Path to the dark side

On Saturday, May 21st, the first career panel in #Misec history was held. Put on by the brave @chaoticflaws, @vajkat, and @ZenM0de, it was highly successful. The panel included @jwgoerlich, @jeremynielson, @jim_beechy, @D0Xt0rZ3r0, and an infosec recruiter from @TEKsystems (sorry, I didn’t find his handle). It was five glorious hours of Q/A related to getting a head start in infosec and what really matters in the field. Here’s a recap of what was discussed on the panel.

Disclaimer:
Please realize that whatever I was able to scribble down does not include everything that was said. To help me try to get “the important points” I “borrowed” a few tweets from our panelists and avid listeners from the crowd (cough, cough, @TeaPartyTechie). A lot of my quoted references are paraphrased and are my adaptations of their wise words. I grabbed the tweets after the event so they’re out of order, but I tried to make it as chronological as possible. Feel free to take it with a grain of salt. Also if you’re one of the panelists and don’t like something you read, please let me know and I’ll work with you to fix it!


Rule #1:
The golden rule was mentioned in the first question of the panel, and it was don’t be a dick. Whether you’re talking about security exercises inside your company, hacking someone, talking to other infosec people, mentoring people… “Don’t be a d1ck” can be applied to thousands of situations. In #Misec especially, we are all here to help each other, so play nice. It can get dirty, but it’s all in good fun.

Trololol

While we aren’t dicks, we do love our trolls. The first open question to start the panel was about trolling employees. How do you handle security exercises like leaving bad USB drives, phishing, and more at your job? There are a lot of ways to run these exercises. The point is to improve the culture to increase security, not to get someone in trouble. If you’re going to troll your coworkers, do it because you want them to be safe, not because you want them to get fired.

If you’re doing anything for a company, track the results. The numbers at the end of the exercise are what’s going to prove to the higher-ups that the trolls, while “mean”, were worth it.

When you’re looking for an infosec job, a degree isn’t the most important thing. Some companies will demand the traditional Computer Science degree, others are willing to see what you bring to an interview. The important part is that you can explain your position and why you should get the job using a thoughtful story. Tell an interviewer why you belong.

If you’re looking at people in the industry, and they give you advice on what to do, follow it. If you take action on what they suggest, you’ll be 1 out of 10 people who talked to that person that did something with that information -wolf.

You want to continue to grow even after you finish school or get a job. I’ve said the following in at least three other blog posts, but you really need to find a community. Once I found Misec, my infosec network literally exploded. Networking was repeatedly brought up throughout the panel. I starred it in my notes three times. It’s important to reach out to as many people as you can so you can surround yourself with successful people that have been in the same boat.

Try to find a mentor. Someone who isn’t at your current company, but someone who has done what you want to do. They’ll be able to guide you in the right direction and make sure you do what you need to in order to get where you want to go. A mentor is someone you can bounce ideas off of and who will navigate you down the best path possible. Have goals and share them with your mentor.


There was a lot of discussion around how to become an expert. Really there’s only one way to become an expert and that’s practice, practice, practice. You’ll never be perfect and there’s probably someone more knowledgeable, but you can always improve.

Being a leader

There will come a time, after you’ve found your niche in the infosec world, when you are more knowledgeable than most. No one is going to walk up and say “Congratulations, here’s your expertise certification”. If you feel you’re an expert, then say so. Just be prepared for what that entails: interviewers will ask you the tougher questions, people will come to you for help, and there will be higher expectations. Only you can decide when you’re ready for that kind of title.

In regards to “technical know-how VS social, economic, political know-how”, it was pretty well decided that it’s important to be technical but still be aware of your surroundings. Keep up to date on the practices related to your field. Know the products involved and the processes in place and what might be coming in the future.


The first 90 days on the job can be the most important. A few tips were given by the panel. Wolf said to focus on competence, perception, relationships, and getting results. That’s where the Red Baron reference was applied. Jeremy mentioned doing anything and everything that was asked or offered. Even if you’re just an admin, help out to unpack the new machines. Jim said that for the first few years, get experience; you don’t have to narrow it down as soon as you get a job. Just get some knowledge first. The idea here is to be productive, work hard to get where you want to be.

A good thing that was pointed out here during a follow up question is that everyone fails. From the interns to the rock stars. Good guys will own up to their mistakes and try to fix them. Others will try to hide them.

Contribute back. A lot of people new to the community will think “I’m not experienced enough” or “I’m just a student” or something similar to that. I can tell you first hand just how valuable it is to contribute as a noob. I write these blog posts as I learn, so I can look back and see how far I’ve come and so that you can learn as well. I give talks about the research I’ve done for classes or as an intern and I plan on giving a talk about what I do as a full time employee. Well, mostly what I do (just come to the talk and find out). Get involved and give a talk, even if it’s a recap of one of your classes. You don’t have to be “all knowing” to give back. Hey, at the very least, you should start a security blog of your own 😉

Just another reason to contribute. You’ll become more of an expert by being involved. Give back to the community, volunteer at cons, network, give talks, go to panels. I can’t stress it enough how many times this was mentioned and how invaluable it really is.

Another option to give back is to mentor. Even if you’re not the #1 person in the field, you can still try to mentor someone. Help others so others want to help you. If you’re contributing, others will find you. Trust me.


People asked what the most overrated and underrated skills in infosec were. Being the top dog, knowing a vulnerability at the first sight of an indicator, and partying hard are all things that are overrated. 80% of the value comes from the last 20% of the work. That doesn’t mean that the first 80% of the work isn’t important. Put your time in, do the research, do it right. “Partying is pretty well tied into the infosec community. It’s big at cons, but it’s not a requirement. Be safe and have fun” -Jim.

The underrated skills that were mentioned were writing reports and monitoring performance. Red team writes 2:1 compared to hacking. It’s important to be able to clearly describe the issue and suggest a technical fix to non-technical people. Monitoring performance is also really important. Going back to the trolls, if you run a phishing exercise, it’s good to show by how much the click through rate has decreased on malicious emails.

Another question was how to get kids involved in infosec. The resounding answer was “don’t”. Thanks wolf. What is really important is allowing your kids to be curious and explore what they are interested in. If the kids are really into infosec, show them the ethical side of hacking. Always try to inspire them to be the best they can be. Also, a good way to allow kids to grow into hackers is Hak4kidz.

Finally I want to finish with a list of other points that I know are important but I can’t remember where in the Q/A they belong. Probably because they were important and were repeated 3-4 times. Hope you like them:

  • Be comfortable being uncomfortable (we’re all uncomfortable)
  • Build relationships <3 NETWORK!
  • Join Misec! (or your local infosec group)

Thanks to TEKsystems for hosting us for the event. Thanks to all the panelists that joined us, and thanks to @chaoticflaws, @vajkat, and @ZenM0de for planning all of this. It was really a great event and I learned a lot. Oh! and I won a RTFM in a raffle, it’s a great resource.

OverTheWire: Leviathan

Hello everyone, thanks for looking at my last post about OverTheWire: Bandit. Since my traffic is about x10 my average consistently for the last four days, I wanted to write a follow up post about the next wargame offered by OverTheWire, Leviathan.

All over the exercises, they say to not post walkthroughs or writeups, so I won’t. I will do my best to promote the project without giving away the important stuff. If you’ve done the Bandit challenge already with or without a group, I suggest trying Leviathan on your own. Leviathan only has 7 levels, which by myself, took me just under 2 hours.

Leviathan Lv7 end message
Just to prove I made it through the lessons!

Shh, don’t tell, here are some tips

Now the site does say it’s 1/10 for difficulty so it should not be hard, right? Well… it is if you have no idea what you’re doing, so you should definitely start with Bandit if you’ve never used bash before.

Remember what you learned from Bandit. Cat files, ls directories, and don’t forget that passwords are stored in /etc/leviathan_pass/. There are two commands that you should read the manual for: ltrace and ln. You might need to find a website to convert combinations of only 2 numbers (well, 10 😉 ) to readable letters.

That is all the help I am willing to give you guys, otherwise you would not learn anything. There are only seven levels and you should be able to figure most of it out. Trust me, there are walkthroughs you can google (BUT SHOULD NOT)… I will admit that I did that for the second level, but that does not make it ok. It is a cheap way to get to the next level and you do not learn as much. Definitely try to do as much as possible without looking up the password or how to get it.

OverTheWire: Bandit

Hey everyone, this post about Bandit is NOT a walkthrough of the greatest (only) “learn bash hacking” programs I’ve completed. This is NOT going to give you an advantage if you’re looking for cheat codes. This post will hopefully make you click on OverTheWire and want to try it out for yourself.

Why you should try Bandit

Do you work with Linux, bash shells, scripts, or ever have to deal with the command line? If you are a developer, network admin, forensic analyst, incident responder, pentester… or in any other IT job, the answer is most likely yes (unless you have some serious automation or “a guy” for that). Whether you’re entering a new field or you need a refresher course, Bandit is the first of many wargames offered by the good looking hackers of OverTheWire. Start at Level 0 and work your way through them all.

Last night, I met up with a group of fellow hackers from #Misec and we tackled it. We went from 4pm to 12am, only stopping for a taco/wings run. We had a wide range of skill levels, from 15 years of experience to a recent college grad, but we were able to go through the tasks at a pretty even pace. Doing this training in an open group where everyone discusses their tactics was really cool because there are multiple ways to do the same lesson; there’s never one right answer. I highly suggest you do the same. Get a group of 4-10 people, grab a six-pack and hunker down somewhere.

Helpful Hints

By the end of the night, I had expanded on the bash commands I already knew like ls, cat, chmod, mkdir, touch, openssl, and vi/nano/vim. I looked at the man page (help documentation) for the first time for other commands I had heard of but didn’t use: grep, file, diff, gzip, tar, and so much more. Seriously guys and gals, you will not complete this course unless you type <cmd> --help or man <cmd>.

There was only one really tricky lesson in Bandit for those unfamiliar with development or Python. So to assist but not give the answer away, I’d like to point a few things out about Python. Please note this is one specific way to beat this level; @jadedtreebeard found a faster way to beat this level without even touching Python.

  • Run Python scripts by writing: python filename.py
  • Variables have types, so numbers (30002) are integers and words are strings (“words”)
    • Change integers to strings: str(myVariable)
    • Change strings to integers: int(myString)
  • Importing packages is the first thing to do in a .py file
    • I suggest you look at socket *COUGH COUGH*
  • range(x, y) will give you the integers starting at x and stopping just before y
  • For loops will loop through every object in a list
    • Syntax: for something in list:
    • Indent under that line and it’ll be included in the loop
  • If statements are powerful
    • What would happen if you only did something when a variable contained a certain substring?
      • if “Correct” in someString: then I could print someString only when it has the right values instead of every incorrect one as well… 😉
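Here is the pattern those hints describe, as an added example that is mine and not from the original post or from OverTheWire: connect once, loop over a numeric range, send each candidate, and only report the reply that contains the marker string. It talks to a constructed stand-in service that lives in the same script so it runs offline; the secret code, the port, the prompt and the reply text are assumptions made up for the demo, and the real level’s protocol is yours to discover.

```python
import socket
import socketserver
import threading

# Constructed stand-in for a "guess the code" network service, so this script
# runs offline. It is NOT OverTheWire's daemon and the secret, port and reply
# strings are made up for this demo.
SECRET_CODE = 1337


class _StandInHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # One guess per line; answer each one and keep the connection open.
        for raw in self.rfile:
            guess = raw.decode(errors="replace").strip()
            if guess == str(SECRET_CODE):
                self.wfile.write(b"Correct!\n")
            else:
                self.wfile.write(b"Wrong! Please try again.\n")


def start_stand_in_service():
    """Start the fake service on a free loopback port; return (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _StandInHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def find_code(host, port, low, high, marker="Correct"):
    """Send every integer in range(low, high) as a line over ONE connection and
    return the first candidate whose reply contains `marker`, else None.

    Reusing a single connection is what makes a brute force over thousands of
    candidates practical; opening a new socket per guess is the usual beginner
    slowdown. Only the interesting reply is reported, which is the
    'if "Correct" in reply' trick from the hints above.
    """
    with socket.create_connection((host, port)) as sock:
        with sock.makefile("rwb") as stream:
            for candidate in range(low, high):      # range stops before `high`
                stream.write(f"{candidate}\n".encode())
                stream.flush()
                reply = stream.readline().decode(errors="replace")
                if not reply:                       # server hung up on us
                    break
                if marker in reply:
                    return candidate
    return None


if __name__ == "__main__":
    server, port = start_stand_in_service()
    print("stand-in service listening on port", port)
    print("found:", find_code("127.0.0.1", port, 0, 10000))
    server.shutdown()
```

Swap the stand-in for the real host and port and adjust the line you send to whatever the level’s prompt asks for; everything else, including the single-connection loop and the substring filter, stays the same.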

There are 27 lessons in Bandit, it took our group 8 hours to casually and thoroughly go through every lesson. A few are very tricky. I suggest you a) read cmd manuals b) read the associated links from OverTheWire for each lesson c) brainstorm and bounce ideas around your group. The only thing you should not do is google the answer, this is a public activity and other people have already done this. I suggest you stay away from googling “how to complete Bandit”…. It’s not cool, you can learn so much more by following a-c.

Lastly, I want to give a shout out to @Ashioni of @CBI_IT, @JadedTreeBeard, @bigryanb, @EquinchOcha and the other hackers in my group whose Twitter handles I do not know… It’s because of them I had such a fun time instead of pulling my hair out when I got stuck on lesson 28. If you are in the Michigan area, you seriously need to look up #Misec, it’s a great group of people. Reach out to @Ashioni, he is trying to set up a workshop at @CBI_IT to go over these exercises.

After you’ve conquered Bandit, move on to the next level: Leviathan. I suggest trying Bandit in a group with other people, but Leviathan should be pretty tame and is a good way to test your individual skills.

Testing HPKP Headers

Over the last two weeks, I’ve been posting a lot about HTTP Public Key Pinning. This will be my last post about it; I want to focus on testing HPKP. If you don’t know what HPKP is, read the first post. To learn how to add the headers, read the second post.

I’ve had to spend a lot of time trying to figure out how to properly test these headers. In theory, this is how it should work. The first time your browser loads a website over a valid HTTPS connection that sends a Public-Key-Pins header, it stores the pins until max-age expires. On every later connection it checks that the server’s validated certificate chain contains a key matching one of the stored pins; if none matches, the browser blocks the connection and warns the user. Note that it is the certificate chain that gets checked, not a pin header on each request: a response with no header at all is fine as long as the server is still using a key that was pinned.

Failed attempts at testing HPKP

In order to test this, you should just have to change the pin. Easy, right? Well, so far the execution of that has been tricky. When I tried to change the pin to a random value that doesn’t match the cert, the browser seems to ignore the pin (according to my own results) and doesn’t send an error. That turns out to be by design: a browser only stores a Public-Key-Pins header when at least one pin matches the certificate chain it just validated (and at least one does not, the backup), so a header full of made-up pins is dropped silently rather than flagged.

The next idea I attempted was to use OWASP ZAP to man-in-the-middle (MITM) the request, which would change the certificate so the pin could be checked against a chain it doesn’t match. This also didn’t work, because HPKP is skipped when the certificate chains to a root the user added to the trust store (ZAP’s) instead of one the browser ships with. “Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor).” –Mozilla.

Better ways for testing HPKP

What did seem to work was setting Chrome’s expected value to a false pin, and then getting an error when going to the site with a real pin. Here are the steps:

  • Go to chrome://net-internals/#hsts in Chrome
  • Add your domain and use the example sha256/7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y= as the Public key fingerprints
  • Go to your domain
  • You should see an error message like the one below.
Chrome error message from testing HPKP
Error message from testing HPKP

This works for testing it from one application. What about other browsers like Firefox?

Another idea for testing HPKP is to keep the pin but change the certificate to one for a different key that doesn’t match the pin. The certificate has to chain to a CA the browser ships with, which means getting a second publicly trusted certificate (Let’s Encrypt will issue one for free, so it need not cost anything). You can either swap the certificate on your own server, or try the MITM again with the CA-issued certificate instead of the self-signed one.

Let me know how you test HPKP, it’s tricky business and isn’t easy to do. There are online tools like report-uri’s HPKP analyser that can compare the certificate and the pin, but they will not test the browser’s use of the pin. A lot of people think that’s good enough, but it’s not. If browsers do not block connections whose certificate chain matches none of the stored pins, then there is no point in using HPKP.

Adding a HPKP Header

Before we try to add a HPKP header, let’s review from last week. I made a post about what HTTP public key pinning is. It’s a fingerprint of a server’s public key that browsers remember, so they can warn the user if the site later presents a certificate for a different key, even if that certificate is trusted or comes from the same server. If that doesn’t make sense, check out the link to the previous post.

Public-Key-Pins

A Public-Key-Pins header looks like this:
Public-Key-Pins: pin-sha256=”…”; pin-sha256=”…”; max-age=###; includeSubDomains; report-uri=”…”

The required parts are pin-sha256 and max-age. The pin is where you add the actual pin and the age is the number of seconds the pin is kept by a browser. It’s good to note that the policy will not work with only one pin in the header: at least one backup pin is required, and browsers ignore a header without one. I’ll go over creating pins further below. For testing keep the age short, like 10 seconds (I did 500); otherwise the standard recommends around a two month period (5184000 seconds). Start short in production too and raise it only once you’ve verified the pins, because a wrong pin locks every returning visitor out of your site for whatever max-age is left. Both includeSubDomains and report-uri are optional. includeSubDomains is a bare flag, present or absent, not a true/false value; I include it just to be safe, but only do that if every subdomain is served with a pinned key, otherwise you break them. I don’t have reporting set up so I do not include that URI in my header.

Getting a pin

In order to get a pin, you first need a certificate. So make sure you have TLS enabled on your site. Basically, you need to make sure https://your-website works and you get the green lock. An easy way to get TLS set up is Let’s Encrypt, I wrote about that in my TLS blog post a few months ago, scroll to the Try it! section. Once you have a certificate, you have two choices. First, you can use a nice tool and grab the pin generated for you (don’t worry, you’ll be sending this hash to everyone anyways, it’s ok if someone else generates it for you… as long as it’s valid). All you have to do is type in your website’s domain / URL into the tool.

The other option is to use openssl on your server to encode and hash the value yourself. First you need to find the certificate (the x509 command below wants the certificate, not the private key). Since I use Let’s Encrypt, mine was in /etc/le and called private.pem. All you need to do from there is run the command below:

openssl x509 -pubkey < private.pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

Be sure to change private.pem to your filename, all else should stay the same. This won’t modify anything but will echo your new pin.

Getting a backup pin

Backup pins are a little trickier to create. The reason we need a backup pin is that the browser will only accept keys that match a pin, so it’s a good idea to give the browser more than a single option in case the private key behind the first pin is compromised or lost. This method generates a second private key and a CSR for it; since the pin is a hash of the public key, you can pin the backup before any certificate has been issued for it. Keep that backup key offline. The steps are very similar to generating the first pin, you just need to create the key and CSR first.

Step 1: Generate a new private key
 openssl genrsa -out name.your.backup.key 4096
– 4096 is the key size in bits; 2048 or 4096 are the only two values you should be using.

Step 2: Generate a CSR
openssl req -new -key name.your.backup.key -sha256 -out name.your.backup.csr
– There are fields you will be prompted to fill in, do so to the best of your ability.

Step 3: Generate the second pin
openssl req -in name.your.backup.csr -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
– openssl x509 only reads certificates; for a CSR, openssl req -pubkey extracts the public key, and the rest of the pipeline is identical.

So now you should have both pins*. For future reference, I would recommend writing a script to run these commands and then echo the pin values in the format of the header so it’s possible to copy and paste the header into a configuration file. Can you think of a better way? *This is also a good time to mention that the pin is a hash of the key, not the certificate, so you have to redo this every time the key changes. By default a Let’s Encrypt renewal generates a fresh key every three months unless the client is told to reuse the old one, so if you’re being super-cyber-secure and rotating keys, the more automated, the better!

Adding a HPKP header

Now, depending on your server, there are a lot of different ways to add a header to your responses. If you’re using Apache, add a line to the vhost file. If you’re using nginx, there’s a similar line you can add to the configuration. If you’re using a fancy load balancer that’s too expensive for a guy running a blog off a VM, then you can use a rule designed for that load balancer.

I’d be worried to tell you too much about my architecture but the response header already straight up tells you I run on an apache server… [note to self: remove that next time I’m digging in header configs and then update this blog post]. Since we are all caught up on my server’s inner workings. I’ll go through the steps to add this to your apache config.

Step1:
sudo a2enmod headers
– Enables mod_headers so the Header directive in the vhost file works

Step 2:
sudo nano/vim/vi [your favorite text editor] server.conf
– Edit your vhost file and add the line in step 3

Step 3:
Header always set Public-Key-Pins “pin-sha256=\”base64+primary==\”; pin-sha256=\”base64+backup==\”; max-age=5184000; includeSubDomains”
– Save the vhost file

Step 4:
sudo service apache2 restart

Check your HPKP header is there

Your header should be there; if everything works well, your browser won’t yell at you about your website. Nothing will change, yay you’re done! But wait, how do we know? Well, seeing that the pin is there is easy: check your response headers (the browser’s developer tools or curl -I) and you can see the pin. Or use another report-uri tool that tells you whether the hashes match your certificate and that you have your backup pin available.

HPKP header results
Results from tool after HPKP header has been added
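The pin-generation steps above end with “write a script that echoes the header”, and this section ends with “how do we know it’s right”. The following added Python example (mine, not the author’s, and not code from Mozilla or report-uri) covers both: it does the hashing step of the openssl pipelines, assembles the header, lints it for the mistakes that silently disable HPKP, and models the RFC 7469 rule that a browser only stores a Public-Key-Pins header when at least one pin matches the certificate chain and at least one does not, which is also why a header full of made-up pins produces no error when you try to “test” it. The key bytes in it are a constructed placeholder, not a real RSA key; in practice you feed the functions the text printed by openssl x509 -pubkey -noout -in cert.pem (live key) or openssl req -pubkey -noout -in backup.csr (backup key).

```python
import base64
import hashlib
import re


# Constructed placeholders for two PEM "PUBLIC KEY" blocks. They are NOT real
# keys; the pipeline below does not care, because a PEM body is just base64
# DER. Real input: `openssl x509 -pubkey -noout -in cert.pem` (live key) and
# `openssl req -pubkey -noout -in backup.csr` (backup key).
def _fake_pem(label_bytes):
    body = base64.b64encode(label_bytes * 3).decode()
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"


LIVE_KEY_PEM = _fake_pem(b"constructed live SubjectPublicKeyInfo bytes ")
BACKUP_KEY_PEM = _fake_pem(b"constructed backup SubjectPublicKeyInfo bytes ")


def spki_pin(pem_public_key):
    """pin-sha256 value for a PEM 'PUBLIC KEY' block.

    The PEM body *is* the DER SubjectPublicKeyInfo, and HPKP hashes exactly
    that (RFC 7469 s.2.4), so this equals
    `... | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`.
    """
    body = "".join(line.strip() for line in pem_public_key.splitlines()
                   if line.strip() and not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    return base64.b64encode(hashlib.sha256(der).digest()).decode()


def build_header(pins, max_age, include_subdomains=False, report_uri=None):
    """Assemble the Public-Key-Pins value; refuses to emit one with no backup."""
    if len(set(pins)) < 2:
        raise ValueError("need the live pin plus at least one different backup pin")
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % int(max_age)]
    if include_subdomains:
        parts.append("includeSubDomains")     # bare flag, no '=true'
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)


def lint_header(value):
    """Return a list of problems with a Public-Key-Pins value ([] = looks sane)."""
    problems = []
    pins = re.findall(r'pin-sha256="([^"]*)"', value)
    if len(set(pins)) < 2:
        problems.append("fewer than two distinct pin-sha256 values; browsers ignore a header without a backup pin")
    for p in pins:
        try:
            raw = base64.b64decode(p, validate=True)
        except (ValueError, TypeError):
            problems.append("pin is not valid base64: %r" % p)
            continue
        if len(raw) != 32:
            problems.append("pin does not decode to 32 bytes, so it is not a SHA-256: %r" % p)
    m = re.search(r'(?:^|;)\s*max-age=(\d+)\s*(?:;|$)', value)
    if not m:
        problems.append("max-age missing or not a plain integer")
    elif int(m.group(1)) > 60 * 24 * 3600:
        problems.append("max-age longer than 60 days; a wrong pin would lock visitors out that long")
    if re.search(r'include\s+subdomains|includeSubDomains\s*=', value, re.I):
        problems.append("includeSubDomains is a bare flag: no space, no '=true'")
    if "pin-256=" in value:
        problems.append("the directive is pin-sha256, not pin-256")
    return problems


def browser_would_note(header_value, chain_pins):
    """RFC 7469 s.2.5: a browser stores ('notes') the pins only if at least one
    pin matches a key in the validated chain AND at least one does not (the
    backup). Otherwise the header is silently ignored, with no error shown."""
    pins = set(re.findall(r'pin-sha256="([^"]*)"', header_value))
    chain = set(chain_pins)
    return bool(pins & chain) and bool(pins - chain)


def chain_matches_pins(stored_pins, chain_pins):
    """On a later connection: the check a browser makes against its stored pins.
    False here is what produces the pinning error page."""
    return bool(set(stored_pins) & set(chain_pins))


if __name__ == "__main__":
    live, backup = spki_pin(LIVE_KEY_PEM), spki_pin(BACKUP_KEY_PEM)
    header = build_header([live, backup], 5184000, include_subdomains=True)
    print('Header always set Public-Key-Pins "%s"' % header.replace('"', '\\"'))
    print("lint:", lint_header(header) or "ok")
    print("browser would note header:", browser_would_note(header, [live]))
```

Two things the linter catches are exactly the ones a copy-paste of a malformed example introduces: a single pin (the header is ignored, so the site looks pinned but isn’t) and “include subdomains” with a space or “=true”, which browsers don’t parse as the flag.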

Final Comments

In a future blog post, I’ll be discussing a way to actually test the pins and see if the browser will respond well. Right now, I’ve only read about a method that requires a second certificate for a different key. To avoid that, I’m looking into any other possibilities such as using a MITM technique. The issue with that is that browsers already reject a MITM certificate that doesn’t chain to a trusted CA even without the pins, and they skip pin validation entirely for certificates that chain to a root the user added, so a MITM test doesn’t tell you whether the block came from normal certificate validation or from the new HPKP header.

If you have any issues with the steps, please comment below. Let me know if you want to see more about securing HTTPS protocols!

Special shout out again to https://scotthelme.co.uk/hpkp-http-public-key-pinning/. Thanks to Scott’s blog posts I found the report-uri tools and was able to double check the commands I found on Mozilla for getting a pin for the HPKP header.

Rebuilding the 3D printer

A long long time ago, I wrote a blog post about trying to assemble a new Folger Tech 3D printer. Long story short, I was given a bad Arduino board that started to smoke as soon as it was plugged in. I spent weeks trying to get help from Folger to check my wiring, because to the best of my knowledge I had followed their instructions and I didn’t know what was wrong. Well, after getting a response from them saying “Looks fine to me” and Reddit users not being able to help, I looked for a cheap replacement for the board and found the electronics from an online store that shipped from China. I got a new board, shield, and 5 motor controllers for under $20.

Reassembling the 3D printer

After a couple months of procrastination, I finally decided to rip apart the printer and install the new electronics. This wasn’t the first time I had to disassemble part of the printer, tear apart the electronics and reassemble them. The only good thing from that is practice makes perfect. This is the fourth time having to go through the process and that makes it easier. It’s also nice to have a second set of hands, I had a helper who was able to catch falling screws, hold wires, and check the instructions when my hands were full.

Before I started doing anything to the printer, I re-watched a video on Youtube of a guy that assembled the same printer and got it working. Even when I was following along with the video, I didn’t do anything different, so I’m pretty sure the only issue was the bad board.

Once I got everything reinstalled, plugging it in was the most nerve-wracking part of the entire process. I didn’t want to have it start smoking again because I really had wired something wrong. Luckily I had nothing to fear: plugging it in didn’t cause anything to smoke and that was a huge relief to me. I was able to calibrate the motor controllers and nothing started to burn even as it was on for around 15 minutes.

Firmware/Computer Software

The next stage was getting the firmware installed on the Arduino. Another rookie mistake I learned from: install the firmware before you connect everything together. The firmware (and configuration) was provided by Folger Tech and for some reason I couldn’t install it from my Mac once everything on the 3D printer was connected to the board. The computer knew there was a serial connection, but couldn’t do anything with it. After reinstalling drivers and googling fixes, I finally gave up and decided to try another computer. I installed the Arduino IDE and Repetier-Host onto my new Windows 10 “gaming” laptop that I just got for Christmas and hoped that would work. Luckily it did; I was able to upload the firmware without having to disassemble the printer for the fifth time.

I was able to connect to the printer using Repetier-Host. I set up the software’s configuration and tested the end stops on the printer. It seemed like the printer and computer were working well, so I tried to send the “go home” command to the printer, so the nozzle would move to the default position… Well, guess what happened.

What’s next?

This isn’t the end. I’m currently messing with more configurations for the 3D printer and the Repetier software; I’m not sure what I need to do next but I’ll figure it out eventually. Hopefully sometime soon you’ll see a post with my first actual print.

HPKP.. Public Key Pinning?

On a project I’m involved with, a scanner has picked up a low issue where the HTTPS is missing HTTP Public Key Pins (HPKPs). If you’re like me, you’re probably thinking what the heck is HPKP? Well, I did a little bit of research and got it working on my personal website, I’ll share my struggles below so you don’t have to follow my footsteps.

The Theory

Our browser ships with a list of certificate authorities (CAs) it trusts. If a website uses a certificate that chains up to one of those CAs as the root, the browser will trust the certificate and not flag any errors, and that is true for any of the hundred-plus trusted CAs, not just the one you bought from. If only we had a way to tell the browser which key a website is supposed to use, so that if it ever changed, the browser would notify the end user.

Public Key Pins are a “fingerprint” that matches a server’s TLS key. More specifically it’s a base64 encoded SHA-256 hash of the certificate’s Subject Public Key Info, i.e. the public key, not the whole certificate; that’s why a renewed certificate for the same key keeps the same pin. Browsers store the pins on the first visit to a website, and on later connections check that the certificate chain the server presents contains a key matching one of the stored pins. If it doesn’t, it means that either the site changed keys without updating the pins or (the case the header is there for) a man in the middle is routing the traffic with a certificate for a key the site never pinned, even if that certificate was issued by a trusted CA.

Pretty cool, right? Add one header and your clients’ browsers will start complaining any time the server presents a key they haven’t pinned. That’s a pretty nice security feature for a small amount of work. At first glance it looks redundant with the certificate check the browser already does, and while trying to test HPKP I kept running into that check: the latest versions of Chrome and Firefox refuse a certificate that doesn’t chain to a trusted CA whether or not there is a pin. But that check only asks “is this chain signed by some trusted root?”, so a certificate mis-issued for your domain by any other trusted CA (or minted by an interception proxy whose root got installed on the machine) passes it. The pin asks the narrower question, “is this the key this site said it would use?”, which is what catches a valid-but-wrong certificate.

Why bother with HPKP

Honestly, I’d say to add HPKP for a few reasons. The browser’s normal check only verifies that the chain ends at a trusted root; the pin additionally verifies that it’s your key, which is the difference between a valid certificate and the right one. It’s also better to be redundant and have two security controls than to have one and say “eh, it’ll work, well, it should”. At the very least, add the pin to reduce the issues found by scanners so you can be one step closer to having ZERO ISSUES! Which we all know is application security’s wet dream. If you don’t want to do it for the “compliance” aspect, you can always do it so Qualys’s SSL Labs will cheer for you. One caveat worth knowing before you deploy it for real: a stale or wrong pin locks your own users out for the whole max-age, and that risk is a big part of why Chrome (version 72, 2019) and Firefox (version 72, 2020) later dropped support for HPKP entirely. The mechanism is still worth understanding, but check what current browsers honour before relying on it.

Qualys SSL Labs: HPKP deployed banner
When SSL Labs uses an exclamation point, you know you did the right thing

HPKP Resources

When I was doing my research on pinning, I went to a few different sources. All were great and very helpful. If after this you still don’t understand HTTP public key pinning, feel free to leave a comment below with questions (I’ll add more, I promise!) and check out the references below.

Social engineering a hackathon

When a lot of people hear about hacking, they imagine a guy in a hoodie at a computer late at night. That’s not always the case; social engineering is a big part of the picture. This last weekend I went to BSides Indy, and the keynote was about communicating with management about security. The speaker gave a few examples about breaking into some of the most secure places… because of human error.

This got me thinking, is there anything I’ve done that is close to that, and a good example is my time volunteering at a hackathon a few weeks ago. Last year was the first SpartaHack, and I volunteered there as well, I spent the whole weekend carrying boxes, helping hackers, and doing anything asked of me by the organizers. Originally I was going to help organize the web services this year, but plans changed for certain reasons. I ended up offering to volunteer again last minute before the event started.

Since it was last minute, I jumped into helping where I could, and I still had access from the early planning days of the event. So I caught up on all the information about volunteering and helped out. When I first arrived at the event, I was told to go grab a t-shirt, so I went to the volunteer HQ and grabbed the first one I saw. Apparently I got an organizer shirt, so I was well on my way into social engineering territory, even if it was just a quick snatch and grab. If I wanted, I could’ve grabbed a radio too and started talking to hackers and just making things up trying to get to whatever I wanted.

While I was volunteering, I was “general help” or “help desk” most of the time. The first job meant that I walked around and helped wherever I could; the second was sitting behind a desk and helping hackers by answering questions or returning hardware that was lent out.

Near the end of the event, I was picked to help with judging and was given admin access to the submission portal for everyone’s projects so I could approve them. So just because I was sitting in the right place and raised my hand to try and help, I was given admin access to the event just to approve projects.

Now, since this was something I was doing at school, I didn’t really try to break anything; I didn’t want things to go bad or anything like that. But for example, what if I put on my “hacker’s hoodie” and wanted to play around? There was a lot I could have done. For example, I was helping with lending out hardware like Raspberry Pis and Arduinos… what would happen if one went missing? Who’s held responsible? I was approving projects; what if instead I started deleting them, so 1/3 of the projects didn’t get included for judging? I realized I didn’t have access to the production database, but I did have access to the dev one. I could still have used that access to test SQL injection against the dev environment and then used those exploits on the real site. Even more simply, I could have used one of the organizers’ laptops in the HQ to get access; laptops were left out and unlocked. I’m sure it wouldn’t have been hard to drop a couple of tables. Again, I didn’t do anything of this sort at the hackathon, I’m just saying that it would have been possible.

So how important is social engineering? Very. Humans are the easiest part of a system to compromise. Even in the most secure environments, if someone forgets the rules or makes an exception, something can go awry. Social engineering can be as simple as wearing the wrong t-shirt, or as complex as impersonating an auditor at a major company. If you want to get better at social engineering, practice telling stories; the more convincing and believable, the better. For more on social engineering, look here.

TLS Lightning Talk

Hi everyone, last night I gave a lightning talk at Misec Jackson. It was a quick 15-minute summary of my last blog post on TLS. I summed everything up into 12 slides and threw in some last-minute images to make it look better than just bullet points on bullet points.

Other lightning talks from the night

I wasn’t the only talk that night; there was a talk on IPv6 that was pretty insightful. IPv6 is older than Windows XP but it’s still not widely used. There have been a couple of hacks and misuses of its features already, but I’m sure there’s more to come. Another talk was on “the evil bit”: network packets actually have a bit that can be set if the packet has malicious intent, and any security device should drop those packets immediately. Some websites do this, others don’t. A fun idea would be hiding a service by ONLY accepting the inverse of that. The last talk of the night was about RFID tags and stealing card info; the speaker referenced a talk from DEF CON 21 (pdf of defcon slides).

My thoughts on my talk

Look! I’m finally behind the podium!!

My talk went pretty well. I didn’t have any words on my slides; I had a lot of pictures that I used to replace my talking points, and I wrote out everything I wanted to talk about. This was my second time giving a presentation on hacking. My first attempt, I was talking into a computer the entire night as I did a walk-through. I feel like I did a lot better by not putting my words on the screen and reading off the slides; I was able to make more eye contact with the crowd and the words flowed more easily. If I were to give this talk again, I’d do more research into the technical aspects of TLS MITM attacks, or how TLS is implemented. I had one question from the crowd about how someone would be able to decrypt a packet and I went into a MITM description… I feel like I might have misunderstood the question and I want to do more research on that before I present on the topic again. Let me know what you think about my slides; feel free to leave me a comment. The notes at the bottom of the Google Slides were my talking points, and most of those were summarizing my older blog post.

I’m glad to have a second set of slides under my belt. Now I have “Web hacking with the broken web app project” and “TLS: what is it and why it matters”. My next scheduled talk is on web app testing and will be at Misec Southfield in June. I look forward to giving back to the security community and I’m happy to gain presentation skills as I learn more about information security.

VTech Kid Connect Data Breach

On November 14, 2015, VTech discovered a hacker had broken into their databases, servers, and websites. The hacker used SQL injection to gain complete access to the databases holding all of the data used by VTech’s Kid Connect application.

A friend of mine wrote up an awesome case study about the breach; you can read it here: StephenManz_KidConnectHack.

My two cents on the VTech breach

(Not a TL;DR of the case study, just what I took away)

While in the database, the hacker discovered that passwords were hashed using MD5, which is pretty easy to crack now thanks to faster machines and better algorithms. MD5 hashes any input down to a 16-byte digest; brute force, rainbow tables, or even just guessing common passwords and comparing them to the hash are all great ways to break it.

This means the hacker gained access to customer data and related information, like who ordered the toys: for example credit card info, home addresses, and more.

This is another example of why it’s really important to consider abuse cases when testing your applications. Even if your database is “just for a kids app”, a breach can still be the end of the world for your clients. Proper input validation and query construction are very important for any application. Automated test cases should try things other than what is expected, like SQL injection or XSS. For example, a child’s name shouldn’t contain special characters.
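Here is what “proper input validation and query construction” looks like side by side, as an added example I wrote for this post (it is not VTech’s code or anything from Stephen’s case study). The table, the rows, and the names are constructed; the unsafe function exists only to show why the safe one is built the way it is.

```python
"""Input validation plus parameterized queries for a kid-profile lookup.

Added example, not VTech's code or the case study's. The schema and rows
are constructed sample data. lookup_unsafe() builds SQL by string
concatenation, the pattern behind the breach; lookup_safe() validates the
input as an abuse case and then binds it as a parameter so the database
never parses it as SQL.
"""
import re
import sqlite3

# Letters, spaces, hyphens and apostrophes only, 1-40 chars. Apostrophes are
# allowed because real names contain them; binding makes them harmless.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,39}")


def is_valid_child_name(name):
    """Abuse-case check: anything with =, ;, quotes, parentheses, etc. is rejected."""
    return bool(NAME_RE.fullmatch(name))


def make_db():
    """In-memory SQLite with three constructed profiles."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE kids (id INTEGER PRIMARY KEY, name TEXT, parent_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO kids (name, parent_email) VALUES (?, ?)",
        [
            ("Alice", "alice.parent@example.com"),
            ("Bob", "bob.parent@example.com"),
            ("Carol", "carol.parent@example.com"),
        ],
    )
    return conn


def lookup_unsafe(conn, name):
    """VULNERABLE: the caller's input becomes part of the SQL text."""
    sql = "SELECT name, parent_email FROM kids WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Validate first, then bind the value; the query text never changes."""
    if not is_valid_child_name(name):
        raise ValueError("invalid name")
    return conn.execute(
        "SELECT name, parent_email FROM kids WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR 'a'='a"   # textbook injection input, constructed
    print("unsafe:", lookup_unsafe(db, tautology))   # every row comes back
    try:
        lookup_safe(db, tautology)
    except ValueError as exc:
        print("safe:", exc)                           # rejected before any SQL runs
    print("safe, real name:", lookup_safe(db, "O'Brien"))  # [] and no error
```

Two layers on purpose: the regex is the abuse-case test the paragraph asks for, and the bound parameter is the control that still holds when the validator is wrong or someone adds a field without one. Note that the safe lookup happily takes `O'Brien`, which a naive “no special characters” filter would reject; the apostrophe is data, not SQL, once it is bound.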

Exploits of a mom, xkcd #327

Also, don’t use algorithms that are broken; at the very least, google the algorithms you plan on using and see what the infosec community thinks of them. MD5 and SHA-1 hashes are examples of algorithms that used to be good but have since become crackable. Do your research!
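To make the MD5 point from the two paragraphs above concrete, here is an added example (my own code for this post, not VTech’s or the case study’s) that shows the property the hacker exploited and the standard-library replacement. The usernames and passwords are constructed sample data.

```python
"""Why a bare MD5 is the wrong tool for stored passwords, and what to use instead.

Added example, not from the case study or the post. Standard library only:
a per-user random salt plus PBKDF2-HMAC-SHA256 (a deliberately slow KDF)
instead of one fast, unsalted MD5. Sample passwords below are constructed.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # raise this over time as hardware gets faster
SALT_BYTES = 16


def md5_password_hash(password):
    """The breached pattern: fast, unsalted, and identical for identical passwords.

    Two users with the same password get the same 32-hex-char digest, so one
    rainbow-table lookup or one dictionary guess cracks all of them at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute from the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format: " + algo)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking, via timing, how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: two parents who picked the same weak password.
    print("md5 alice:", md5_password_hash("password123"))
    print("md5 bob:  ", md5_password_hash("password123"))   # identical digest
    rec_alice = hash_password("password123")
    rec_bob = hash_password("password123")
    print("kdf alice:", rec_alice)
    print("kdf bob:  ", rec_bob)                            # different salt, different digest
    print("verify ok:", verify_password("password123", rec_alice))
    print("verify bad:", verify_password("password124", rec_alice))
```

The record format carries its own iteration count, so you can raise the cost later and re-hash users on their next login without a flag day. Hashing is also not encryption: nothing here can be decrypted back to the password, which is exactly why a slow, salted hash is the right shape for this job and a fast one like MD5 is not.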

Again, please check out Stephen’s case study in the link above; he did a great job summarizing the VTech breach. VTech also has a formal press release about this breach.