this stupid and frankly dangerous policy is if users complain about it. So if you use Lastpass and agree with me send them an email. At the end of the day it’s either poor basic policy on their part or a good way to get more users. I’d be interested to hear your thoughts on it. You can comment below.
Oh and what were the other two flaws I found? Well, you will just have to wait for a future blog post on them because they are even better than this basic, basic mistake.
Setting up Ubuntu on a VPS: First Steps

In this post I’ll be assuming no linux knowledge whatsoever. I’ll be showing the first couple of things you need to do with a new server and will also be introducing you to some basic commands and programs.

I have frequently extolled the virtues of getting a VPS. There are a great many advantages for people wanting to learn more about the Net, Linux and security in general. A Virtual Private Server is simply a server that is hosted as a virtual machine for you. This allows you to reformat it with a variety of operating systems very quickly. You can experiment with different distros without having to dual boot or make lots of usb drives or even have a dedicated machine running linux. Another advantage of using a VPS is that you are getting a server, rather than a desktop, image. Also, when you pick an operating system your system is pretty much up and running from the very start.

For those of you who want to get started but don’t want to sacrifice your precious windows machine this is ideal. I must admit this was how I felt a few years ago. Thankfully, that time has long passed. You can use putty (an SSH/telnet client) to access your server from your windows system. Putty has all the options you could wish for. It even saves profiles so you can login with one click. Putty is also available for linux, however, you can just use the command line which is what I will be doing.

I use Bhost as their basic Iron package is very cheap, their uptime is good and there is plenty of bandwidth and storage for the simple tasks I want to do. So we will be using Bhost as our example service, however it is a similar process with other providers. When you first get into the control panel of your VPS, accessed through your web browser, you will have to decide which distro to install. I will be working with Ubuntu, though this example should work nearly identically for any debian based distro.

After you have selected your distro, you will need to make a root password. This should conform to the usual good password rules: long, uses lower case and caps, uses numbers and special characters, is NOT a dictionary word!

The responsibility for running a server is a great way to learn but it is a serious responsibility and you should approach the process with that in mind. Why is it a responsibility? Well, this is a whole server, live on the internet. It’s not like a blog or hosted site where really your only responsibility is keeping your password secure so your site can’t be easily hacked. This server is going to be totally under your control so, perhaps for the first time, you are in charge of the whole thing. This means if it is hacked, and later I’ll show you example of how aggressive these people are, it’s not just spam comments and dodgy links on a website but someone potentially in control of your whole system. This means they could add you to their botnet say and launch attacks from your server. And when those who are attacked start looking for who is responsible, which IP address do you think they’ll find? That’s right, it’s going to be yours.

Don’t be put off by this, just be aware that the security of this system is going to be your responsibility. Ok, lecture over, you’ve got your server set up, got your root password, what’s next?

Well, you have 5-6 things to do:

  1. Login VIA SSH
  2. Create a user for yourself
  3. Give the new user sudo (root) privileges
  4. Disable root login via SSH
  5. Update your system
  6. Configure firewall
  7. Enjoy your new VPS (optional!)

Let’s go through them:

Login VIA SSH

Once ready, your VPS will have an IP address, it will be in the options or details in your VPS control panel. Note it down.

SSH uses the format user@hostname for access. Exactly the same format as an email address. Just now, your VPS won’t have a hostname so we will use the IP address in the same way. In our example we will pretend that your IP address is 123.456.12.21. The only user you have currently is root so the format will be:

root@123.456.12.21

If you are using putty enter that in the top bar, check that it is set to SSH on port 22 and click connect. If you do not specify a user, and just put in the IP or hostname, you will be prompted to enter a user, so it’s just better to get into the habit of using the user@hostname format. If you are using a linux machine (my examples will be for Ubuntu) it is a much simpler process. Simply press ctrl+atl+t to open a terminal window and enter:

ssh root@123.456.12.21

Whichever method you use you will be promoted for your password, enter it and you’re in.

(Note: some VPS services allow you to set a hostname [url], and also extra users, if you have set a hostname use it instead of the IP) 

Create a user for yourself

Ok, you are in. You should be seeing something like:

Welcome to Ubuntu 11.10 (GNU/Linux 2.6.18-308.8.2.el5.028stab101.1 i686)

 * Documentation:  https://help.ubuntu.com/

Last login: Mon Feb 18 20:37:14 2013 from XXXXXXX

Note that you are shown both the last time and the last IP that you signed in from. Get into the habit of scanning that line every time. Be on the lookout for logins from a time or place that you don’t recognise. This can be an indication that your machine has been compromised. Be aware that this is not by any means a 100% infallible method, as a competent hacker would change this to hide their tracks, however, it’s one possible way to catch an intrusion.

Now, you are going to need to make a user for yourself. Why not cruise around and do everything as root? Well, in the linux world that’s about the worst crime you can commit. The root user can do anything and while that sounds attractive, the goal here is to make a user and give them the same privileges in a controlled setting. To make a user you use the adduser command. Let’s call our new user bob

adduser bob

Go through the steps, you don’t have to enter anything like name or room or phone, just leave them blank and hit enter to go through them. You will be prompted for a password, use the usual good password techniques and do not under any circumstances use the same password as the root password.

Now you have created a user for yourself and it is set up automatically to have a home directory and space on the system. Adduser is a command in linux and, like so many linux commands, it has multiple additional options. To see what additional options are available you can read the manual entry for a command. To do this simply type man and then the name of the command. So:

man adduser

will show us all the options available for that command. Sometimes if man doesn’t appear to give you what you want try using the info command in the same way. To exit a man page just press q.

Give the new user sudo (root) privileges

Now that you have your user you will need to give it the permissions required to actually do things on the system. The goal here is to equip the user with the power of root, to perform tasks like updating or loading new software, without having to use the root account.

Why? Well, quite simply when your user does any of there actions they will be executed through the command/program sudo this will require a your password to do things and a record of this will be kept. This means on larger systems, for example, you could have multiple users without the sudo privilege and just one or two with it. This means that a “normal” everyday user can use the system, use the programs, create and save files in their own area and not have the power to do anything that could interfere, corrupt or damage the system (that said they could of course still bring in malware via USB or web/email links).

You should have a few users with the sudo privilege and they are in effect the system administrators. Because they have this privilege  they can make changes to the system and its users but will be doing so from their own accounts and with their own passwords: there will be a record in essence of who did what. That is, as everything is in the linux world, a really simple explanation, you can tailor privileges and powers for users in linux in a much more finely tuned way, however, just now we are concerned with getting you up and running so the bottom line is you need to give your account the power of root via sudo.

It is also possible to create sudo powers that are not “root” privileges, but rather the privileges of another specialized user. A prime example of this is at Web software companies like Amazon or Yahoo where they may have “builder” scripts that can build parts of the system using new code contributed by developers. Sudo is used to run those scripts under the special builder user rather than with full root privileges.

So, how do we give bob sudo power? Well, we need to add him into what is called the sudoers file in the main root directory. The sudoers file is located in /etc/sudoers and there are many ways to edit it.

If  you are new to linux you probably have not encountered the wonderful world of text editors yet. Text editors are programs which allow you to open, edit, save and create new files. There are several text editors to choose from and several are preloaded into your system. A very simple text editor is nano which is great for popping into a file making a simple change and getting back out again. To try it out just type nano into the command line and there it is. You’ll notice helpful instructions at the bottom. Don’t be confused by the inclusion of the ^ symbol next to the commands, it just means ctrl. So to exit nano just press ctrl+x. To open a particular file in nano you can just type nano followed by the file name if you are in the same directory as it or you can specify the path. So if you are still in the system as root and just type 

nano /etc/sudoers

You can open the sudoers file. 

You will notice at the top of the file a line which says

# This file MUST be edited with the ‘visudo’ command as root.

So, we won’t actually make changes to the file from here. For now, hit ctrl-x to exit nano. We’ll get back to the sudoers file in a minute…

First, you should know that there are many other editors to try, vi is a popular one which comes standard almost everywhere. Personally I use an editor called emacs which people jokingly describe as an operating system in itself. Emacs is much more than editor and allows fine control over virtually everything. It uses a lot of shortcut style key combinations and can appear a little confusing at first, however, a lot of the combinations, like ctrl+e to get to the end of a line, are actually the same as you would use in the terminal window. So not only is emacs great in its own right but learning it has a major extra benefit in making you better with the command line in general. Emacs also has a GUI option so it can be run in the desktop. Shockingly emacs is not installed by default in ubuntu. We’ll get into installing software later but if you want to use it just type: apt-get install emacs as root and then it will run with the emacs command in the same way nano and vi does.

Now, back to the sudoers file and visudo…

Visudo is a special script which uses your preferred editor to change the sudoers file in a safe way, protecting you from the scourge of typos and other mistakes that could render your sudoers file useless or worse — insecure. By default, most Ubuntu systems use nano as the prefered editor for visudo. You can check this and change the preferred editor using the select-editor command. (See here for more information.)

Now you can open the sudoers file with:

sudo visudo

So, you’ve got the sudoers file open to edit with visudo, what do you actually do? Well, you are simply going to add your user in to the bottom section like this:

#includedir /etc/sudoers.d

bob ALL=(ALL) ALL

And then save the file. (In nano, that’s ctrl-o to save and ctrl-x to exit.)

Now that bob has sudo rights lets check that it’s all working. First we need to switch to user bob. So let’s use the su command. 

su bob

Since you were running as root, you didn’t have to type in bob’s password. If you’d been running as any other user, su bob would have required you to know bob’s password to move on.

Now we are bob. We can make sure that’s the case with the command

whoami

Now, let’s try to use sudo. 

sudo ls

ls is the command that lists the contents of a directory. When you run sudo ls, the system will ask you for bob’s password. Type it in correctly and you will see one of two results. If bob has sudoer privileges, you’ll see a list of files. If bob does NOT have the privileges, you will see an error that says

bob is not in the sudoers file. This incident will be reported.

We have to switch back to root to issue some command. Since we switched into bob from root typing exit should get us back. If in doubt, log back in as root. 

Disable root login via SSH

You are almost there, but there’s one more thing to do while you are setting up. You should disable root login via SSH.

There are several things that you should do when using SSH to ensure good security and security of your server. However, disabling root login is the first thing to do.

SSH runs on port 22 of your server. Hackers and bots set up by them constantly scan the internet and look at which ports are open on a machine. When they find port 22 open frequently bots or scripts try to login. When you look at the logs of these attempts (stored in /var/logs) you will see that what is actually happening is an attempt to login as root (often they try admin as well) the idea being that if you can get into a server which has left root available via SSH you have all the power.

These attempts are going to happen to any server on the Net and you should not think that you are special in any way if you find that you are being attacked in such a manner. Mostly these attempts use wordlists as passwords so if you are following the good passwords rules then you are safer, but you should still take the time to remove root access.

Another thing you can do is to move your SSH away from port 22, we’ll cover that in another post.

We’ll edit the configuration file for SSH using nano. In linux nearly all configuration happens in text files, so get used to it!

nano /etc/ssh/sshd_config

This assumes that you are root. If you are bob, the command would be

sudo nano /etc/ssh/sshd_config

Now read down the lines in the file until you find PermitRootLogin. Change the “yes” to “no”, save the file (ctrl-o) and exit (ctrl-x).

The last thing to do here is restart your ssh server. 

sudo service ssh restart

If you are root, you do not need to use sudo. However, you can use sudo with root, and this is quite good, as all events are logged. Consider this a habit you might want to get into.

When you restart the ssh, it may kick you out. If not, type exit. Now, try logging in as bob@123.456.12.21

ssh bob@123.456.12.21

You should get in.

These are the very basic things to do when setting up a VPS. I will cover firewalls and other commands in future posts, but for now you can login to your VPS safely knowing that root access will be denied.

BBC get their Twitter “hacked” then mismanages reporting the event

Those of you who follow me on twitter will know that I was quite angry about this whole affair. So you won’t really be surprised to see this post. However, the reason that I am still annoyed by the whole affair is deeper than just mere anger at, yet again, the press getting their cybersecurity reporting wrong.

A point I have been keen to make for some time is that organisations which prepare for attacks seem to miss an important point. It can be summed up briefly: how you respond publicly is also part of preparedness. The BBC “twitter hack” is a perfect example of this and we’ll use it here to illustrate this point in greater depth.

Let’s start with some considerations of what the damage cause by an intrusion actually is. When a major company suffers a breach, we often hear that the damage done is into the millions. It is both interesting and instructive to break down what these costs actually are. Now, of course, this varies from company to company, from attack to attack and from what different attackers are trying to achive. Never the less, it’s possible to draw up some general catagories.

One category often cited is the cost to repair the damage. This seems to break down into three categories.

  • Investigating the attack — assessing the extent of the compromise.
  • Repairing the actual damage — resetting systems, scanning for backdoors, etc…
  • Rebuilding the defences. 

This last category rather annoys me. These companies surley have a duty to protect their, actually our, information. To read endlessly that major companies are breached due to simple and avoidable vulnerabilities, such as sql injection, because they have not sanitised their code, or, XSS vulnerabilities, frankly makes me angry. That feeling is compounded when reading that the costs of fixing a thing which should never have been a problem in the first place, are being rolled into the public total estimation of the cost of the attack is frustrating. 

If it were, for example, a bus company which did its MOTs in house, but never checked the brakes, when an accident happened they would never get away with just lumping the costs of now checking the brakes into the costs of the damages. There would be public outcry, confidence in the company would be lost and it’s reputation would be forever scarred. This “reputational” cost is exactly what I am getting at and the point exemplified by the BBC “twitter hack” becomes an instructive example.

Let’s begin by looking at the story and where better to get if from than the BBC itself. For people from the States unfamiliar with how the BBC actually works bear in mind two things as you read on. Firstly that the BBC is paid for by the British public: everyone who owns a device capable of receiving TV (this includes computers) must, by law, pay a fee of over £100 a year. Secondly that the BBC is, at a very basic level, required to "educate, inform, entertain", in that order! http://www.bbc.co.uk/aboutthebbc/insidethebbc/whoweare/mission_and_values/

Here is the story posted by BBC news detailing the incident:

"Hackers attack several BBC Twitter accounts"

http://www.bbc.co.uk/news/technology-21879230 

First of all note that it is in the technology section. Not the general news. I would argue that is an attempt to bury the story or at least hide it from a great section of the regular audience of the site.

So, lets now look in more detail at what happened  Three of their accounts are hijacked and unwanted tweets are posted. So clearly this is not some massive hack but really the compromise of three twitter passwords, allowing the attackers to gain control. Now, there are two ways to achive this from outside of a system, both require clicking on a link which brings up a page looking like the twitter login page and prompting for password and login. This page is not twitter’s but rather a spoof page hosted by the attackers. Often the clue to this is in the url. “login.twitter.net” or somesuch devation form the true url. Because people tend not to check these things, because the page looks exactly like what they are used to seeing and because people are impatient and just want their stuff to work, people tend to enter their details without a second thought. Once the details are entered something rather clever happens. As the attackers have the login detail they redirect their fake twitter page to the real twitter, log the person on and present them with their twitter account. As far as the victim is concerned they have just logged in. From the attacker’s point of view they now have the details needed to login to the account.

So that’s the mechanics of how this is normally pulled off. Why did I say there were two ways this is achieved? Well, frequently these links come in the form of DMs on twitter. Normally saying something along the lines of “OMG there is a picture of you on this website…” or “Someone is saying bad things about you here…” It is normally something very generic but hinting at something personal. Who wouldn’t want to find out what it was? This works in a chain, once one person’s account is compromised it sends out DMs to all the people the account follows. This is rather effective as the DM seems to come from someone you may know, adding to the perceived authenticity of the message. The kind thing to do if you receive these messages is to get in contact with the person you got them from and tell them to check their account and change their password. Don’t just ignore it. This is a horrible analogy but an apt one: it’s like getting a positive result for a sexual disease  You may not want to contact all your past sexual partners but you must. Ignoring either case is the highest form of irresponsibility  The other method that this can happen is through phishing emails, emails looking like they come from twitter which contain a link which does the same thing. 

Though phishing is common and it is almost beyond belief how easy it is to send an email appearing to come from anybody you like, it requires a more direct approach. Without knowing the content of the phishing emails the BBC may have received it’s impossible to figure out which way this “hack” was achieved. However, a phishing email can do much more that just getting your twitter password. Clicking on a link can load all sorts of malware onto your system and give an attacker full control of… well… everything. So points to the BBC for being honest when they say: 

The attacks began in the early afternoon on Thursday. At the same time, BBC staff were alerted to a phishing email that had been sent to some BBC email accounts. It is not yet clear if the two are related.

The email contained a link that if clicked on could expose password details.

But it is worrying that they are so openly admitting that they have no idea yet what is going on. Minus several million reputation points there. I think it’s a safe bet to say that the two are related.

What is most annoying is that the chances that the link just lifted the twitter password out of a person’s browser is unlikely. From the explanation above I hope you can all see that what is much more likely is that someone actually put the password into the fake twitter site that came up. Look, if these people can craft and attack, we would call it a “payload”, that just magicked the twitter password out of the browser, they are of the standard to also be able to get into the system, take it over, avoid detection and get the keys to the main websites and much more. If you are that good you don’t call mission completed just by taking over a twitter account. If the BBC know this, why the above quote? Take away some reputation points for that.

Also, if it was the more likely “person put in the password” attack, why are the people dealing with social media not better trained? It’s our money that is paying them, and no doubt paying them well. Subtract more reputation points for that.

So, it’s all pretty bad at this stage, but wait it’s about to get worse. Skip past the “what the bad men did” bit. We don’t care about who it was and what they did. A teenager could have done this. Let’s get to the bit titled social engineering and let’s be nice and give them a few points back because surely now they are going to do the “educate and inform” part of what they are meant to do. Come on BBC, use this as an opportunity to help clue up the public and keep them safe…

The attacks on the BBC are the latest in a series of hacks on high-profile Twitter accounts.

Last month Burger King and Chrysler saw their Twitter feeds hijacked while a quarter of a million Twitter users had their passwords stolen.”

Now, to me at least, the first sentence smacks of justification. It reads like “well, it’s happening to everyone, so it’s OK that it happened to us.” It’s not OK that it happened to them and it’s not OK that they didn’t report it properly. They are meant to “educate” and not build hysteria with false and misleading information. Poor work, BBC. Poor work.

#BletchleyNetwars An Adventure with Netwars (round 2) in Bletchley

Last weekend I was one of the 30 or so people who had the chance to play NETWARS at Bletchley Park. This was one of the Face to Face events run by the UK Cyber Security Competition and the top 6 people got through to the Masterclass Final in March.

image

It was all in all quite an amazing day. The very fact that it was in Bletchley, home of code breaking during the Second World War made it extra special. For those of you unfamiliar with netwars this video will help.

Basically it is a staged game of 5 levels. The first two are played on virtual machines and you score points by answering increasingly difficult questions. What I like about Netwars is that it is a real test of skill. It doesn’t stick to one domain, instead you will find yourself probing SQL databases, hunting through mailboxes and even cracking the odd password or two.

Level 3 is where the fun begins. To get to Level 3 you are given an SSH key and a port to connect on. This along with the hostname and your username gets you in and helpfully provides you with a flag which opens up the Level 3 questions. A word on Flags… flags in these competitions are usually MD5 or SHA1 strings and not actual flags. You might be asked to SHA1 the answer and provide that. Not knowing this can cause confusion for novice players.

Back to Level 3, Level 3 is a whole network of about 10 boxes, some have web apps on them, some have other ways in, some don’t even show up on your basic nmap unless you drop the ping probes. Like Levels 1 and 2 there is something for everyone. To succeed fully at Netwars you need to be able to do “one of every kind of exploit”, that seems to be the key. It’s a test of how well rounded your skills are.

So how did I do? Well not the best and far from the worst. I had played Levels 1 and 2 before so going through them did not cause major problems. Level 3 is where everyone slows down. Also in netwars if you get a question wrong once you get that for free but subsequent wrong answers drop a point. Stupidly I hashed the path to a file and not the file itself and lost four marks by repeatedly trying it. Another thing which adds to the tension is the fact that there is a live running scoreboard so you can see where you are and who has just overtaken you! I managed a few questions on level 3 and ended up 9th by the final scorecard. Here are the top 15

image

There were not many points in it at all. Some of the players above me had already won a place in the final and were playing for fun. Once you took them out I was actually 5th, winning myself a place in the Masterclass Final of the UK Cyber Security Competition for a second year in a row.

Netwars also sends you an individual card to let you know where your strengths and weaknesses are. Mine is below:

image

As you may notice there’s nothing for Level 4, this makes me suspect that I had actually accrued enough points to enter Level 4 but didn’t notice as there is a lot in three to be done. This of course could be a mistake. Either way it was a learning experience and we were all rewarded with a tour of Bletchley Park and a one year passport to come back as often as we like. It was a great day out, a great competition and a fantastic learning experience. I would like to thank SANS for letting us play and the UK Cyber Security Competition for organising the event. Not to mention Bletchley who were excellent hosts. I was mostly pleased to advance my score from last time which you can see in my previous post.

More info on Netwars and the UK Cyber Security Competition can be found here:

https://www.sans.org/netwars

https://cybersecuritychallenge.org.uk/



Cybercamp and Netwars Round 1

A few weeks ago I took part in the UK Cyber Security Competition’s #cybercamp. It was all in all a fascinating experience. The camp ran over three days, four if you count registration, an evening meal and all accommodation was provided by Glasgow Caledonian University (GCU). This was the first time they had run such a thing in Scotland and frankly I was glad not to have to drag my ass via train to some place in England. In fact it was very nice being in Glasgow as I got to act as the host, explaining all the dos and don’ts of Glasgow on a Saturday night. A set of rules which are more complicated that any firewall you have ever seen.

The three days broke down as follows…

On day one we were put into groups and given the day to “pitch” a new security product “Dragon’s Den” style. Not too hard a task some of you may say, and yes, a soft skills task which allows me again to say “try out the challenge, even if you think you can’t do it you can… or at least you will learn something”. Dinner was provided by RBS and several interesting talks were given.

Day two was quite amazing as they took us to Tulliallan the Police Scotland training centre.

image

In the first part of the morning we had talks from various officers from the E-crime squad who explained their role in digital forensics and the legal framework they had to comply to. Then we were put into groups and given a sealed phone in a bag and three statements. One suspect was living way beyond his means, the second was a known associate who claimed he was scared of him and the third was from the girlfriend of the suspect who was suspicious about his spending. Because he was “a person of interest” the police had picked him up and we had his phone. His phone was however locked with a pin. Rather than trying to crack the pin I suggested we use RIPA which is a law which allows police to demand that a suspect give up his passwords and keys if the is suspected of an offence. Needles to say the suspect refused.

So we were exposed to police phone forensic software which could decode the phone and mount it forensically. I’m not going to tell you all the details in case they want to use the scenario again. However, I will say through a combination of the phone and something hidden on the SD card we could prove that he was involved in a scheme to rip off people’s bank accounts and had an insider in the bank syphoning the money out. It’s always useful when criminals keep proper accounts! The last part of the day involved a “mock” courtroom. In fact, it was far from “mock”, and looked like a proper court. They had a defense lawyer, a prosecution lawyer and a judge. All of them were high up in the Scottish legal system. We were given a fleshed out version of the report which we had hastily written and told any two of our group could be called to give evidence. Luckily, they didn’t call me. The report we were working from had inaccuracies, for example the phone was referred to as an iPhone, not a Blackberry. This allowed the defense to “go to town” on the people that were giving evidence. The main lesson from this is the extreme accuracy and precision required when doing forensics. Though it was all lighthearted and in good fun, for me that message was hammered home. After that Police Scotland treated us to a fantastic dinner along with a piper to pipe us in. Splendid.

Day three was my first time at Netwars. Because there was a cybercamp in England and Scotland we were pitched against each other. I managed Levels 1 and 2 however due to technical problems nobody in Scotland could SSH into level 3. Really this was nobody’s fault just a technical oversight. I eventually managed to get into Level 3 with a tethered phone and my own laptop but it was incredibly slow. In the end, because we were fighting England, we worked as a team and were commended for that approach. We each got a copy of the top 15 scorecard and our individual cards. These are below. 

image

image

So for a first attempt I was quite pleased with myself. Remember I am an English Teacher by trade and self-taught so anything in the top 10 is excellent. The good news is that I’ll be playing netwars again in a few weeks so I should have a better go at Level 3. I’ll blog about that then too.

Try Doing it Right: Using SCP to copy files over SSH

Most of you will be familiar with the cp command and any of you will be quite happy with SSHing into a server to do things. But how do you use SSH to copy files or directories across from one box to another? ftp (File Transfer Protocol) is really insecure, you’d be better off just shouting the files at the server and hoping for the best and, yes there is sftp (Secure FTP) but let’s face it if you know where you are going it’s much faster using scp. Also, in practical terms SSH is a much, much more robust  encryption protocol with a longer predicted useable life.

So we’re going to have a quick rundown of using scp to copy over SSH and for this we’ll assume that you haven’t yet got round to creating SSH keypairs and are therefore using passwords. In a later post we’ll cover keypair generation and all the wonderful things which that can be used for.

So I’m at home (or on a box in the office) and I want to quickly send over some files to my server. We’ll call myself “user” and we’ll call my computer “hostname” ‘cause yes I am THAT creative. We’ll call my server user “server_user” and we’ll call my server “server_hostname”. We’ll copy “file.txt” over- the most popular file on the internet, that file is EVERYWHERE!

Ah, yes the inspiration continues. 

So the general format to achieve this would be

 scp /home/user/file.txt server_user@server_hostname:/home/server_user/file.txt

You’ll be prompted for server_users’s password and then you’ll get a nice little line which will show you the name, when it’s 100%, the transmitted size and the time it took. Neat huh?

Some things to remember here: scp is going to assume that the SSH port on your server will be the default port 22. If you’re a clever little Admin and moved your SSH port off 22 you’ll need to use:

scp -P (port_number) /home/user/file.txt server_user@server_hostname:/home/server_user/file.txt

Note here the -P is a capital rather than the lower case -p you’d use if you were just connecting in on a non standard port.

So now let’s do the same thing but copy from a remote server back to a home machine:

scp server_user@server_hostname:/home/server_user/file.txt /home/user/file.txt

So we can copy back and forth files from one machine to another but let’s say we’re at home (let’s face it we all get more work done there)  and we want to copy files from one server to another but without it going through our machine. We’ll call the second server “hostname1” and the user “server_user1”. Told you I was good with names. The format would look like this:

scp server_user@hostname:/home/server_user/file.txt server_user1@hostname1:/home/server_user1/file.txt

The great thing about this is that the files will be SCP’d from server to server without passing through your machine. So we can copy a file but what if we want to move a whole directory or a group of directories like a  whole /home/server_user/ Here we’d basically migrate the whole home folder over. To achieve this we use -r just like using recursion in the cp command. So this would look like.

scp -r server_user@hostname:/home/server_user/ server_user1@hostname1:/home/server_user1/

Remember, as with cp, any time you use -r it’s going to copy over and rewrite all files it finds with the same names so be aware of that.

Some other Interesting Aspects of SCP

SCP encrypts the data before it sends it, so even though we are using SSH as a tunnel the actual data is encrypted. By default I believe it uses 128-AES (which is fine but coming to end of life and believe me it will fall in the next few years.) You can use -c to change to another cypher so if, for example you were a blowfish fan then you’d only need to add

scp -c blowfish ...

at the start and you are off. There are many other scp options and typing 

man scp

is certainly worth it.

A Word on Security

scp over SSH is set to use SSH protocol 1 by default. Now SSH1 has known exploits and you should be using SSH2. You can check you are on protocol 2 in /etc/shh/ssh_config and edit it with your text editor of choice (ahem emacs!). If you are on SSH2 SCP will fallback to it by default. If you are a crazy person and have both SSH1 and SSH2 running you can force SCP to use protocol to with -2

Beacons Beacons Everywhere: Using MDK3 for SSID Flood

Introduction to MDK3

MDK3 is a wireless tool which comes packaged in Backtrack and Kali distros. It doesn’t seem to be available via package managers in other distros but the tarball can be downloaded here. For the purposes of this tutorial we will be assuming you are working with the Kali distro. Some of these commands would require sudo under other distros as in Kali you run as root, we’ll include the sudo command where it would be necessary.

The program is very versatile and contains a great many options which take advantage of various weaknesses in the 802.11 protocol. It should be considered a proof of concept exploit tool and should not be run without the permission of the network owner. However, when working with a home lab setup it is very useful in developing an understanding of how wifi works and how vulnerable wifi networks can be. With the increasing adoption of wifi within business, attacks which gain entry over wifi are becoming more common and wifi penetration testing is now a skill in demand. Over a series of blog posts we’ll look at wifi and tools used to test it, but for now back to MDK3.

As I’ve said MDK3 has a variety of options, amongst its uses include options to perform a DoS attack by sending multiple authentication packets; sending deauthentication packets which kick computers off a network and an option to try a variety of known MAC addresses to authenticate to a network while dynamically changing the timeout period.

MDK3 does not have a man page and info won’t help either. It’s basic options can be listed simply by typing:

mdk3

Fuller help is found via:

mdk3 --fullhelp

The general format of MDK3 commands run:

mdk3 <interface to use> <mode to use> <options specific to mode>

Wifi Basics and Commands to Interact with the Network Card

Let’s run through a fun example. You can use MDK3 to send out packets, known in wifi terminology as “frames”, which imitate a wifi router’s SSID. Standing for Service Set Identifier, the SSID is the public name of a wifi network, the name you see when your computer connects to a network. The routers in wifi terminology are known as APs- Access Points. MDK3’s beacon mode sends out a frame with the name of your choice, not only that but it can cycle through a list of SSIDs stored in a text file.

The first thing you will need to do is create a text file. Name it whatever you like, ending in .txt, and list the names of the fake APs you want to see on each line. A SSID cannot be longer than 32 characters and can be alphanumeric. Once you have the file you’ll need to check what the name of your wireless interface is. This is most likely to be wlan0 however this is a good time to get to know the ifconfig command. Issuing ifconfig from the terminal brings up a list of what is known as your network interfaces. If you have a ethernet port you will most likely see eth0 for example, your wifi interface will most likely be named wlan0 or similar. If you are currently connected to the internet via wifi you will see a lot of useful information via ifconfig like the ip address your computer has been assigned. You can also turn off and turn on your wifi card with the commands:

sudo ifconfig wlan0 down or sudo ifconfig wlan0 up.

Ifconfig is not the only way to manage your network interfaces, it is worth learning the iwconfig and nmcli commands as well.

Next we are going to put our wifi card into monitor mode. There are six different modes that a wifi card can be put into and they deserve a blog post all of their own. Most people are only familiar, or indeed interested, in managed (also known as infrastructure) mode. This is the mode which connects a single computer to a wifi network. The mode that we need here is monitor (also known as promiscuous) mode. Monitor mode allows you to monitor the traffic on the network that you are connected to, known as packet sniffing. It is also the mode that MDK3 requires you to be in so as to send out fake AP SSIDs

Here you have two choices… you can simply disconnect from your current network, set your card into monitor mode and use MDK3 or you can use the Airmon script from the Aircrack tools to change to monitor mode and rename the interface to avoid confusion.

Method One- Engage Monitor Mode Manually

To disconnect from you current network let’s use nmcli:

nmcli dev disconnect iface wlan0

If you use ifconfig now you’ll see that your wlan0 is still up it is just not connected to the network. Next take your wifi card down using:

sudo ifconfig wlan0 down

Next lets change the mode of the wifi card with iwconfig:

sudo iwconfig wlan0 mode monitor

Now let’s bring the interface back up:

sudo ifconfig wlan0 up

And we’re done! You can check with the iwconfig command and you should see the mode listed as monitor

Method Two- Using Airmon to Engage Monitor Mode

Airmon is part of the Aircrack suite of tools, another incredibly powerful set of tools to work with wifi networks. More of this in another post. For now it’s best to know that if you are serious about learning to manipulate wifi and are not using Backtrack or Kali you’ll want to visit the Aircrack site and sudo apt-get install aircrack-ng.

Using Airmon to engage monitor mode is really simple:

sudo ifconfig wlan0 down

sudo airmon-ng start wlan0

If everything has worked after a few lines of output you should be able to use iwconfig to see that your wlan0 has been turned into mon0, monitor mode is enabled and the interface is up. Airmon has some other useful options like being able to specify which wifi channel you are using and to run a check to make sure that there are no other processes running which would interfere with engaging mon0. Being able to specify the wifi channel is very useful later on when attacking, spoofing or otherwise investigating a specific network

Running MDK3

After all of this actually running mdk3 is quite simple. Make sure you are in the directory with your text file then if you have used Method One issue:

mdk3 wlan0 b -f file.txt

If you used Method Two then it would be:

mdk3 mon0 b -f file.txt

Assuming that everything is working properly the output should look something like this:

Current MAC: xx:xx:xx:xx:xx:xx on Channel x with SSID: "text1"

Current MAC: xx:xx:xx:xx:xx:xx on Channel x with SSID: "text2"

Current MAC: xx:xx:xx:xx:xx:xx on Channel x with SSID: "text3"

Current MAC: xx:xx:xx:xx:xx:xx on Channel x with SSID: "text4"

If you leave it for a few seconds and then check another device for available networks you will see them listed. If for some reason they don’t appear on a specific device then disconnect it from whatever network it is connected to and search again. So that’s it. I hope you’ve learnt a little more about the wonders of wifi and are encouraged to look into the tools more deeply. In future posts we’ll cover other aspects of wifi and tools that can be used to manipulate it

Some Thoughts on the Space Apps Challenge

On April 20th Glasgow will be hosting a site for the NASA Spaceapps Challenge, this is the first time this event has been hosted in Scotland and it is a “hackathon” with a difference. For those of you unfamiliar with the term, a “hackathon” is a technology development event where volunteers turn up and take on challenges posed by companies and organisations, frequently working for a 48hr period straight.

The word “hack” has, in recent years, been misconstrued by the press and hackathons are one way people are taking the word back. The word hack has many meanings but in its simplest it means “to do something with technology that the technology wasn’t originally designed for”. The term was picked up and used by people like Steve Wozniac, who built the first Apple computers in his garage out of parts from different machines and by students at MIT who used the first large mainframe computers at night inventing and programming the very first computer games. Yes, your iPhone and your computer games are the work of “hackers”.

In a way the word has similar origins to the English word “boffins”. When a word was needed to describe the first serious and malicious computer break ins it was picked up by the press and quickly became synonymous with criminal activity for the general public. Over the past decade however, that image has changed and the value of the “hacking mindset” or “hacking ethos” has been put to use by governments, organisations and companies.

As an example, the National Health Service in the UK has run NHS Hack Scotland events, where participants are invited to work on software and hardware. The winner of the most recent event was an android app to help you track anxiety.

This brings us on to why we say that Space Apps Challenge is a hackathon with a few twists. First off, there are over 50 challenges to pick from. They can all be viewed HERE . There is no way we could present all 50 challenges to people, there’d be no time to get the work done! So for the Glasgow event we have chosen 10 of the challenges for people to focus on. Next, not all of the challenges at this event involve software programming. One challenge is about creating plans to redesign the Kennedy Space Center for the year 2040. So while it has a space related theme, it is much more suitable for architects, planners or people working with the built environment. Another challenge will use a 3D printer to print a section of the dark side of the moon and then to make it into wearable jewellery. Yes, we will be having a 3D printer, a new technology which will become ubiquitous in years to come. The chance to investigate how one works while the technology is still developing and is rare in Scotland is one not to be missed.

NASA also presented a number of challenges to encourage girls to get into STEM (Science, Technology, Engineering and Mathematics) education, and we will be working on two of those in particular. One of them involves creating an app that allows girls to watch and share stories from female engineers and scientists, engage and share their own story, hopes and ambitions. Studies have shown that offering young girls more female role models in STEM careers helps break down resistance to those subjects. Encouraging girls toward STEM paths requires changes in perception, a shift in peer pressure and better mentorship support. We hope to contribute in some small way to an improvement in all of these areas this weekend.

One of the most exciting elements of the Space Apps Glasgow site is that we will be having participation from school children. We realised early on in organising the event that one of the challenges, Why we Explore Space, was perfect for groups of children. We therefore invited pupils from Machanhill and Craigbank primary schools in South Lanarkshire to take up the challenge. The pupils will be working on this challenge during this week, researching and studying Why we Explore Space, the benefits space exploration has brought to our everyday lives and how it may help all of humanity in the future. They will then be invited to present their findings at the main challenge on Sunday afternoon alongside all the groups who have been working over the weekend. We fully expect that the pupils will eclipse the adults.

A major challenge in organising the event was that of sponsorship and funding. In this respect we have been very fortunate as the Scottish Qualifications Authority have come on board as our major sponsor. We are pleased that they have recognised the unique nature of this event, its spirit of international cooperation and education are clearly values that SQA and NASA both hold dear. In addition, the whole concept behind Space Apps and even some of the challenges are in line with the kind of activities seen in Scottish classrooms with the implementation of Curriculum for Excellence. This new education system for Scotland seeks to improve education for all and develop skills needed in the modern world. In a future blog post we will be delving deeper into this and how it relates to Space Apps.

For now Space Apps is (unofficially) the biggest event of its type in the world, with just over 6000 registered attendees at the time of writing. This next week and weekend will be a frenzy of activity for all involved in Space Apps, expect this blog to fill up with posts from all involved. Though we have not even started the event we are proud to have gotten this far and we are pleased that we have managed to bring this to Scotland, allowing people from across the country to take part in technology development for social good and citizen science at the very highest international levels.

The Tallinn Manual: an attempt to set out “rules” for cyberwarfare

When wars start having rules you know it is serious. No doubt most of you are familiar with the Geneva convention, which has set out the rules of “traditional” warfare. NATO has just released the Tallin Manual which, in short, sets out rules for cyberwarfare.

This manual is not an official treaty, no country will sign it, no country (it seems) will even be held to it. However, from its very existence we can infer a few things. Firstly, that all the talk about the landscape of battle changing is not so much hot air or hype. It is being taken seriously at a very high level. Secondly, given the participants in NATO, we can assume that certain countries are gearing up the offensive activity in this area if not down right planning to attack.

Cyber attacks are nothing new, however they have yet to have serious consequences which affect the circumstances of wide groups of citizens.   As such the prevailing attitude I find from “normal” people is one of indifference. However, for those who know, it has only been a matter of time before these attacks become “kinetic”: attacks with physical implications.

From one point of view the Tallinn Manual can be viewed as an attempt to stave off the worst of this scenario before it happens. So what does it contain?

Below is an abbreviated version of the report from the Telegraph on the subject. The full article is available here.

The handbook, the result of three years collaboration between international experts for Nato’s Co-operative Cyber Defence Centre of Excellence, defines a cyber attack as one that is “reasonably expected to cause injury or death to persons or damage or destruction to objects.”

An online attack on an electricity grid resulting in fire is one example of the way that cyberwar could bring about real physical harm.

The advisory handbook, written by 20 legal experts including a retired UK air commodore and several British lawyers, says Governments must avoid attacks on civilians, hospitals, nuclear power stations, dams and dykes.

Attacks on the latter three are particularly sensitive as they threaten to cause widespread loss of life, and should be avoided “even when they are military objectives”.

""Full-scale wars could be triggered through online attacks, as the report comments “cyber operations alone might have the potential to cross the threshold of international armed conflict”

“Hacktivists” who take part in online attacks can become legitimate targets in cyberwar, the new guidelines say, even though they are technically civilians.”

There are several interesting points from this. It is certainly commendable that the document has been created in the first place. Few people could disagree that structures like hospitals, power stations and, I hope included, airports should be outside the scope of an attack. Questions remain about what therefore is in scope? Attacks on governments and their departments could be equally damaging for people “on the street” as the day to day working of a country grinds to a halt. Attacks on banks likewise could cause disastrous effects on people and the economy of a country. The same goes for certain sectors of business. Are these areas considered civilian? If so, the question remains, “What exactly is in scope”?

Also worrying is the point that hacktivists are legitimate targets. Now, I do not intend to get into an argument about the ethics of hacktivism. However, when combined with the idea that physical attacks may be sparked from cyber attacks does this give a government licence to make hacktivists physical targets?

Many questions need answered. This almost seems akin to the perils of blacklisting over whitelisting. While it is certainly a good thing to see that these rules are being set down. It is important to also make the obvious point that this NATO document will not be upheld internationally. 

Full details of the document can be found here: http://www.ccdcoe.org/249.html

The document is open and can be read here:

http://issuu.com/nato_ccd_coe/docs/tallinnmanual