How to Make Sense of the Wikileaks Clinton Campaign Email Document Dump and Controversy

It is becoming increasingly difficult to distinguish fact from fiction in the coverage of Wikileaks' ongoing publication of internal emails from Hillary Clinton's presidential campaign, known as the Podesta emails. There are internet hoaxsters pushing fake emails that are not contained in the actual published files. There are junk reports from prominent newsy websites that are based on obvious misreadings of the files in question. There is Clinton campaign and Democratic party spin seeking to distract from the content of the published emails. There is Trump campaign and Republican party spin exaggerating the content and import of what has been revealed by the leaked documents. And so on. In this article, we'll provide a bit of context on the leak itself, cover some examples of how it is being exploited by hoaxsters, how it is helping to reveal the incompetence of newsy sources of information, and how it is playing out within the context of the presidential campaign itself. We'll conclude with some tips on how to sift through the bullshit.


The Leaks

This article focuses specifically on coverage of the Podesta emails. But it is important to point out the context in which these files have been published. The first thing to note is that there is not just one leak that has resulted in the publication of Democrats' internal documents. Back in June, a hacker or hacker group known as Guccifer 2.0 began releasing a large set of internal files from the Democratic National Committee.

It is speculated that Guccifer 2.0 is a front for Russian hackers, if not a state-sponsored Russian cyberwar group, mostly on the basis of circumstantial evidence. The Guccifer 2.0 documents can be found here. Emails obtained by Guccifer 2.0 were, it appears, also obtained and published by Wikileaks. The Wikileaks DNC email database can be found at the link.

(The name 'Guccifer 2.0' itself is an obvious allusion to a Romanian hacker who called himself Guccifer and released documents on prominent Republican and Democratic party officials in 2013. Guccifer was eventually tracked down and jailed in 2014.)

Then in early October, Wikileaks began publishing a large set of files from the email account of John Podesta, a long-time Democratic party insider, and current chairman of Hillary Clinton's presidential campaign. This set of documents is known as The Podesta Emails.

The Podesta Emails are not directly related to the larger Hillary Clinton email controversy, which resulted from her use of a private email server during her time as Secretary of State. Emails from that controversy were made public by congressional inquiries and Freedom of Information Act requests. Many, if not most, of those emails have also been published by Wikileaks in its Hillary Clinton Email Archive.

Disinformation

Shortly after Wikileaks began publishing the Podesta email document dump, reports quickly began circulating online purporting to have found "smoking gun" evidence of one sort or another in the files. One of the most prominent of these was a report alleging that Clinton had called Democratic voters a "bucket of losers," in a clear allusion to her comments calling Trump supporters a "basket of deplorables." This claim can be demonstrated to be clearly false with a simple search for the term against the Wikileaks documents themselves. As a testament to their gullibility and refusal to do even basic research, numerous websites still have articles online breathlessly reporting the false claims as if they were true, without correction.

Misinformation

Misinformation campaigns based on the Podesta emails have been just as successful as the disinformation campaigns waged by the hoaxsters. One widely circulated report claimed that the Podesta emails contained solid evidence of racist comments made by Hillary Clinton. "Racist Hillary DUMPS on African Americans, Calls Them Professional Never-Do-Wells," read one headline at a self-declared right wing news site. That sounds pretty serious! Moreover, the author of the article proclaims that the email confirmed everything she already believed! Yet, as with the hoaxsters, this claim is easily debunked with a minimum of effort. A search for the offending terms among the Wikileaks documents does indeed turn up an email using the offending terms. But anyone who is neither an idiot nor a knave should be able to quickly debunk the claim by reading the email's header, which reveals that it is not from inside the Clinton campaign. It was in fact sent from orca100@upcmail.nl, and addressed to a wide array of media outlets and political insiders. In other words, the purveyors of the "smoking gun" claim are either morons who are incapable of reading an email, or they are just click-bait artists trying to earn a few pennies off bombastic headlines.

Trump Gets Trolled 

Earlier this week, another story that was similarly based on an obviously faulty reading of an email from the Podesta files was published by the Russian state media outlet Sputnik News. The author(s) of the article misread an email in the Podesta files, and did not realize that it was just a forward, and not a personal email. This article was picked up by the Trump campaign, and the Republican candidate read from it at a campaign rally later that day. The embarrassing incident was reported widely in the media when the offending article was debunked later in the day.
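Both the "never-do-wells" email and the Sputnik story turn on the same check: read the headers, then look for a forward, before attributing the words to the account holder. The script below is an added example, not code from the original article, that performs that triage on three constructed sample messages. The "internal" domain `campaign.example`, every address, and the message texts are made up for illustration; the forward markers are the common Gmail and Apple Mail separators.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed placeholder: domains treated as "inside" the organisation
# whose mailbox was published. Replace with the real internal domains.
INTERNAL_DOMAINS = {"campaign.example"}

# Subject prefixes and body separators that indicate forwarded text.
FORWARD_SUBJECT = re.compile(r"^\s*fwd?\s*:", re.IGNORECASE)
FORWARD_MARKERS = re.compile(
    r"^(-{3,} ?Forwarded message ?-{3,}|Begin forwarded message:)",
    re.MULTILINE,
)


def sender_domain(msg):
    """Return the lower-cased domain of the From: header, or '' if absent."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_forward(msg):
    """True if the subject or body shows the text was forwarded, not authored."""
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return bool(FORWARD_SUBJECT.search(subject) or FORWARD_MARKERS.search(text))


def classify(raw):
    """Parse a raw RFC 5322 message and report who actually wrote its text."""
    msg = Parser(policy=policy.default).parsestr(raw)
    domain = sender_domain(msg)
    internal = domain in INTERNAL_DOMAINS
    forwarded = is_forward(msg)
    if not internal:
        verdict = "external sender: not evidence of what insiders wrote"
    elif forwarded:
        verdict = "insider forwarding outside text: attribute it to the original author"
    else:
        verdict = "internal sender, original text"
    return {"from_domain": domain, "internal": internal,
            "forwarded": forwarded, "verdict": verdict}


# Constructed sample messages (not real correspondence).
EXTERNAL_MAIL = """\
From: Someone Outside <tipster@outsider.example>
To: press@newsroom.example, staff@campaign.example
Subject: what the party really thinks of you
Content-Type: text/plain; charset="utf-8"

Here is the outrage of the day, please publish.
"""

FORWARDED_MAIL = """\
From: Staffer <staffer@campaign.example>
To: boss@campaign.example
Subject: Fwd: opinion piece making the rounds
Content-Type: text/plain; charset="utf-8"

FYI, not sure this is worth a response.

---------- Forwarded message ----------
From: columnist@paper.example
Subject: opinion piece making the rounds

The candidate is surely thinking ...
"""

INTERNAL_MAIL = """\
From: Staffer <staffer@campaign.example>
To: boss@campaign.example
Subject: draft talking points
Content-Type: text/plain; charset="utf-8"

Here is the draft we discussed.
"""

if __name__ == "__main__":
    for name, raw in (("external", EXTERNAL_MAIL),
                      ("forwarded", FORWARDED_MAIL),
                      ("internal", INTERNAL_MAIL)):
        print(name, classify(raw))
```

The first sample reproduces the "never-do-wells" pattern (an outside address mailing a long list of recipients), the second the Sputnik pattern (an insider forwarding someone else's text); only the third could be quoted as the account holder's own words.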

Clinton Campaign Spin

The Clinton campaign, for its part, has clearly been put off balance by the publication of the hacked documents, judging from the contradictory statements they have made in its wake. Podesta first claimed that the Wikileaks documents were in fact fake. "They've put out documents that are purported to be from my account," he stated on a Sunday morning talk show. Then later on Twitter, he seemed to walk back this claim, asserting that fake documents had been inserted into the file dump, according to Politico. Finally, by Wednesday, Podesta admitted that his account had in fact been compromised and the FBI announced that it was investigating the hack. Podesta has now gone on the attack himself, fingering Russia as the source of the hack and claiming coordination with the Trump campaign: "Russian interference in this election and their apparent attempt to influence it on behalf of Mr. Trump . . . should be of utmost concern to all Americans," said Podesta, according to CBS News.

This line of attack builds upon existing campaign narratives that have been articulated by Hillary Clinton herself. As she stated at the second presidential debate: "Putin and the Russian government are directing the attacks, the hacking on American accounts to influence our election. And Wikileaks is part of that, as are other sites . . . we don't even know if it's accurate information . . . believe me, they're not doing it to get me elected. They're doing it to try to influence the election for Donald Trump."

But Podesta appears to have bigger problems than the Russians. The Clinton campaign chairman's Twitter account was apparently compromised by someone from 4chan's /pol/ board earlier today. Politico reports: "Podesta's Twitter account sent out a strange tweet reading: "I've switched teams. Vote Trump 2015.Hi pol." The tweet was quickly deleted, but the Clinton campaign confirmed the account had been hacked."

For an in-depth analysis of the Democratic response to the hacks and leaks, see Glenn Greenwald's article at The Intercept: "In the Democratic Echo Chamber, Inconvenient Truths Are Recast as Putin Plots."

Conclusion

We live in a new information environment. Barack Obama was hailed as the first president of the social media age. The next president may be the first to inhabit an age of generalized, asymmetrical, information warfare. The Wikileaks Podesta emails file dump has completely muddied the waters in an already dirty presidential campaign. Widely read political news sources have been humiliated by transparent hoaxes. Others have had their shoddy reporting exposed for all to see. One major presidential campaign has been humiliated by spouting faulty Russian state news reports, while the other is getting pwned by 4chan.

Asking yourself a couple of simple questions can help dispose of all the bullshit that is tripping people up right and left. Where's the evidence? Where's the corroborating evidence? The great thing about Wikileaks is that any assertions made on the basis of its documents can be verified or debunked by simply searching its archives and reading the primary source materials in question.

For more, check out our previous post on how to spot a fake news article and identify a hoax news website.

The Witness Of Fitness: Health Apps Want Your Hot Body (Of Data)

Do you have a smartphone, smartwatch, or otherwise e-enabled device that you use to keep track of your health and fitness habits?  That's good, in the sense that you care enough about yourself to hopefully not totally devolve into a donut-demolishing dumpster.  It's bad, however, that all of your fitness data might not just be kept solely between you and your get-buff gadgetry.

"Sweet, I just beat my best 5K time!
But what's with all these ads to join the army?"
(Image courtesy lifefitness.com.)
According to Men's Health magazine, 58% of smartphone users have some form of fitness app installed.  Some 81% of those apps have no privacy policy whatsoever.  That means that any number of interlopers from the health and fitness industry (or worse) could be dipping into your microchips for more ways to figure out how to escalate their multi-billion dollar empire.  Do you prefer biking to running?  Gyms to home workouts?  Do you shop at certain health food stores, run certain routes, patronize certain compression sock companies?  All of this ends up informing the larger corporate collective.

We live in a world where even your new athletic socks can snitch on you.
(Image courtesy wanelo.com.)

Worse, with 70% of Americans classified as overweight or obese, there are many ways that our data can be used to lead us further into temptation.  Do you go to a gym in a strip mall?  The other businesses might send out some chain-restaurant coupons singing the siren song of sugars and salt.  Do the recent data trends indicate that people are laying off visits to McDonalds?  Better escalate the ads for Shamrock Shakes!

We're so sorry to have to show you these tragic stats, though yes,
it is fucking totally rarely and deliciously worth the extra hour in the gym.
(Image courtesy chiabia.com.)

While some apps may ask for your permission to share data, openly admit to sharing your data, or at least hold off on talking about you if you're underage, it's worth keeping an eye on various health apps' privacy policies as much as it is keeping track of your own fitness.  In a way, maintaining your privacy is a form of fitness unto itself.


And remember, you can still get fit sans any tech devices.
Just imagine your favorite apocalypse scenario, and train to survive it!
(Image courtesy plus.google.com.)


Will History Be Written By Lasers And Preserved On Crystals?

Have you ever written something so mellifluously elegant, so heartwrenching, or so damn dirty that you hid it away on a disk?  How about preserving important family history in your formerly-current computer's format?  If this happened twenty (or even ten) years ago, that disk is likely now obsolete.  How can we keep our digitized information in perpetuity when it's tougher and tougher to stay caught up with upgrades?

Now we can keep track of all of man's crazy fairy godparents,
right up until we all find out whether they're real or not.
(Image courtesy messagetoeagle.com.)
According to Gizmodo, scientists have discovered a way to etch massive quantities of information onto nanostructured quartz discs.  The discs, which are smaller than CDs, can hold a whopping 360 terabytes of data.  They are thought to be able to survive for 14 billion years, at temperatures up to 250 degrees Fahrenheit.

While a similar process had previously allowed the etching of some 40 megabytes of information per square inch (about the same data density as a music CD), the updated process opens up a huge new opportunity for long-term, large-scale data preservation.  The scientists involved in the discovery have gauged the possible data storage size by practice-printing smaller works onto small discs, including the Universal Declaration of Human Rights, Newton's Opticks, the Magna Carta and the King James Bible.


Your future library might just be a pretty collection of quartz discs.
(Image courtesy theverge.com.)

The team, who hail from the University of Southampton, UK, uses femtosecond-fast pulses of laser light to etch the data to the nano-structure of the quartz.  Three layers of nanoscale dots are etched a mere five microns from each other.  The disc is then "read" by passing light waves through it and observing how their polarization is altered.

Now, we can record human history until our (probably near) end, and keep it around nigh-forever.
So you better do something interesting, or at least write like you did.
(Image courtesy southampton.ac.uk.)

To put that in perspective, a femtosecond is one quadrillionth - one millionth of one billionth - of a single second.  A micron is one millionth of a meter (a single human hair is around 100 microns).  You could probably carry a whole library in the space of one good-sized book.  Oh, and the sun is slated to burn out in about a third of the 14 billion years the data would last.

So keep writing those piles of "X-Files"/"Indiana Jones" mash-up fan-fiction.  Keep churning out manuscripts for plays based on your dog's perceived inner monologue.  Write the Great American Novel, or at least 500 drafts of what it could be.  Soon, your quantity of masterpieces could be kept safe forever, all together.


There are some love stories that will be written and rewritten forever through the ages.
(Image courtesy theguardian.com.)


Ingrained In The Brain: New "Brainprints" Security Metric Proven 100% Accurate

We've all seen a spy movie where someone's fingerprint-scan is needed to access an important area, and they end up forced to scan in at gunpoint, or simply having their finger lopped off to fulfill the invaders' needs.  And even retinal scans could possibly be faked with the right medical information and digital technology.  However, the latest security key is stashed somewhere very safe:  inside your skull.

When your brain is your password, is your cap the Caps Lock?
(Image courtesy techcresendo.com.)
According to nakedsecurity.sophos.com, recent tests have proven "brainprinting" technology to be 100% effective at identifying unique users and granting them security access thanks to this information.

Using electroencephalogram (EEG) scans of various humans' heads, scientists were able to deduce unique patterns in which the brain's neurons fired in response to certain terms.  Each word, when flashed for under a second, imbued its own brain-spanning tracks through the users' grey matter, the pathway of which was then recorded and later used for authentication of the specific person.

By focusing solely on the region of the brain that reads and recognizes words, the scientists were able to eliminate any interloping "chatter" going on during the rest of the mind's business-as-usual.  This allowed them to zero in on the desired authentication indicators.


"OK, every time it lights up yellow, let Bill into the nuke lab.
If anything else lights up, have him arrested for using meth."
(Image courtesy tek-think.com.)

The researchers, based out of the Basque Center for Cognition as well as Binghamton University, showed a group of EEG-strapped volunteers 500 different images for half of a second apiece, and recorded the results.  The brainprints were distinct enough to identify a single person out of a group of 30, 100% of the time.

Binghamton professor of psychology Sarah Laszlo explained this neatly, saying, "When you take hundreds of these images, where every person is going to feel differently about each individual one, then you can be really accurate in identifying which person it was who looked at them just by their brain activity."

Most intriguingly, the "nonvolitional" brain response to each image means its impact on you is so decisive, you're not even aware you made a decision about it.  Your reaction to say, an English bulldog in a silly costume, is already apparent in your brainframe, and won't be altered neuronally.  However, were that brainprint to be "stolen" (somehow compromised due to your reaction), you could "reset" it by changing your mind about the image.

"My brainprint used to think this was adorable, but after the break-in
I had to reset it as a remembrance of yet another manifestation of Catholicism's daily oppression."
(Image courtesy amazon.com.)

Best of all, were the user under major stress (such as during a robbery where they are being forced to use their mental "code" to crack into something), it could negatively affect the brainprint enough to render it useless.

While the technology is still in development, it hints at a more hack-proof future where literally putting your mind to something will be a key feature of augmented security.


May the path of your neurons flow functionally.
(Image courtesy brainprint.ch.)

X Marks The Spotted: Windows 10 Is Watching You

As citizens of the cyber-community, we've unfortunately become conditioned to seeing ads that are eerily targeted to things we say, emails that appear from long-forgotten websites, and other evidence of deep data gathering made manifest for use of moneymaking.  Now, with the launch of Windows 10 becoming a necessity for some users, Microsoft seems to have pulled out even more stops to speed up their spying...

Seriously, what ISN'T spying on us these days?
(Image courtesy hackread.com.)

According to theinquirer.net, Windows 10 uses "basic telemetry" data to adjust your web browsing habits for your location.  Fair enough.  However, the company has openly admitted to using this new browser platform to gather more data on users than ever, all under the auspices of excuses that prey on laziness and/or lack of knowledge.

The Windows 10 operating system has already made headlines by downloading itself to machines regardless of user preference, which is straight-up creepy.  It can also wreak havoc on devices with data caps, such as iPads.  The very fact that the system is so pushy makes it suspicious to begin with, to say nothing of the hidden folders that need to be navigated before any changes can be implemented to the system.  Numerous complaints have been made about glitchy and/or dramatically slower computers that have been afflicted by repeated failed download attempts by the system.

According to Forbes, the system itself is, by Microsoft's own admission, also spying on your personal actions.  Your usage of the system is reported back to Microsoft as part of their "core data" collection, which can include browser history data, system performance, and even keystrokes logged on your machine.  It can provide unasked-for software updates with no explanation of function, display ads in the Start menu, control your bandwidth usage, and report on hardware usage to Microsoft.  So basically, it knows everything about you.

Just wait until it starts writing you creepy love notes on those little desktop Post-Its.
(Image courtesy easysecurityonline.com.)

Microsoft Corporate Vice President Joe Belfiore explained that the company will take users' opinions into consideration regarding this technology, stating, “We’re going to continue to listen to what the broad public says about these decisions, and ultimately our goal is to balance the right thing happening for the most people – really, for everyone – with complexity that comes with putting in a whole lot of control.”

Sorry, all we heard was that bit about listening to the broad public and goals of a whole lot of control.  

If you suspect Windows 10 has been downloaded onto your machine sans consent, check your privacy settings and edit them via Start menu > Settings > Privacy.  It's a start, despite all the insidiousness.  Better yet, educate yourself on why this is bad for the safety of society, and don't be afraid to use your voice against it...if you're going to be listened in on, be heard as a cause for good.

Dammit Clippy, I never figured you'd turn snitch.  What has the world come to?!
(Image courtesy networkworld.com.)


Federal Appeals Court Rules NSA Wiretapping Illegal; NSA Turns Up The Volume, Puts Hands Over Ears, Says "La La La"

Of course, all privacy-prone American citizens have known this for some time:  the NSA's phone-call compendium is unnecessary, unaffiliated with capturing ANY terrorists EVER, and is overall downright creepy.  Thankfully, today, a federal appeals court ruled it illegal.

They listen to everything, but this is the only thing they need to hear.
(Image courtesy alan.com.)
According to Reuters, the 2nd U.S. Circuit Court of Appeals in Manhattan said that even the much-maligned Patriot Act was no excuse for the NSA to go snooping around our phone conversations (and texts, and picture messages.)

Circuit Judge Gerard Lynch, whom all Americans should buy a beer for, confirmed the ruling in a 97-page decision that the Nude Snapshots Agency's skullduggery is illegal.  Judge Lynch stated, "Such expansive development of government repositories of formerly private records would be an unprecedented contraction of the privacy expectations of all Americans. We would expect such a momentous decision to be preceded by substantial debate, and expressed in unmistakable language. There is no evidence of such a debate."

Pleads ignorance to massive malfeasance.
Leaves the wiretap tape rolling.
Leader of the "home of the brave"?!
(Image courtesy raceandcomics.blogspot.com.)


However, the appeals court did not rule on whether the actions were unconstitutional, nor did they call for a halt to the program (which is due to expire, along with the rest of the Patriot Act, on June 1st.)  Lynch explained that this would give Congress a chance to formally and officially decide what types of surveillance are acceptable (and, you know, LETTING US KNOW ABOUT IT THIS TIME.)  If Congress reauthorizes the objectionable Section 215 of the Patriot Act (the supposedly surveillance-enabling bit), further litigation could lead to the Supreme Court.

Other federal appeals courts in Washington D.C. and California are examining the case, which had previously been ruled lawful in December 2013 by district Judge William Pauley in Manhattan.  The NSA is currently getting away with their wiretapping weirdness thanks to secret approvals from a "national security court" established in 1978 under the Foreign Intelligence Surveillance Act.

Apparently we're really good at all of this by now, and have been for some time.
(Image courtesy phandroid.com.)

The case was brought to court by the American Civil Liberties Union.  One of their lawyers, Alex Abdo, was passionate about Thursday's verdict.

"Mass surveillance does not make us any safer, and it is fundamentally incompatible with the privacy necessary in a free society," he correctly noted.

Somewhere in Russia, Edward Snowden should be cracking a bottle of vodka and celebrating just a little,
or a lot, or at least enough to forget that he's still in fucking Russia
because America's government brutally proved that they cannot handle the truth.
(Image courtesy ethicsstupid.com.)


Euthanizing Youtube: Security-Testing Hacker Discovers Ultimate "Delete" Button

What if you had computer hacking skills of such astonishing power, you could bring an entire lane of the information superhighway to a screeching halt?  What would you do with your great and terrible force?  This week, one man was faced with this fascinating decision...

NOOOO!  NOT THE HARLEM SHUFFLE!
(Image courtesy answerbag.com.)
According to Gawker.com, a Russian hacker named Kamil Hismatullin decided to take his talents out for a spin this week. Hired by Google under a Vulnerability Research Grant to assess Youtube for security flaws, Hismatullin made an astonishing discovery: he could permanently eradicate any video with a simple string of code.

Suddenly, over a decade of humanity's finest and freakiest moments were up for grabs. An entire archive of human history (often stupid and ridiculous human history, but history nonetheless) was at the whim of one hacker. Visions of rap/opera mash-ups, cat videos, and rap/opera/cat-video-mashups vanishing became a tangible, terrible threat.

"LEAVE YOUTUBE ALONE!!!"
(Image courtesy kidzworld.com.)

Hismatullin let all of that slide, to the tune of five grand.

Despite a shockingly short study-period for this possible purge, and a looming lust that threatened to knock pop stars from their plastic pedestals, Hismatullin simply accepted a $5,000 bounty to solve the problem. Of his voyage through video Valhalla, he wrote, "In general I spent 6-7 hours to research, considering that couple of hours I've fought the urge to clean up Bieber’s channel haha."


It is speculated that the footage of this hilarious skateboarding bulldog
ultimately convinced Hismatullin not to wreak havoc on the popular video site.
(Image courtesy allthingsd.com.)

While we don't necessarily agree with the results (Bieber should be banished and Mr. Hismatullin should be at least $10,000 more wealthy), the plausible annihilation of so much material brings ponderous questions to mind.  Are the seemingly-supple strands of the World Wide Web really mere gossamer?  Could someone hack voting machines in an election?  Could someone crack into a president's email?  Could someone tear down Twitter (please)?

There's no safety in this cruel world.  Just be thankful Mr. Hismatullin is not a wrathful man or one with an agenda, and go back to enjoying your videos...you now know that like fickle and fiendish fire of life, they could flare out at any moment.



A veritable burning of the modern Library of Alexandria could have taken place here.
Cherish this trove of wisdom while you still may.

Keeping Quiet? Better Buy It. AT&T To Charge For Online Surveillance Opt-Out


So it's come to this.  We're now "afforded" the option to bribe companies out of spying on us...
As internet speeds grow faster, so does the transfer of your personal information.  It seems that not only are Americans willing to give up privacy for a little security, we're also willing to give it up just for quicker downloads of stupid cat videos.

As reported by techsmash.com, AT&T is now charging $70 for high-speed Gigabit internet, and another $29 if you don't want them to track you during your adventures on said internet.  While other companies offer this opt-out service for free, AT&T apparently decided to parlay the value of privacy into a moneymaking scheme.


Great, now they're tracking me for googling "internet gulag."
(Image courtesy quickmeme.com.)

AT&T's website states that they monitor, "The web pages you visit, the time you spend on each, the links or ads you see and follow, and the search terms you enter."  Well, that's not going to paint a pretty picture.  But at least they are sure to follow that statement with a patronizing, "We will not collect information from secure (https) or otherwise encrypted sites, such as when you enter your credit card to buy something online or do online banking on a secure site."  Gee thanks for, you know, not committing major financial fraud?

Since we as internet users have little choice in the matter, how can it be considered ethical to try to financially deter us from surfing safely and secretly?  Privacy shouldn't come with penalties, particularly not payoffs.  If this is how we expect to be treated at the world's nexus of knowledge, how far are we going to let it go in real life?

The next generation of secret police don't even need the "secret" prefix anymore.
Oppression is now overt, and pay-for-privacy is a perturbing part of that.
(Image courtesy consumerwatchdog.org.)


The Big Daddy Of Big Data: U.S. Appoints First-Ever "Chief Data Scientist"


Due to the vast influx of intelligence from many forms of modern media, treasuring our data technology is now a job that requires a major position in the United States government.  Meet America's chief cyber crusader, D.J. Patil...
Patil's official title is the extravagant "Chief Data Scientist and Deputy Chief Technology Officer for Data Policy." That's a lot of data. According to wired.com, however, Patil has been well prepared to upload the job thanks to stints at LinkedIn, eBay, PayPal, Skype, and Greylock Partners (a venture capital firm.) He also worked with the Department of Defense in anticipating threats via social media analysis. Yes, America, this man is handling a fistful of your stats.

"Wow, around Valentine's Day you stalked a LOT of exes on Facebook."
-D.J. Patil
(Image courtesy broward.floridahealth.gov.)

Patil's official position puts him in the Office of Science and Technology Policy, with US Chief Technology Officer Megan Smith as his boss. His major current plan is to work on applying information gleaned from many of the "big data" sources, particularly focusing on the healthcare system.

Smith downplayed the insidious nature of a now-official cog in the machine who tends to the rivers of possibly ill-gotten "big data" that flow through the minds of our supposedly "innovative" government. She stated today on the White House's blog that, "Across our great nation, we’ve begun to see an acceleration of the power of data to deliver value. From early open data work by the National Oceanic and Atmospheric Administration (NOAA), which provides data that enables weather forecasts to come directly to our mobile phones, to powering GPS systems that feed geospatial data to countless apps and services — government data has supported a transformation in the way we live today for the better."

We'll see about that. Of course, they'll see first, because they have a Chief Data Scientist.

Knowledge is facts, wisdom is application, and big data is all the hard evidence.
(Image courtesy delta2000.com.)

Patil's experience is not a singular one: other techies of his Silicon Valley ilk are also currently helping revamp the federal government's IT and intelligence collection/analysis methods. It seems we can only hope that they actually have the nation's best interests and security in mind, unlike other agencies who seem to mostly enjoy trolling for your nudies (HI NSA!  DID YOU LIKE THE VALENTINE?)

Some more data from Big Data.  And there's lots more where that came from.
(Image courtesy binarytattoo.com.)

The government's significant investments in "big data" matrices need oversight, and Patil is watching it all. He will also be advising on tech policy and practices, so this could be the man to blame if your electronic privacy continues to be violated (spoiler alert: they're not stopping, they're just making it look better.)


SOMEONE had to handle this insane amount of intel.
(Image courtesy www1.unece.org.)

And make no mistake, this is not just a job to Patil...he loves what he does, and wants you to love him for it too. In 2012, Patil declared “data scientist” as the sexiest job of the 21st century in a co-authored Harvard Review article.  His life's mantra?  "If you can’t measure it, you can’t fix it.”  Well, now he can measure everything.  But how are we going to know what's getting fixed...by whom...and why?  Maybe the American public need some other, more impartial data scientists of our own...perhaps a system of techs and balances?


This is D.J. Patil.  No need for any more introductions, he already knows everything about you.
(Image courtesy leadingthoughts.com.)











"Like" After Death: Leave A "Legacy Contact" To Manage Your Facebook Postmortem

Like millions of people the world over, perhaps you enjoy reporting the diverse details of your life on Facebook.  But what about...after?  What happens to your e-life when your real one is over?  Better find someone very trustworthy to handle your e-estate...



Rest in PC.
(Image courtesy sickchirpse.com.)

As PC Life reports, there is a new option to harangue people with your selfies, even from beyond the grave (hopefully the selfies were taken pre-demise, otherwise something creepy is going on.)  No, they've not figured out how to update from the afterlife ("OMG, sooo hot here, WTF is with these pitchforks?  -feeling HOT :P")  It's a new Facebook feature called your "legacy contact."

Your legacy contact is like the executor of your will, except limited to your Facebook e-existence. Since 2009, Facebook has allowed pages for the deceased to become memorial pages, but now, should your death occur in an untimely manner where you were unable to share your password, your legacy contact can handle all of your profile traffic.

No, not that legacy.  If you were uploaded to a computer, you could update your profile from the Grid.
(Image courtesy disney.wikia.com.)

Timeline announcements, covers, profile pics, new friend requests, and other things that you personally would have been able to edit or like are now in the hands of your trusted associate.  They don't call it a "legacy" for nothing...you want to make sure your curator is a close confidante.  However, this person won't be able to post as you, nor will they be able to see your private messages.  If you truly trust your contact, an archive of your profile including photos and posts can be downloaded from your account.  You know, in case someone wants to make a book of all your awful haiku or "artistic" brunch photos.

Fruits of earth orbit
sunny-side-up sustenance...
Full life, full belly.
(Image courtesy observer.com.)

You can freak the hell out of your favorite roommate, or give your Valentine a weirdly endearing mission, or just otherwise classify your legacy contact on Facebook by going into the "Security" settings and choosing "Legacy Contact."  An option to send a message is also included, which you'll probably want to use if you've not yet spoken about this with the person to whom you are entrusting your e-eternity.

Of course, if you're more of a scorched-earth type, you can now also tell Facebook to kill off your profile as soon as you've shuffled off the mortal coil.  But who'd want to do that?  Don't you want your choices in stupid cat videos to live on forever?

Modern man dies thrice:  when his heart ceases to beat, when his name is spoken for the last time,
...and when his social media account is deleted forever.
(Image courtesy shamusyoung.com.)


The Safest Secrets In The World: Swiss Systems Allow For Super-Secure Data Storage

As privacy concerns escalate in our ever-observed lives, steps are now being taken to ensure that precious data can be held as securely as gold or other valuables.  Switzerland, a nation known for its strict privacy in the banking business, is at the forefront of this mission.

According to phys.org, Switzerland has some 61 data-banking centers that deal in information storage.  During the last five years, over a billion dollars have been invested by folks looking to keep their most important information safe from anyone else.

Even their pocketknife USB has a fingerprint scanner and major encryption technology.
No, seriously.
(Image courtesy gadling.com.)

The investments in data storage are surging despite Switzerland's ever-eroding laws concerning banking privacy. Due to the formerly overabundant nature of banking privacy in the nation, it was known as a haven for shady dealings to be neatly numbered and accounted for, without oversight from pesky things like the law. Although that's now changing, the element of the pervasive privacy is now being well applied to data security.

Franz Grueter, the managing director of the data storage firm Green.ch, explained, "Clients need confidence, discretion, reliability and stability. These have been the country's hallmarks forever." He also noted that, "Data storage is the new Eldorado for Switzerland. It's a real boom." (Green.ch has posted 30% annual growth since its inception in 1995.)

Though Switzerland is Europe's fifth-largest data hub, it wants to be known as the nation that takes data security the most seriously. In Switzerland, personal data is legally classified as a "precious good" that requires a judge-issued order before it can be observed by any outsiders. Thus, digital assets, in the form of proprietary secrets, intellectual property, invention schematics, sensitive plans, or other critical data can be safely stashed with the Swiss.

Even email services established in Switzerland are more secure.
(Image courtesy totaldigitalsecurity.com.)

One such information cache, known as Deltalis, is situated in an underground Cold War-era bunker that's protected by biometric scanners, armed guards, and four-ton steel doors that were built to thwart a nuclear attack. Its exact location is not publicly known, and critical IT developments will be handled only by those who act in strict accordance with Swiss law. As far as privacy goes in the modern world, this is as safe as safe can be.

With leaks everywhere from government to Hollywood to personal cell phones occurring, it's good to know that somewhere, secrecy is being taken seriously. One big leak, from renowned whistleblower Edward Snowden, hinted that international spies had their eye on cracking into the Swiss system. They'll have to be the best in the world to make the attempt, though...digitally, physically, and legally, the Swiss have more layers of data protection in place than useful tools on one of their pocketknives.

Your weirdest nudies are safe here.
(Image courtesy photoromanzoitaliano.com.)

This Message Will Self-Destruct: CIA and Homeland Security Seek To Officially Destroy Thousands Of Emails

When you delete your emails, it's likely just to remove clutter, liberating your inbox from constant coupons, ads, e-pleas, etc.  But when the CIA and Homeland Security want to delete emails, considerably more eyebrows are raised.

According to engadget.com, two of our most totally-not-shady Big Brother organizations want to delete all of their emails that are seven years or older, as well as the emails of all CIA employees who have been retired for 3 years.  A plan of action was shown to the National Records and Archives Administration (NARA) that indicated this intent, with only 22 top officials' correspondence to survive the digital culling.

History now seems to be written by the digital winners.
(Image courtesy news.yahoo.com.)

For two organizations who thrive on intelligence (one where it's in the very title of the company), this seems like a bad idea. Numerous senators, including Dianne Feinstein (D-CA), are actively opposing this plan, fearing the expunging of evidence.

The motion was made by the CIA as part of an effort to help streamline its email collection for better management, a mission that NARA had asked of all government agencies to figure out a plan for.  Homeland Security's excuse was that it would free up valuable server space ($50 a terabyte per month) and that deletion could also possibly thwart the intended intelligence-gathering of Einstein, their government-website traffic-tracker.

They can stash endless info on regular citizens, but heaven forbid their own emails get retained.
(Artwork by Will Varner / Image courtesy twistedsifter.com.)

While this would be a win for private privacy, the overarching scope of government intel is something that people don't want to be able to simply vanish like so many extraordinary renditions before it.

Lee Tien of the Electronic Frontier Foundation told Gizmodo, "It's kind of sad. I want to applaud the government for choosing to discard unnecessary data about people. But we have good reason to question the government's reasons because of what we've learned about what we've NOT been told."

If you think the government shouldn't be doing the modern equivalent of shredding countless files and burning the confetti, you can tell NARA right here.

Uh...thanks but no thanks.
(Image courtesy reanimatedresidue.wordpress.com.)


Grounding Big Brother: Amnesty International Releases Anti-Government-Spyware Detection Software

Are you a closet revolutionary who is constantly aware of the deterioration of society and informs themself on ways it can be fixed?  Are you a casual bystander who once googled a song by a band that prided themselves on questioning authority?  Are you just paranoid as hell that the Man is out to get you?  Now, you can stop governmental cyber-peeping for sure, thanks to new technology released by Amnesty International.

As reported by the BBC, it is no secret that governments use "sophisticated spying tools that could grab images from webcams or listen via microphones to monitor people." Amnesty International knows how wrong that is, and has released the Detekt software to combat Big Brother's unsavory advances. Detekt scans your computer for government-grade spyware that might be missed (or intentionally looked over) by other more mainstream virus or malware detectors.

They're not this overt, but they are this unpleasant.
(Image courtesy wpremedy.com.)

Created through a collaboration between Amnesty International, the Electronic Frontier Foundation, Privacy International and Digitale Gesellschaft, the free software is designed to operate on Windows (the platform which most spied-on people are apparently using.) Its availability should be helpful in putting a damper on the $5 billion international government spyware market.

That's your tax money, getting spent to indiscriminately spy.  Kill the idea that this could ever be acceptable.
(Image courtesy betanews.com)

"People think the uses of spyware by governments are isolated cases. They are not," said Claudio Guarnieri, the German creator of Detekt. "Their discovery is isolated...Spyware is becoming the final solution for surveillance operations to overcome encryption.

"The real problem is nobody really asked the public whether that's acceptable and some countries are legitimizing their use without considering the consequences and inherent issues."

One of those inherent issues being that average civilians shouldn't be covertly spied on by their government.  Better fire up the Detekt, we probably just got put on a list.

There is nothing noble about blindly swinging a cyber bat at peoples' computers, hoping a pinata of prosecutable info will explode.  Even if it did, that candy is probably supposed to be helping the people.
(Image courtesy thehackernews.com.)




Pew Report: 90% Of Americans Feel They've "Lost Control" Over Data Privacy

It's no secret that most civilian information in the United States is not secret.  But just how bad has the encroachment on our privacy gotten?  In a new Pew Research Center report, it seems that the cognitive dissonance of the American Dream is frustrating, but still not something people feel ready to fix...even though it is more critical now than ever to stop the erosion from the invasion.

It's not just a feeling.  It's their first move.
(Image courtesy mb.com.ph.)

The Washington Post reports that a recent study indicated Americans were very aware of the "privacy dystopia" they were living in, with 61% stating that they "would like to do more" to protect their online information.  Over 90% were aware that they had "lost control" over how private organizations were able to obtain and utilize their personal information.

Unfortunately, 55% were admittedly willing to trade personal information for free services online, which doesn't seem to be in line with most peoples' stated desires for privacy (yes, it DOES require sacrifice of some things, unfortunately, but perhaps someday with effort, that could be changed.  Cognizance of this is the first step to correcting it.)

Whatever this is, it isn't worth your security.
(Image courtesy news.softpedia.com.)

Other data from the report included some interesting findings:

- 60% reported that revealing data to companies over the internet did not significantly improve their online experience
- 88% did not trust advertisers the majority of the time
- 82% did not trust the government all or most of the time
- Only 24% felt they could be easily anonymous online
- Perhaps most importantly, over 60% disagreed or strongly disagreed with the statement "it is a good thing for society if people believe that someone is keeping an eye on the things that they do online."

Cell phones, land lines, and social media site security were also assessed, but the overall results were clear:  the snooping needs to stop.  And until we cease squandering our own operational security or surrendering our data for the benefit of fleeting internet fun, this is going to be difficult to change.  It is no longer enough to disagree with privacy-violating practices - consumers and citizens must make the powers that be stop shamelessly snooping and selling our security.  Big Brother has become a bully, and it's time to fight back.

More technological shutters must be closed to block a variety of prying eyes.
(Image courtesy nypost.com.)


Hack Lab Intro: How to Set up a Home Hacking and Security Testing Lab

Introduction

This series of articles comprises an introductory tutorial on how to set up a home lab to experiment with common hacking and information security testing tools. Our setup will allow us to explore the sorts of computer and network vulnerabilities that can be encountered on the internet, and to test the security of our own home computer network and networked devices, all from within an isolated and secure working environment. The series is geared toward individuals who have little or no prior experience with virtualization software or common hacking and security testing tools, but are interested in exploring network and computer security.

Over the course of the tutorial series, we will create two separate network configurations. The first will be a completely virtual environment populated by two virtual guest systems running inside a single host computer. This requires nothing more than an internet connection for the necessary downloads, and a computer with relatively modest RAM and disk resources.

The second configuration will be an everyday local area network of the sort that can be found in many homes, but which is isolated from the internet and where we can strictly control and monitor all network traffic. This setup is slightly more involved in terms of hardware than the first, requiring also a spare router.

Our monitoring and attack system in both configurations will be an instance of a Kali Linux virtual machine running inside an installation of the VirtualBox software package on our primary computer. Kali is a Linux operating system distribution intended for security testing and digital forensics.

In the first completely virtual network environment, our victim will be an instance of Metasploitable2, a virtual machine that exhibits vulnerabilities that can be found on everyday computer systems and software configurations. As noted at Offensive Security, "Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques."

In the second network configuration, we will use the Kali Linux virtual machine to compromise an everyday local area network router of the sort that can be found on many home networks, in order to demonstrate just how easy it can be to steal login credentials passed from another computer on the network.

The tutorial is broken down into four parts:
  • Part 1 covers the installation of VirtualBox and provides a walk through of a full installation of a Kali virtual machine on your primary lab computer. Along the way, we'll take a short detour on how to quickly run live Kali sessions without a full installation of the machine.
  • Part 4 provides details on setting up our second network configuration, which models an everyday home local area network. With the attack machine, we'll conduct a simple man-in-the-middle attack against the network's router, and demonstrate a serious security vulnerability by stealing login credentials sent to it from the victim machine, in this case, the host computer. 

Hack Lab Part 4: Compromising a Home Router on a Local Area Network

This is part four in our tutorial series on how to set up a home hacking and security testing lab. In part three, we set up a completely virtual network inside VirtualBox in order to use Kali to test the (in)security of the Metasploitable2 virtual machine. In the present article, we'll set up a local area network similar to one you might find in any home, and then walk through a man-in-the-middle attack against an everyday router.

Here's our hypothetical scenario: there is a malicious individual on a local area network listening in on the network traffic (sniffing it, as they say) using ARP poisoning in an attempt to steal login credentials from the router's administrator so as to hijack the device, and by extension, the network. In this scenario, Kali will once again function as the attacker but the host computer will be the victim.

This configuration will require a router specifically for the purpose of hosting our home lab's local area network. This could also be accomplished virtually, but having the external network will allow us to test the security of other external networked devices moving forward.

Configuring the Local Area Network
For the present test, which was successful, I picked up one of those ubiquitous Netgear WNR 2000 series home routers at a local flea market for ten dollars. You might even have an old router just lying around collecting dust. Plug the router in, turn it on, and configure it as desired. An online manual for this router stated that once you have connected your computer to it, you can navigate to the URL routerlogin.net or the device's IP address in a web browser to log in for administrative purposes. They further provided the factory default login credentials: 'admin' for the login name, and 'password' for the password. The first thing I did upon logging in was to change the password using the router's so-called "Smart Wizard".

I prefer to hook up devices to the lab router through ethernet, and turn off wireless networking in the router when I'm feeling paranoid. Log into the router, and adjust settings as necessary. It should have DHCP, to provide ip addresses to hosts on the network. Keep it completely isolated from your actual home LAN that is connected to the internet, at the very least because connecting a second dhcp server to your main home network would cause a fair amount of chaos. We'll soon see whether this sort of interaction with the router is secure in any way. (Spoiler alert: in the case of the WNR 2000, it is not.)

Once your router is set up, open the Network settings in your Kali machine and change the attachment from the internal network to bridged mode, and attach it to the appropriate interface. (People who are more comfortable with managing multiple interfaces on Linux could just add a second adapter and switch between the two inside Kali.) Under the Advanced section of Kali's Network settings, notice the drop-down menu for Promiscuous Mode. This setting is important for our test. There are three options here: Deny, Allow VMs, and Allow All. Set it to Deny. This means that Kali will not be privy to any traffic directly to or from its host machine or other VMs that may be on the network.


Why have we set Promiscuous Mode to Deny?

Abstinence-Only Networking and the IP Stack
When Kali is running in bridged networking mode, as far as the rest of the hosts on the network are concerned, it is a completely independent host. But it isn't: it's a virtual machine, and it shares its network interface with its host computer, and by extension with any other VMs that might also access that interface.

If we set promiscuous mode to Allow All, the Kali machine will pick up all traffic going over the network interface, to which it has access because it is itself bridged over this interface. That obviously includes the given network's traffic sent to and from the host computer on which the virtual machine is running, as well as any other virtual machines it might be running on that interface. If the host computer pings the router, Kali will pick up the traffic.

When promiscuous mode is set to Deny, on the other hand, Kali networks with the host computer (and any other virtual machines that might be on the network) as if they were all on completely separate physical devices. If the host computer pings the router, Kali will not pick up the traffic.

If there is a secondary computer on the network, even if Kali is in promiscuous mode, it will not be able to capture a ping from that computer to the router, or any other such traffic between them, for that matter, such as an http session.  

When we run the man-in-the-middle attack against the router and the host machine, however, we'll see that we can pick up traffic between them. One might wonder whether this is a true man-in-the-middle attack, because as we already know, the Kali guest and the host computer share an interface. Kali already has access to the host machine's traffic. Setting up the sniffer is basically just enabling promiscuous mode on the adapter setting.

However, we are not conducting a physical layer attack. ARP poisoning is conducted between the link layer and the network layer of the IP stack. This could be demonstrated with a secondary host on the network. An ARP attack by Kali against the secondary computer will still work even though Kali does not share a physical network interface with the victim, and could not detect such traffic even in promiscuous mode.


Reconnaissance and Scanning the Network
There should now be three hosts on the lab LAN: 1) the router, 2) the host computer (our victim), and 3) the Kali virtual machine (our attacker). Let's begin by conducting some passive monitoring of the network traffic.

Open up Wireshark on your Kali instance and conduct a live capture, to see what kind of traffic you can pick up on this network. (See part two in the series for info on how to properly configure Wireshark to conduct a live capture, if you haven't already.) Let the scan run for about half an hour. My capture picked up:
  • SSDP broadcasts from the router, alerting hosts as to its existence
  • ARP broadcasts from the victim computer and the Kali host machine, seeking out the router's hardware address from its ip address.
  • DNS requests to external websites for services running on Kali and the host machine. These are obviously unresolvable, since the network is not connected to the internet. (I would also like to shut down these services later if they are not system critical, as I don't like the idea of my machines contacting random services on the internet without my say so.)
Nothing really seems out of the ordinary here, so let's run a scan of the network. Here's the topology graphic produced by Zenmap from a default nmap scan of my lab network:


The router is at 192.168.1.1, the primary host computer is at 192.168.1.2 and the Kali machine is at 192.168.1.5. As you can see, Zenmap's color coding indicates that there may be some vulnerabilities in the router.

This scan discovered three open ports on the router, and found no open ports on any of the other hosts. Ports 23 (telnet) and 80 (HTTP) were found open by default on the router. We would expect port 80 to be open since you can log into the router with a web browser for administrative purposes. It seems a bit odd that the telnet port is open as well, as it is unlikely anyone today would be telnetting into the router on their home network. This is a security vulnerability, but, fortunately, this router does not actually allow simple telnet access to its administrative interface. Any basic attempts to connect to it via telnet are rejected, which makes one wonder why it is open to begin with.

Now let's attempt to systematically determine what traffic on the network the Kali instance is able to capture. All packets sent from or to the Kali VM will be captured in Wireshark, since the capture is running on that system: ex. ping requests to the router from Kali, ping requests to Kali from the host computer, HTTP traffic if you use a Kali web browser to navigate to the router's admin page, and so on.

As noted above, if your Kali virtual machine's network settings were in promiscuous mode, Wireshark would also capture any packets directly sent to or from the host computer. But this is not the case here as we have set promiscuous mode to Deny.

With promiscuous mode set to Deny, if you ping Kali from the host computer, the Wireshark capture will pick up all of these packets, since they are being sent directly to and from the Kali machine. However, if you ping the router from the host computer, none of the request or reply packets will be picked up by your Wireshark capture in Kali, nor will any other such traffic. For example, if you use a web browser on the host computer to navigate to the router's login interface, the capture will not detect any of this traffic.

With this observation, we have acquired our target. What we would like to do is two-fold: 1) pick up any direct traffic at all between the host computer and the router, 2) pick up any sensitive traffic (and any correspondingly sensitive information) sent between these devices.

Running a Man-in-the-Middle Attack with Ettercap
To compromise the traffic between the host computer and the router, we are going to use a program called Ettercap. As noted in its manual page, Ettercap is a "multi-purpose sniffer/content filter for man in the middle attacks." Ettercap can be run from the command line or through its graphical interface. To launch the graphical interface, type the following command into a terminal: sudo ettercap -G. The Ettercap graphical interface:


However, we're going to run Ettercap from the command line, as this conserves more resources on the host machine since it does not require excess RAM. Our plan is to use arp poisoning to capture traffic between the victim and the router. Reading through the Ettercap manual pages allows us to determine that we can use the following command to conduct our attack:
sudo ettercap -i eth0 -T -M arp /192.168.1.1/ /192.168.1.2/
Before we run the command, let's take a closer look at what's going on here: 
  1. sudo runs the command as a privileged user. This is necessary for Ettercap to conduct the packet capture.
  2. ettercap tells the shell to run the Ettercap program.
  3. -i eth0 tells Ettercap to run the capture on the eth0 interface inside Kali. This may be different for you depending on how you have your network adapters set up. If you try to run arp poisoning on an interface that is not enabled, Ettercap will likely complain that "No such device exists". If you run it on an interface that is enabled, but not connected to a network, Ettercap will complain that "ARP poisoning needs a non empty hosts list".
  4. -T tells Ettercap to run in text mode, meaning it will print out any text characters found in its capture.
  5. -M tells Ettercap to run a man-in-the-middle attack.
  6. arp specifies that Ettercap should run an ARP poisoning man-in-the-middle attack.
  7. /192.168.1.1/ and /192.168.1.2/ specify the two specific hosts we want to target.
Let's see if we can capture any traffic between the victim and the router. Start a Wireshark live capture on Kali. Now ping the router from your host computer, and just let it ride (ex. ping 192.168.1.1). If you are running in non-promiscuous mode, Kali will not pick up any of the ping requests and replies between the victim and the router.

Now run the Ettercap command above (with any necessary substitutions for your own network configuration) from a terminal in Kali. If successful, the Wireshark capture should now begin picking up the echo requests and replies between the victim and the router (as well as any other packets passing between them), and Ettercap will print to the terminal any text picked up in those packets. You can now stop the live capture, quit Ettercap and stop the ping from the host machine to analyze the results. 

The next question is whether we can pick up any sensitive information, such as login credentials, passing between the victim and the router. For this, we'll slightly modify our Ettercap command:
sudo ettercap -i eth0 -Tq -M arp /192.168.1.1/ /192.168.1.2/
As you can see, everything is the same here, except I've added a q to the -T option. This tells Ettercap to run in quiet mode, which means that it will not print any and all text it picks up in captured packets, but rather only text of potential significance, such as login credentials. For our test, we want to see if we can capture the victim's credentials when logging into the router.

Start a new Wireshark live capture in Kali. Run the Ettercap quiet mode command in a terminal. Now, on the host computer, use a web browser to navigate to the router and log in to the administrative interface. Here's the result in Ettercap when I ran this attack against the WNR 2000 router:


As you can see, Ettercap picked up the victim's user name (here: 'admin') as well as the password (here: 'supersecretstring'). Moreover, the router passed the login credentials over the network in plaintext six times when the victim logged in to the device! Obviously, 'supersecretstring' is not a very good password, but in the present case it doesn't really matter how secure the password is, since the router passes it over the network in plaintext.
The login credentials can also be found in the Wireshark packet capture run alongside the Ettercap ARP poisoning attack. My Wireshark capture picked up a lot of packets, so let's do a search for 'credentials':


Inspecting the first packet returned from this search, reveals the following under the HTTP section of the packet view:


And there they are, the user name and password, conveniently located under the authorization heading: 'admin:supersecretstring'. In fact, it turns out the login credentials are sent in plaintext every time the victim loads another page in the router web interface!
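To make concrete why the capture above counts as plaintext: HTTP Basic authentication (RFC 7617) sends `user:password` Base64-encoded in the Authorization header, and Base64 is an encoding, not encryption, so anyone who sees the request over unencrypted HTTP can reverse it. The following Python is an added example, not code from the original article or from Ettercap or Wireshark. It audits a constructed HTTP request (the path and browser string are assumptions; the host name routerlogin.net and the credentials admin:supersecretstring are the ones from the test above) for Basic credentials sent without TLS, and reports the user name while withholding the secret itself, which is how such a finding should be logged.

```python
import base64
import binascii

# Constructed sample: the kind of request a browser sends to a router's
# admin page over plain HTTP. The token is the Base64 form of
# "admin:supersecretstring", the credentials used in the article's test.
# The path and User-Agent are assumptions for illustration.
SAMPLE_REQUEST = (
    b"GET /start.htm HTTP/1.1\r\n"
    b"Host: routerlogin.net\r\n"
    b"Authorization: Basic YWRtaW46c3VwZXJzZWNyZXRzdHJpbmc=\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"\r\n"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into its request line and a dict of headers.

    Header names are lowercased; the body (if any) is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_cleartext_basic_auth(raw, over_tls=False):
    """Return a finding dict if the request carries HTTP Basic credentials
    without TLS protection, otherwise None.

    The password is decoded to prove it is recoverable, but only its length
    is reported so the finding can be logged safely.
    """
    if over_tls:
        return None  # credentials inside TLS are not visible to a sniffer
    request_line, headers = parse_http_request(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token; not a Basic credential pair
    user, sep, secret = decoded.partition(":")
    if not sep:
        return None
    parts = request_line.split(" ")
    return {
        "host": headers.get("host", "?"),
        "path": parts[1] if len(parts) > 1 else "?",
        "user": user,
        "password_length": len(secret),
    }


if __name__ == "__main__":
    finding = find_cleartext_basic_auth(SAMPLE_REQUEST)
    if finding:
        print("cleartext Basic auth for user %(user)r to %(host)s%(path)s "
              "(password of %(password_length)d chars is recoverable)" % finding)
```

The same check is what an intrusion detection rule for "Basic auth over port 80" does: it does not need to break anything, it only needs to see the header. The fix on the device side is to serve the admin interface over HTTPS (or at least to avoid a scheme that repeats the credential on every page load), since no password strength helps once the header is visible on the wire.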

The victim's router admin account has now been compromised. After the victim logs out of the router, the attacker can immediately log in with admin privileges, change the password and lock out the victim, or make changes to the system's settings, turning it off, etc. The "Smart Wizard" on the WNR 2000 router isn't so smart or wizardly after all!

Now the question is: does this attack work against the router on your home lab? Let us know in the comments.

Reflecting on this attack, one would probably ask: Can't we detect this attack as it was going on? Does it not create a whole load of excess traffic on the network? Wouldn't it be clear from a packet capture on the victim machine that the intrusion took place? Wouldn't it even identify the ip and hardware addresses of the attacker? The answer to all those questions is in the affirmative, but you'd need to have been monitoring the network traffic over the whole course of the login session to know that. A simpler solution for the potential victim is to check the system's ARP cache before logging in to the router. This will identify whether there are two hosts on the network with the same hardware address. Since hardware addresses are supposed to be universally unique, this is a tell-tale sign that ARP spoofing is in progress.
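The ARP-cache check suggested above can be scripted, so the potential victim does not have to eyeball the table. The following Python is an added example and not part of the original tutorial: it parses the output of `arp -n`, `arp -a` or `ip neigh` (paste it in, or feed it the command's stdout) and flags any hardware address that is claimed by more than one IP. Going one step beyond the text, it also compares the gateway's current entry against a MAC address recorded earlier on a clean network, because a poisoned cache only shows a duplicate if the attacker's own IP still has an entry in it. The sample tables, the MAC addresses (locally administered, made up) and the IP layout (router .1, Kali .5, as in the lab above) are constructed.

```python
import re
from collections import defaultdict

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")

# Constructed sample 'arp -n' output from the victim host on a clean lab LAN.
# MAC addresses are made-up, locally administered values.
CLEAN_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   02:00:00:00:00:01   C                     eth0
192.168.1.5              ether   02:00:00:00:00:05   C                     eth0
"""

# Same table while ARP poisoning is in progress: the router's IP now
# resolves to the attacker's hardware address, so one MAC owns two IPs.
POISONED_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   02:00:00:00:00:05   C                     eth0
192.168.1.5              ether   02:00:00:00:00:05   C                     eth0
"""


def parse_arp_table(text):
    """Map IPv4 address -> normalised MAC from 'arp -n', 'arp -a' or 'ip neigh'
    output. Header lines and incomplete entries (no MAC) are skipped."""
    table = {}
    for line in text.splitlines():
        ip, mac = IPV4_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = mac.group(1).lower().replace("-", ":")
    return table


def find_duplicate_macs(table):
    """Return {mac: [ips]} for every MAC claimed by more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_status(table, gateway_ip, known_good_mac):
    """Compare the gateway's cached MAC with one recorded on a clean network:
    'ok', 'changed' (possible spoofing) or 'missing' (not cached yet)."""
    current = table.get(gateway_ip)
    if current is None:
        return "missing"
    return "ok" if current == known_good_mac.lower() else "changed"


def arp_warnings(text, gateway_ip, known_good_mac):
    """Run both checks and return a list of warnings (empty if the cache looks clean)."""
    table = parse_arp_table(text)
    warnings = []
    for mac, ips in find_duplicate_macs(table).items():
        warnings.append("MAC %s is claimed by %s" % (mac, ", ".join(ips)))
    if gateway_status(table, gateway_ip, known_good_mac) == "changed":
        warnings.append("gateway %s now maps to %s, expected %s"
                        % (gateway_ip, table[gateway_ip], known_good_mac.lower()))
    return warnings


if __name__ == "__main__":
    # On a live host, replace the sample with e.g.
    # subprocess.run(["ip", "neigh"], capture_output=True, text=True).stdout
    for w in arp_warnings(POISONED_ARP, "192.168.1.1", "02:00:00:00:00:01"):
        print("WARNING:", w)
```

Run it before logging in to the router, as the text recommends, and record the gateway's MAC on a day when the lab is known to be clean so the second check has something to compare against. Note that a duplicate can also appear legitimately for a short time (a router that was replaced, or a host with two IPs on one interface), so treat a warning as a reason to look at a capture, not as proof by itself.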


Moving Forward
Now that you have your lab's local area network set up, what can you do with it moving forward? Well, that's up to you! At the very least, you can use it to test the security of any given networked device you like, whether it's your main computer, a secondary computer, a cell phone, a tablet, a network drive or fileserver, a television or gaming console, and so on. Do you know what precise information your cell phone or laptop broadcasts to the entire local area network when you connect to any wireless device?

That concludes part four of our tutorial series on setting up a home hacking and security testing lab. If you've followed along from the beginning, you now have a virtual network you can use to explore the vulnerabilities in Metasploitable, an isolated local area network to test the security of any device you wish, and some familiarity with a handful of the many tools that are bundled with Kali.

As always, questions, comments, suggestions and criticism are welcome in the comments. Happy hacking!

Hack Lab Part 3: Installing the Victim Machine on a Virtual Network and Basic Exploits

This post is part three in our tutorial series on how to set up a home hacking and security testing lab. If you followed along in parts one and two, you have installed a Kali virtual machine in VirtualBox on your primary computer, and have begun exploring your home computer network with nmap and Wireshark, both of which come bundled in Kali.

In the present article, we will walk through the creation and installation of our victim machine, a virtual instance of Metasploitable2, and then configure our first lab network: a completely virtual internal network inside VirtualBox. We'll place the Metasploitable2 victim machine and the Kali attack machine on the virtual network, and conclude by showing one way to begin exploring and exploiting Metasploitable's various vulnerabilities with Kali, and then provide some resources for further study.

On that note, it must be stated at the outset that Metasploitable is an intentionally insecure machine, with a ridiculous number of vulnerabilities. It should never be exposed to the internet, or to an untrusted network. This is why we will connect it to a completely virtual network, one that cannot even be accessed by the host machine that is running VirtualBox.


Installing Metasploitable2 in VirtualBox
There are a number of subtle differences between creating a Metasploitable virtual machine and creating a virtual instance of an everyday operating system such as Kali in VirtualBox, as we shall see. Metasploitable2 is a prepackaged system intended for security testing and practicing common exploit techniques. Once the machine is set up, it does not require any updates or further configuration, as was the case with Kali.

The first step, of course, is to download a copy of Metasploitable2. Metasploitable2 was developed by Rapid7, the IT security group that created the Metasploit Framework, "a tool for developing and executing exploit code against a remote target machine," as noted at Wikipedia. The Metasploit Framework, as you may know, is also bundled in Kali, and the intentionally vulnerable Metasploitable2 system was created to provide a way to test the sorts of exploits that can be launched from Metasploit, among other tools.

You can download Metasploitable2 from Rapid7, but it is also available from other sources such as SourceForge. Once you've downloaded the file, unzip it, and place it wherever you prefer. I keep all my virtual machine .iso files and the like in a dedicated folder.

In the Metasploitable2 download, you'll notice a few differences from your Kali download. For Kali, we used the .iso disk image file to install the system on the machine. There is no .iso file for Metasploitable2. Instead we are going to use the Metasploitable.vmdk file; .vmdk stands for Virtual Machine Disk, a virtual hard drive image format.

Start up VirtualBox and click "New" to begin setup of the victim system. Name the new virtual machine, select its type and version. I've just used the defaults here: Ubuntu, 32 bit. Click "Next".


Since we will not be using the Metasploitable system directly, but rather only interacting with it as a target, we can lower the amount of RAM we allocate for it. I've chosen 384 MB as the initial setting. After you get it up and running, you might find that you can reduce it even further. In my experience, response times begin to noticeably lag around 256MB of RAM. Click "Next".


We do not need to create a virtual hard drive for Metasploitable. Instead the .vmdk file will act as a virtual hard drive itself. Select "Use an existing virtual hard drive file", then click the file-browser icon, navigate to your Metasploitable download files, and select the .vmdk file. Click "Create".


The newly created instance should now appear in your VirtualBox interface. Notice I have grouped my kali1 instance and my Metasploitable2 instances inside a folder labeled 'lab'. Grouping becomes very helpful once you have more than a couple virtual machines set up.


Now we need to tweak a couple settings for our Metasploitable virtual machine. Open the Settings window. I uncheck 'Floppy' in the boot order under the System menu, though this is not very important. In the Network settings, you'll notice that the default is the same as it was for Kali: there is a single network adapter enabled with NAT, network address translation.


We're going to change NAT to an internal VirtualBox network. In the "Attached to" drop down menu, change adapter one by attaching it to "Internal Network". You can also name your new virtual network. The default name is 'intnet'. I'm going to call mine 'labnet'. Click OK.


We're not quite ready to fire up our victim system just yet. Or at least, I'm not, because I've chosen a new name for my internal network. My experience with internal networks in VirtualBox has been a bit inconsistent. I clearly recall that the first time I used an internal network, it just worked and no further config was necessary. On another computer, I later found that the default internal network 'intnet' had to be configured as you would any custom internal network. If you fire up your Metasploitable virtual machine, log in and find that you have a functioning ip address, you're all set and can skip the following section. Otherwise, read on.

Configuring the VirtualBox Internal Network
I have to now enable the VirtualBox internal network 'labnet' to which I've just attached my Metasploitable virtual machine. If we take a look at the VirtualBox user manual section on Internal Networking, we read:
Unless you configure the (virtual) network cards in the guest operating systems that are participating in the internal network to use static IP addresses, you may want to use the DHCP server that is built into VirtualBox to manage IP addresses for the internal network. Please see Section 8.35, “VBoxManage dhcpserver” for details.
Rather than set up static ip addresses for our virtual machines on the virtual internal network, let's set up the virtual dhcp server. Reading through the VirtualBox user manual section on managing the dhcp server, we can conclude that running the following command in a terminal on the host computer will appropriately configure the internal labnet network.
VBoxManage dhcpserver add --netname labnet --ip 192.168.1.1 --netmask 255.255.255.0 --lowerip 192.168.1.2 --upperip 192.168.1.254 --enable
What's going on here? Let's parse this command.
  • There is the sub-command for managing VirtualBox's built-in dhcp servers: VBoxManage dhcpserver
  • We want to create a new dhcp server, therefore: add
  • We indicate the name of the internal network it serves: --netname labnet
  • We specify the ip address of the dhcp server itself: --ip 192.168.1.1
  • We specify the subnet or netmask: --netmask 255.255.255.0
  • We specify the lowest ip address the server will hand out to clients: --lowerip 192.168.1.2
  • We specify the highest ip address the server will hand out: --upperip 192.168.1.254 (192.168.1.255 is the broadcast address of this subnet, so it stays out of the pool)
  • Finally, we enable the server so it starts any time a machine on the network is started: --enable
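A small sanity check for the pool before running VBoxManage, as an added example that is neither the tutorial's nor VirtualBox's code: it rejects a pool that spills onto the network or broadcast address or that contains the dhcp server's own address, and otherwise assembles the command line above. The labnet values are the ones used in this article.

```python
"""Validate the VBoxManage dhcpserver arguments and build the command line.

Added example, not part of the original tutorial or of VirtualBox. It only
checks the numbers; running the resulting command is still up to you.
"""
import ipaddress
import shlex


def dhcp_pool_problems(ip, netmask, lowerip, upperip):
    """Return a list of problems with the pool (empty when it is consistent)."""
    problems = []
    # strict=False lets us build the network from the server's host address.
    net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    server, low, high = (ipaddress.ip_address(a) for a in (ip, lowerip, upperip))
    for name, addr in (("ip", server), ("lowerip", low), ("upperip", high)):
        if addr not in net:
            problems.append(f"{name} {addr} is outside {net}")
        elif addr == net.network_address:
            problems.append(f"{name} is the network address {addr}")
        elif addr == net.broadcast_address:
            problems.append(f"{name} is the broadcast address {addr}")
    if low > high:
        problems.append("lowerip is above upperip")
    if low <= server <= high:
        problems.append(f"ip {server} sits inside its own pool")
    return problems


def vboxmanage_dhcp_cmd(netname, ip, netmask, lowerip, upperip):
    """Return the VBoxManage command line, or raise ValueError with the problems."""
    problems = dhcp_pool_problems(ip, netmask, lowerip, upperip)
    if problems:
        raise ValueError("; ".join(problems))
    args = ["VBoxManage", "dhcpserver", "add", "--netname", netname,
            "--ip", ip, "--netmask", netmask,
            "--lowerip", lowerip, "--upperip", upperip, "--enable"]
    return shlex.join(args)


if __name__ == "__main__":
    # Values from this article's labnet setup.
    print(vboxmanage_dhcp_cmd("labnet", "192.168.1.1", "255.255.255.0",
                              "192.168.1.2", "192.168.1.254"))
```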
If successful, you can now fire up your new victim system and it will automatically be connected to the newly-configured internal virtual network. Go to the VirtualBox interface, select the system and click Start. This is the Metasploitable login screen:


Run ip addr or ifconfig to confirm that the system has been given an ip address and make a note of it. The victim is prepped. Did I mention? Metasploitable is an intentionally insecure machine, with a ridiculous number of vulnerabilities. It should never be exposed to the internet, or to an insecure network!

Now let's put our attack machine on the internal network. Network adapters can be changed in this manner even if the machine is running, though in my experience, this can also lead to minor glitches in the functioning of the VM, so I usually shut down if I'm going to change network settings for a VM.

Select your Kali instance in the VirtualBox application interface, click Settings, go to the Network settings. Change the adapter from Bridged to Internal Network, and select the name of your newly created internal network. I also "Allow All" in promiscuous mode under the advanced settings, as this allows the Kali network interface to detect any and all packets to and from the other virtual machine (as well as the host computer, if it were able to connect to the same network). Click OK.

Start up Kali and log in if the machine is not running. Check ip addr or ifconfig to make sure you have gotten an ip address from the virtual dhcp server. If so, you're all good! Open up the Iceweasel browser that comes bundled with Kali. In the address bar, enter the ip address of your Metasploitable instance. When the page loads, you should see the web interface that is pre-configured on the Metasploitable virtual machine. It comes packaged with 5 different websites/webapps that are intentionally insecure: TWiki, phpMyAdmin, Mutillidae, DVWA, WebDAV:


At this point, you now have a virtual internal lab network running on your host computer, and two virtual machines running on that network: your Kali attack machine and your Metasploitable victim machine. Remember, this network is completely internal to VirtualBox. Your virtual machines cannot communicate with the host computer over this network and the host computer cannot communicate with the virtual machines over this network. They are isolated.

Exploring Metasploitable's Vulnerabilities
Now the real fun begins! The first thing you might do here is passive network monitoring to see what kind of packets, if any, the victim machine is sending out over the network. Fire up Wireshark inside Kali, and start a capture on the appropriate interface for the lab network. (See part two of this series on how to configure Wireshark for live capture.)

From the packet capture, you'll soon notice that Metasploitable sends out workstation and workgroup announcements every couple of minutes for services that are running on it. If you inspect those packets more closely, you'll find that those packets contain a good deal of information about the host machine sending them, as well as about the services running on it.

As an exercise, confirm by inspecting the packets you've captured that Metasploitable is: 1) a workstation, 2) a server, 3) a print queue server, 4) a Xenix server, 5) an NT Workstation, 6) an NT Server, and 7) a Master Browser. You can doubly confirm that the machine is running such services by browsing its shares over the network in the file manager. But where can we find the network login credentials to view the shares?

Now that we have some idea of what we're dealing with, let's conduct a few port scans of the victim system to see what vulnerabilities that might expose. Let's just go through some of the various default scan types built in to Zenmap to see what they bring to light.

A ping scan reveals that the host is up. A quick scan identifies 18 open ports, among them the reserved ports for ftp, ssh, telnet, smtp, http, mysql and so on. A regular scan identifies 23 open ports. An intense scan also reveals 23 open ports, but it also provides operating system and version information, along with more detailed information about the services running on the various ports. For example, it notes that anonymous ftp login is allowed on port 21, identifies the SSH server's hostkey fingerprint, and so on. Run the more intensive scans to see what else you can find.

As an exercise, analyze the command options used in the various Zenmap scans to determine why those particular scans revealed that particular information.  

It is worth noting here that a couple leads for tracking down Metasploitable's network login credentials are provided already in the simple quick scan. However, it is indicative of the system's complete insecurity that these leads make the question of determining the network login credentials moot. Can you identify any such lead and why it moots our earlier question?

If you've followed along this far, you're probably asking yourself: what's next? (That is, if you haven't jumped ahead already.) Well, you now have a fully functioning virtual hacking lab outfitted with one of the most powerful attack systems and one of the most vulnerable victim systems around. It's time to start exploring some of the more involved tools bundled in Kali and see what other kinds of weaknesses you can identify and exploit in the various services running on the victim machine, including in the five websites and applications running on the system. That, however, is beyond the scope of the present article, but here are some resources to help get started:
Like nmap and Wireshark, all three of these tools are listed in Kali's "Top Ten Security Tools" menu.

That concludes the present article. In part four of the series, we'll set up an external local area network and demonstrate how it is possible to steal login credentials from a victim machine logging in to a compromised router. As always, questions, comments, suggestions and criticism are welcome below.

Hack Lab Part 2: Exploring Your Home Computer Network with Kali Linux

This article is part two in our tutorial series on how to set up a home hacking and security testing lab. If you followed along in part one, installing a Kali Linux virtual machine in VirtualBox, you have installed VirtualBox on the primary computer for your home lab and created a Kali Linux virtual guest on this host machine. The Kali system has been fully updated and VirtualBox Guest Additions have been installed on it. Finally, your Kali VM has a single network adapter running in bridged mode and you have set up an administrator account on the Kali instance. 

Creating and configuring the virtual network setup outlined in the introduction, which we will do in part three of this series, requires a few more steps: we still have to download and install Metasploitable, set up the virtual network, etc. But if you're like me, you're probably already itching to start playing with all the toys Kali has to offer, if you haven't already!

Home Network Analysis 101
This article will show how some of the tools that come bundled in Kali can be used to explore your existing home computer network, and test whether you can successfully identify all the devices that are connected to it. In particular, we'll take a look at a set of tools that come bundled in Kali that can be used for network analysis: nmap/Zenmap and dumpcap/Wireshark.

These will come in handy in our eventual testing lab, but they can obviously also be used to explore your home local area network as well. Nmap is a command line network scanner, and Zenmap is a graphical interface to nmap. Dumpcap is a command line network traffic monitor, and Wireshark provides a powerful and versatile graphical interface to monitor network traffic and analyze network packet capture files.

Here's a simple experiment. Do you happen to know how many devices are currently connected to your home network? Can you identify all of them off the top of your head? Try to do so, and make a list of them. At the very least, we know there will be at least three: the Kali guest, the host machine you are running Kali on, and your router. There may also be more computers or cell phones connected to it, and maybe even your television, refrigerator or coffee maker!

We are first going to use nmap to see if we can identify any such devices on the network, and perhaps detect one or two that we did not think or know were connected to it. We'll then configure Wireshark and run a packet capture to get a sense for the normal traffic on the network, and then run another capture to analyze just how an nmap network scan works.

Determining Your IP Address
Before we can scan the network with nmap, we need to identify the ip address range we would like to examine. There are a number of different ways to determine your ip address on a Linux distribution such as Kali. You could use, for example, the ip or ifconfig commands in a terminal: ip addr, or sudo ifconfig.

(Note that if you are using an administrator account inside Kali, which is considered a best practice, when a non-root user enters a command such as ifconfig into a terminal, the shell will likely respond by complaining "command not found". In Kali, sensitive system commands like ifconfig have to be run as root. To access it from your administrator account, all you need to do is add "sudo" to the front of the command: sudo ifconfig.)

These commands will provide you with a wealth of information about your network interfaces. Identify the interface that is connected to the LAN (likely eth0), and make a note of the ip address indicated after "inet" for the ip addr command, or after "inet addr:" for the ifconfig command. That is your ip address on your local area network. Here are a couple ifconfig and ip addr outputs posted by the Ubuntu Journeyman:



As you can see here, the ip address for this machine is 192.168.4.5. Yours is likely something similar to this: for example, 192.168.1.123 or 10.0.0.56 etc. Notice in the ip addr output above, the ip address is: 192.168.4.5/24. That means 192.168.4.5 is the ip address of that specific machine, while the /24 at the end indicates the address space for the LAN's subnet, which in this case are all the addresses from 192.168.4.1 to 192.168.4.255.

If we were to scan this local area network with nmap, we would want to scope out all the addresses in the network's range, which means 192.168.4.1, 192.168.4.2, 192.168.4.3, 192.168.4.4, and so on, all the way to 192.168.4.255. One shorthand way of notating this is: 192.168.4.1-255. Another common shorthand is 192.168.4.0/24.  Of course, if your address were 10.0.0.121, then the shorthand would be: 10.0.0.1-255 or 10.0.0.0/24. 


Host Discovery
Let's assume your Kali VM has the ip address 192.168.1.5 on a subnet with possible host addresses from 192.168.1.1 to 192.168.1.255. Now that we know Kali's ip address and the address range we want to take a look at, open up a terminal and type: nmap. This will provide you with a long list of all the options available within the nmap program. Nmap is a powerful program and there are a lot of options! Perhaps the simplest possible network scan that can be conducted with nmap is a ping scan, for which we use the -sn option.

Now type nmap -sn 192.168.1.1-255 into your terminal and hit enter. (Don't forget to substitute the address range for your network if it is different from this!) This scan will tell you how many hosts nmap discovered by sending a ping echo request to each of the addresses in the range x.x.x.1-255, and provide you with a list of the ip addresses of the hosts that returned a ping reply. This is host discovery 101. Here is the ping scan output from nmap on a simple local area network I set up for the purpose:


The ping scan found 5 hosts up with the addresses: 192.168.1.1, .2, .3, .5 and .6. Note that in the wild, this method of discovery may not work, as it is becoming increasingly common for administrators to configure their systems so that they do not reply to simple ping echo requests, leaving a would-be ping scanner none the wiser about their existence.

Did your scan find the same number of hosts that you had presumed were on your network? Were there more or less?

We can use the default nmap scan to further investigate known hosts and any potential ghost hosts the ping scan may or may not have uncovered. For this, simply remove the -sn option from the command above: nmap 192.168.1.1-255. Here's the output of the default nmap scan on the same network as above:


Nmap has returned much more information. It found three open ports on the router at 192.168.1.1, as well as an open web server port on host 192.168.1.2. All scanned ports on the remaining hosts were closed.

You can also use nmap to further investigate known hosts. The -A option in nmap enables operating system detection and version detection. Pick out a couple of the hosts discovered by your nmap scans, for which you already know the operating system type and version. Now scan these hosts with nmap for OS and version detection by adding them to your host address target list, separated by commas. For example, I would scan the router and web server discovered above for OS and version detection with the command: nmap -A 192.168.1.1,2. This will return more information, if any is determined, on those hosts.

You can obviously also run an OS and version detection scan over the whole network with the command: nmap -A 192.168.1.1-255. Depending on the number of hosts on your network, this scan could take a couple minutes to complete. If you press <Enter> while the scan is running, it will give you an update on its progress.

If there are more than a handful of hosts on your network, the output can be hard to parse in the terminal. You could send the output to a file with: nmap -A 192.168.1.1-255 > fileName.txt. Or you could use one of nmap's own built-in file output options.
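One of those built-in options is greppable output (nmap -oG scan.gnmap), which is easy to post-process. As an added example that is not part of the original tutorial, here is a small parser that lists the hosts that are up and the open ports on each; the scan result embedded below is constructed to resemble the lab network above (router with three open ports at .1, a web server at .2), not a real capture.

```python
"""Parse nmap greppable (-oG) output into hosts and open ports.

Added example, not from the original tutorial. Greppable output puts one
host per line, tab-separated fields, and port entries of the form
port/state/protocol/owner/service/rpcinfo/version/.
"""

# Constructed sample in -oG format, modelled on the default scan of the lab
# network described above (not a real scan).
CONSTRUCTED_OG = """# Nmap 6.47 scan initiated Mon Oct 17 10:00:00 2016 as: nmap -oG lab.gnmap 192.168.1.1-255
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 23/open/tcp//telnet///, 53/open/tcp//domain///, 80/open/tcp//http///\tIgnored State: closed (997)
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.2 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
Host: 192.168.1.3 ()\tStatus: Up
Host: 192.168.1.3 ()\tIgnored State: closed (1000)
# Nmap done at Mon Oct 17 10:00:12 2016 -- 255 IP addresses (3 hosts up) scanned in 12.34 seconds
"""


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def parse_gnmap(text):
    """Return {ip: {"up": bool, "open": [(port, proto, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment/header lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"up": True, "open": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":
                for port in value.split(", "):
                    parts = port.split("/")
                    if parts[1] == "open":
                        entry["open"].append((int(parts[0]), parts[2], parts[4]))
    return hosts


def hosts_up(text):
    """IPs reported as up, in address order."""
    return sorted((ip for ip, e in parse_gnmap(text).items() if e["up"]), key=_ip_key)


def open_ports(text, ip):
    """Open (port, protocol, service) tuples for one host; empty if none/unknown."""
    return parse_gnmap(text).get(ip, {}).get("open", [])


def load_gnmap(path):
    """Read a -oG file written by nmap and parse it."""
    with open(path, encoding="utf-8") as f:
        return parse_gnmap(f.read())


if __name__ == "__main__":
    for ip in hosts_up(CONSTRUCTED_OG):
        print(ip, open_ports(CONSTRUCTED_OG, ip))
```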

But this is also where Zenmap comes in quite handy. Open up Zenmap from Applications->Kali Linux->Information Gathering->Network Scanners. If you are running as an administrator and not root, as you should be, you will get a message stating that not all of nmap's functionality can be accessed without root privileges. Root is not necessary for basic scans. However, you can run Zenmap as root by opening a terminal and typing: sudo zenmap. The Zenmap interface:


The Zenmap interface is pretty straightforward. Enter the target ip address or address range into the target field. Changing the scan profile from the drop down menu changes the scan command. You can also manually enter or edit commands in the command field. After you run a scan, Zenmap also helpfully breaks down the results for you, providing host details, port lists, network topology graphics and more.

Play around with the various built-in scan types. Can you identify all the hosts on your home network with a ping scan? a regular scan? an intense scan? Can you identify all the open ports on those hosts? If you have a laptop or another device that you frequently use to connect to the internet over public wi-fi hotspots, you can also do intensive scans of those devices to determine if there are any open ports that would represent a potential security vulnerability. Identifying open ports is important for vulnerability assessment, because these represent potential reconnaissance or attack vectors.


Network Traffic Capture and Analysis with Wireshark
Nmap scans a network and probes hosts by sending out ip packets to, and inspecting the replies from, its target at a given address. With 255 addresses to scan along with 1000 ports on all discovered hosts in the default scan of the subnet above, that's a lot of network traffic! What does the packet traffic generated by a scan look like on the network?

To answer this question, we can use Wireshark and dumpcap. Dumpcap, as its name implies, is a command line tool that dumps captured network traffic. Wireshark provides a graphical user interface to analyze these sorts of dump files, which are collections of all the network traffic to which the given network interface was privy.

If run with the proper privileges, Wireshark can capture live network traffic as well. In Kali, you can find Wireshark under: Applications->Kali Linux->Top 10 Security Tools. Unless you have already configured Wireshark with the appropriate settings, when you open it for the first time you will be informed by the "Capture" panel that "No interface can be used for capturing in this system with the current configuration."


In its documentation, Wireshark recommends appropriate settings to enable capture privileges for a non-root user, and also notes that Wireshark can be run as root. To run Wireshark as root, you can log in as root, or run sudo wireshark in a terminal. When you run Wireshark as root, you will first be given a usage warning and provided with sources for how to set up proper privileges. This forum post on AskUbuntu boils the process down to three simple steps.

Now that you've enabled live captures in Wireshark, let's run one! Click "Interface List" in the Capture panel of the default view. Choose the interface that is connected to the network (it will indicate your ip address on that network), and click Start.

This will immediately begin a live capture of all the packets on the network to which the interface has access. At the very least, it will detect: 1) packets it sends out, 2) packets it receives directly, 3) packets it receives indirectly if they are broadcast to all the hosts on the network.

If you have never viewed a network packet capture before, you may be surprised what you can see, and what information is simply being broadcast over the network. You'll probably find messages from your router, you'll see internet traffic packets if you are viewing a webpage in a Kali browser, or on Kali's host computer (depending on whether or not Promiscuous Mode is enabled in the VirtualBox advanced network settings for your Kali machine). You might find that one device is especially chatty for no good reason. There might be devices pathetically sending out calls to other devices that have been removed from the network, such as a laptop searching for a printer that has been turned off, and so on.

The default Wireshark packet capture interface numbers each packet it captures, and then notes the time after the capture began that it received the packet, the ip address of the source of the packet, the ip address of the destination of the packet, the protocol, the packet's length and some info. You can double click an individual packet to inspect it more closely.

If you ping your router (which you should have been able to identify via nmap analysis) from Kali, you'll see all the requests and replies, obviously, since the Wireshark capture and the ping are running on the same machine. But the Kali guest shares its interface with the host machine. If you enable promiscuous mode in the advanced network settings inside VirtualBox for your Kali instance, when you ping your router from the host machine itself, the Wireshark capture will similarly allow you to see all requests and replies; they're going over the same interface! If you disable Promiscuous Mode, on the other hand, this will not be the case. In this case, packets to and from the host computer will not be picked up, as if it were a completely separate physical machine. Similarly, if you ping your router from a different computer, you will not see the request/reply traffic at all, though perhaps you might pick up an ARP request if the requester does not already know the (hardware) address of the request's intended recipient.

After getting a feel for what the base level network traffic looks like on your network, start a new capture, and then run a simple scan from nmap or Zenmap, and watch the result in Wireshark. When the scan is finished, stop the capture and save the file. Capturing the simple nmap ping scan from above on my network resulted in a file with over 800 packets! Now you can analyze the network traffic generated by the scan itself. You'll probably want to play around with Wireshark for a bit to get a sense of what it offers. There are tons of menus and options in Wireshark that can be tweaked and optimized for your own ends.

Well, that's it for this article. In part three of our hack lab tutorial series, we'll install our victim machine, an instance of Metasploitable2, in VirtualBox and set up a completely virtual lab network to explore some more tools that are bundled in Kali. As always, comments, questions, corrections and the like are welcome below.

Hack Lab Part 1: Installing a Kali Linux Virtual Machine in Virtualbox

In this article, which is the first part in our tutorial series on how to set up a home hacking and security testing lab, we will walk through the creation and installation of a Kali Linux virtual machine inside VirtualBox. This system will then function as our main monitor and attack machine in subsequent tutorials. After setting up the virtual system, we will:
  1. run a live Kali session
  2. do a full install
  3. update the system
  4. install the VirtualBox Guest Additions
  5. configure appropriate user accounts
  6. and finally switch over to a bridged network adapter in preparation for the next tutorial in the series
The whole process may take a few hours to complete, more or less, depending on the specifics of your own situation, e.g. computer, internet connection speed, and so on. This session took me about three hours from beginning to end.


Virtualization
There are a number of different free virtualization packages available online. For this tutorial series, we've chosen to go with VirtualBox because it's open source, beginner friendly, and there is a lot of documentation and support information that can be found for it online, especially regarding the systems that we will be installing. For example, since Kali and Metasploitable are derived from the Debian Linux distribution, support information on other Debian-based operating systems such as Ubuntu or Crunchbang is often also applicable to Kali and Metasploitable, as we shall see in this and subsequent articles.

The first step is to download and install the VirtualBox software package onto the primary computer chosen for your lab setup. Make sure you download the right version for your operating system and hardware architecture (32 bit vs. 64 bit). Instructions for installation on various operating systems are readily available if you run into any snags. Also make sure to keep a handy copy of the VirtualBox user manual, which comes packaged with the software and can also be found online.

Once you install VirtualBox and run it for the first time, you'll be presented with the application's welcome prompt, which provides an orientation for the interface. Poke around in the menus to get a feel for the software.

Next, download a copy of the Kali Linux operating system .iso disc image. Again, make sure you download the proper ISO file for your computer's architecture. Depending on the speed of your internet connection, this may take some time, as both the 32 bit and 64 bit files are 3GB in size. Kali's documentation can be found here.

As Kali is a security sensitive system, once you have downloaded the file, it is recommended to check its SHA1SUM hash value against the one supplied on the download page to make sure the file has not been corrupted in transit. For more on how to check a file's hash value, follow the link to our previous article providing an overview of the process.
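The check described above, as an added example that is not code from the tutorial or from the Kali project: it hashes the downloaded image in chunks, parses a sha1sum-style line from the download page, and compares the digests. The stand-in image file and its expected digest are constructed here so the snippet runs offline; the file name is an assumption.

```python
"""Verify a downloaded ISO against a published hash.

Added example, not part of the original tutorial. It works with any
algorithm hashlib knows (sha1 for the SHA1SUM values mentioned above,
sha256 when the download page publishes one).
"""
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha1", chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so a 3GB ISO never sits in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums_line(line):
    """Parse a sha1sum/sha256sum-style line '<hex>  <filename>' into (filename, hex)."""
    digest, _, name = line.strip().partition("  ")
    return name.lstrip("*"), digest.lower()


def verify_download(path, expected_hex, algorithm="sha1"):
    """True when the file's digest matches the published value.

    Note: a matching hash shows the file arrived intact; it does not prove
    who published it. Only a signature over the hash list can do that.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def demo():
    """Constructed stand-in for the ISO: returns (match, mismatch) results."""
    payload = b"constructed stand-in for a Kali ISO image\n" * 1000
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "kali-linux-constructed.iso")  # assumed name
        with open(path, "wb") as f:
            f.write(payload)
        good = hashlib.sha1(payload).hexdigest()
        sums_line = f"{good}  kali-linux-constructed.iso"
        _, expected = parse_sums_line(sums_line)
        return verify_download(path, expected), verify_download(path, "0" * 40)


if __name__ == "__main__":
    print(demo())
```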

If you plan on playing around with a number of different virtual guests on your computer, it is probably a good idea to create a permanent folder somewhere on your system where you will keep all the necessary operating system .iso files.

Creating a Virtual Machine
Now let's return to VirtualBox and set up the virtual machine on which we will install the Kali operating system. Open VirtualBox and click "New". Provide a name for your Kali virtual guest system. Choose Linux as the type and Debian as the version, since Kali is derived from Debian Wheezy. As you can see below, I'm using the 32 bit version. Click Next.


Choose the amount of memory you want to allocate to the virtual instance once it is up and running. In my experience, Kali can use a lot of RAM, and the computer I'm running it on has a fair amount to spare, but for now I'm going to leave it at the default of 512MB.  You can also adjust these settings later to optimize them for your own setup. In my experience, Kali runs pretty well in VirtualBox even on a laptop with only 4GB of RAM, though you may have to conserve by shutting down memory intensive applications running on the host computer. After you've set your memory size, click Next.


Choose whether you want to create a virtual hard drive for the virtual machine. We're going to need one for our home lab, so check "Create a virtual hard drive now", then click Create.


For the "Hard drive file type", check "VDI (VirtualBox Disk Image)", then click Next.


In the "Storage on physical hard drive" window, you'll probably want to choose "Dynamically allocated." This means that space will not be taken up on your physical hard drive until it is actually written to the virtual disk. If you choose "Fixed size" then the virtual disk drive will take up a set amount of space on your physical hard drive even if that space has not been written to by the virtual machine. Click Next.


In "File Location and Size," choose where you want the hard drive files for the virtual system to be stored by clicking on the folder icon. I just use the default folder. This is where VirtualBox will store all files related to your virtual machine. Also, on this screen you may increase or decrease the amount of hard drive space you want to be allocated for the virtual instance. 8 GB is the default. I'm going to push mine up to 10 GB. Click Create.



The new virtual system should now appear in your VirtualBox interface. As you can see, I have three folders in my left sidebar, and have placed the kali1 instance I just created into a new "lab" group. In the main interface we can see the settings for the new system, which are a mixture of defaults and configuration settings we determined ourselves in the creation phase. Before starting up the instance for the first time, I usually adjust a few settings.


Click "Settings" for your new virtual machine. I'm going to add a description under the General menu, because I have other Kali instances on my computer.


In the System menu, under Motherboard, I uncheck "Floppy" in the boot order.


Also in the System menu, under the Processor sub-menu, we have to check "Enable PAE/NX" for Kali to operate properly.


Finally, under the Display menu, I add more Video Memory to the default 12MB, bumping it up here to 36 MB to start. Again, this can be adjusted later to optimize your particular setup.


That's it for now. Browse through the other menus. Notice in the Network setting we can add up to 4 different network adapters for our virtual machine. Later we will play around with the network settings, after we've fully installed the Kali operating system. For now, a single network adapter running on NAT (i.e. Network Address Translation) will suffice for our purposes.


Click "OK" to save your changes.

Fire up your new machine by double clicking it, or single clicking it and then clicking Start. You will be prompted to "Select start-up disk". We now have to choose the startup disk for our new virtual machine. This is the Kali .iso file we downloaded earlier. Click the folder icon and navigate to the folder where you've stored the Kali .iso file on your host computer. Select it, then click Start.



Booting into a Kali Live Session
Kali should boot as if you were booting a real physical machine from a CD with the Kali operating system file on it. Notice that if you click inside the guest window, your mouse pointer will be "captured" by the guest. From then on, your keyboard and mouse activity will control the virtual machine. To switch back to using your host machine, you have to hit the host key, which by default is Right-Control on my computer. It may be different depending on your operating system. The VirtualBox interface will tell you what the "Host Key" is in the bottom right of the window.


From this menu, you can boot into a number of different types of live session, or you can do a full install of Kali on the virtual hard drive we previously created inside Virtualbox. As we shall see, there are numerous advantages to doing a full install of Kali for the purposes of our home hacking lab, but one of the advantages of a live session is that we can jump right in without any further configuration. Let's select the default Live session. Here is the Kali Desktop after booting into live session (note the time and day, yes, this is how I prefer to spend Saturday evening):


You will soon notice that there are certain limitations to the virtual machine's interface. For example, your mouse wheel will not work, you cannot enlarge the screen or go full screen, there is no tab completion in the terminal, and there are other interface issues as well. This is not a limitation of the live session, or of Kali itself, but rather of the virtual machine we've created. All these issues can be addressed by installing the VirtualBox Guest Additions, but we'll save that for our future full install of the system.

Notice also that there are limitations to the default NAT networking interface. Under NAT (Network Address Translation) the Kali guest is not treated as its own independent node on the wider local area network. It does not have an independent IP address on the local area network; its virtual IP address is translated to the IP address of the host machine. This can be addressed by adding a second network adapter to the virtual system or changing the present one, as we shall see later on.

However, despite these limitations, you can already begin exploring the ridiculous number of tools that come bundled with Kali. Here are Kali's Top Ten Tools:


Since all appears to be working well, let's take a snapshot of the virtual machine. VirtualBox snapshots save the state of a virtual machine at a given moment so that you can return to it later. If you are experimenting with a new configuration and everything suddenly goes to hell, you can always revert to your previous snapshot like nothing happened. Go to the VirtualBox interface window, select your Kali guest, and click "Snapshots" in the upper right. Take a snapshot by clicking on the camera icon. Name the snapshot and give it a description. Now, if we seriously screw up something on the machine, we can always just revert to this prior state of the system.


Now let's reboot to do a full install. Click the root menu item in the top right of the Kali Desktop window. Then choose reboot or do a full shut down and boot from the VirtualBox interface. In the process, you will be prompted to remove the disk from the system. Of course, we are using a virtual disk image, so there is no physical disk that needs to be removed. Just press Enter to continue. Now reboot . . . OH NO!!!!! "FATAL ERROR: No bootable medium found! System failed."


If you've been following along thus far, you've likely just been delivered this disturbing warning by your virtual machine upon reboot. It's a good thing we took that snapshot! Actually, this was only to be expected. Remember when you had to remove the virtual disk from the machine upon shutdown or reboot? Well, we now have to re-insert the virtual disk so that we can reboot into Kali and move on to a full install of the operating system. To solve this "Fatal Error," with your virtual machine still running:
  1. Point your mouse toward the Oracle VM VirtualBox application menu on your host machine and find the Devices dropdown menu
  2. Select "CD/DVD devices"
  3. Select "Choose a Virtual CD/DVD disk file..."
  4. Select or navigate to your Kali .iso operating system file
  5. Close the virtual guest by exiting the window and powering off the machine 

After the machine shuts down, restart it from inside VirtualBox; it should boot into Kali from the newly inserted virtual disk.

Full Installation of Kali in VirtualBox 

Now let's move on to our full installation of the Kali virtual instance. Once your system reboots into the main menu, choose the Install option and hit enter.


The installation process will begin straight away. Note that over the course of the installation, the various menus are not graphical interfaces. You cannot point and click, you have to enter info via the keyboard, and use the arrow keys to navigate. We're not going to do anything fancy here for the purposes of this simple home lab setup. In most cases the defaults will suffice. Simply follow the directions on each page. This process took about an hour on my computer. Here's the first screen:


  1. Choose your language.
  2. Select your location.
  3. Select your keymap.
  4. Enter the new host's name. It simplifies things to choose the same name you chose for your VM inside VirtualBox, but these need not be the same name. You can also always change both names later if you so wish.
  5. Enter a domain name. I'm going to leave it blank and hit enter.
  6. Enter a root password, then re-enter to confirm. These will be the credentials for the root super-user on the system. Be sure to make a note of the password you've chosen.
  7. Select your time zone.
  8. Partition Disks, select 'Guided - Use Entire Disk'. Not to worry, here 'Entire Disk' means the virtual hard drive we created upon initial setup of the VirtualBox machine. In my case, this will eventually claim up to 10GB on my hard drive, as this was the size I specified when I created the VM.
  9. Select disk. This is the virtual hard drive we configured earlier.
  10. Select partition scheme. Let's choose default, all files in one partition.
  11. Confirm selections, or go back if necessary.
  12. Select yes, to commit the changes by writing them to disk.
  13. Select network mirror if any. None is needed for this home lab setup.
  14. Select proxy if any. None is needed for this home lab setup.
  15. Install grub boot loader (default).
  16. Installation complete! Select continue.

Let the machine do its thing, and then reboot the system. Upon reboot, log into Kali using 'root' as your username along with the password you chose for root during installation.

Congratulations, you now have a virtual instance of Kali Linux installed on your computer! But we're not done with our configuration of the new virtual machine just yet. We still have to update the software on the system, and then we're going to install the VirtualBox Guest Additions in order to enable full screen mode, tab completion in the terminal and so on. This process might take you another hour or so, depending on your internet connection.

Updating Kali and Prepping for Guest Additions
If your host computer is connected to the internet, you should have internet connectivity from inside your Kali VM over your NAT adapter. You can check this by opening up the bundled Iceweasel browser and making sure you can get online. Iceweasel can be opened by clicking the icon next to the Places drop down menu in Kali. You can also try pinging google.com or some other website from inside a terminal. You can open a terminal by clicking the terminal icon next to the Iceweasel icon. We are going to need a working internet connection to update the system.

Let's update the system. Open a terminal in Kali and enter the following command:
apt-get update
This will make sure Kali checks the most recent repository for any software updates. Once this process completes, enter:
apt-get dist-upgrade
This will update all software on the Kali system. Depending on your internet connection, this may take some time. The process lasted around 15 minutes for me this time around. Once that is complete, you now have a fully updated Kali virtual machine. But we are still lacking some basic functionality, so now we're going to install the VirtualBox Guest Additions.

Installing Guest Additions in VirtualBox can be tricky. To prepare the system to handle the Guest Additions, we have to run a couple more commands inside the terminal, so open up a new terminal shell and run the following series of commands one after the other, waiting for each to complete:
apt-get clean
apt-get autoclean
apt-get update
apt-get install build-essential linux-headers-`uname -r` dkms
Notice that `uname -r` is inside backticks, not single quotes in the final command here. Yes, this matters. The backtick key should be located just above the tab key on your keyboard. This series of commands was suggested on this CrunchBang forum post, and it has yet to fail me in setting up Guest Additions for a Debian-based machine inside VirtualBox. Once this process has completed, we can now install the Guest Additions themselves.

Installing VirtualBox Guest Additions in Kali
While engaged in the Virtual system, in the Oracle VM application menu, go to the Devices dropdown menu again. Notice the "Insert Guest Additions CD" option. Select it. You will get a pop-up inside Kali asking you if you want to run the file. If it succeeds, great! If not, that's not a problem. In my experience, it has never worked off the bat, so I click cancel.


Selecting the "Insert Guest Additions CD" menu option has inserted a virtual disk into your virtual machine. The files on this disk can be found in the folder: /media/cdrom/. Confirm that they are there by navigating to this folder in the graphical file system manager or in a terminal.

To install the Guest Additions for Kali, we need to run the VBoxLinuxAdditions.run file on the Guest Additions CD. However, you cannot simply run the file from the /media/cdrom/ directory. First we need to copy it and change its permissions.

Copy the file to your Desktop from inside a terminal with the following command:
cp /media/cdrom/VBoxLinuxAdditions.run /root/Desktop
You should see a copy of the file appear on the Desktop.  Change to the Desktop directory inside the terminal:
cd /root/Desktop
Change the permissions on the file with the following command:
chmod 755 VBoxLinuxAdditions.run
Run the additions file:
./VBoxLinuxAdditions.run
Success? Success!


If you experience any snags along the way here, you'll have to do some troubleshooting. There is a ton of info online regarding installation of Guest Additions in VirtualBox VMs, likely in large part because the process can be tricky. Remember also that support info for other Debian-based systems such as Ubuntu and CrunchBang will also apply to Kali in many cases. But the series of commands above has yet to fail me.

Upon successful installation of the Guest Additions, we have to shut down the machine for the updates to take effect. Reboot and log in as root again. Once the system reboots, the simplest way to confirm that the Guest Additions have been successfully installed is to see if you can maximize the window for the guest system. You should now also have tab completion in the terminal, among other things. You can now eject the Guest Additions virtual CD from the virtual CD drive. Click the Computer icon on the Desktop, then click eject under the devices menu.

We now have a fully updated fresh install of a Kali virtual machine with the VirtualBox Guest Additions installed. Let's shut down the machine, take a snapshot and switch the network adapter into bridged mode in preparation for the next tutorial.

Switching to Bridged Networking
After the VM has shut down and you've taken your snapshot, open up the settings of your new virtual system and go to the Network menu. Unless you've already changed these settings, you should have network Adapter 1 enabled, and attached to NAT. Change the attachment to a bridged adapter. This will allow our guest to act as an independent host on our local network, rather than have its address translated by the host computer the virtualization software is running on.


Finally, the adapter Name has to be set to the appropriate network adapter of the host machine, i.e. the one that is actually connected to your local network, whether it is a wireless connection, an Ethernet connection, or whatever. The appropriate one should be selected by default. Click OK.

Start up the guest. Open a terminal and ping a known website or host, or use a browser to visit a web page. If it works, CONGRATS! You're in bridged mode.

If you have no networking capability, and can't even ping other computers on your home network, let alone a website, you have to do some troubleshooting. Here are some troubleshooting questions:
  • Are your networking settings correct in VirtualBox?
  • Is the adapter for the guest machine connected to the right interface on the host computer?
  • Is Kali's /etc/network/interfaces file structured properly?
  • Is the appropriate interface up as indicated by ifconfig?
  • Have you tried restarting Kali's networking service?
  • Is Kali's /etc/NetworkManager/NetworkManager.conf file structured properly?
  • Have you tried restarting the network-manager service?  
As the old saying goes, when all else fails, read the manuals!  

Setting up an Administrator Account
If you've followed along this far, you are now logged into your Kali VM as root, have a fully updated system, and the VirtualBox Guest Additions installed. It is not good to get into the habit of running everything in Kali as root. Best practices dictate setting up an administrator account and using sudo to run security-sensitive commands.

Create an administrator account by going to the root dropdown menu in the top right of the Kali Desktop. Then select: root -> system settings -> user accounts -> create an administrator account. Create an administrator account with a separate password. Then log out, and log back in with your new admin account. Using an administrator account such as this creates a bit of extra work (e.g. having to use sudo for otherwise everyday commands such as ifconfig, and having to do a bit of extra configuration for applications such as Wireshark and Zenmap), but it is a good habit to get into so as to avoid becoming careless with the root account. After setting up an administrator account, shut down the machine and take another snapshot.

In part two, we will use two tools bundled in Kali to explore your home local area network. Thanks for following along. As always, leave any questions or comments below. 

Hack Lab Intro: How to Set up a Home Hacking and Security Testing Lab

Introduction

This series of articles comprises an introductory tutorial on how to set up a home lab to experiment with common hacking and information security testing tools. Our setup will allow us to explore the sorts of computer and network vulnerabilities that can be encountered on the internet, and to test the security of our own home computer network and networked devices, all from within an isolated and secure working environment. The series is geared toward individuals who have little or no prior experience with virtualization software or common hacking and security testing tools, but are interested in exploring network and computer security.

Over the course of the tutorial series, we will create two separate network configurations. The first will be a completely virtual environment populated by two virtual guest systems running inside a single host computer. This requires nothing more than an internet connection for the necessary downloads, and a computer with relatively modest RAM and disk resources.

The second configuration will be an everyday local area network of the sort that can be found in many homes, but which is isolated from the internet and where we can strictly control and monitor all network traffic. This setup is slightly more involved in terms of hardware than the first, requiring also a spare router.

Our monitoring and attack system in both configurations will be an instance of a Kali Linux virtual machine running inside an installation of the VirtualBox software package on our primary computer. Kali is a Linux operating system distribution intended for security testing and digital forensics.

In the first completely virtual network environment, our victim will be an instance of Metasploitable2, a virtual machine that exhibits vulnerabilities that can be found on everyday computer systems and software configurations. As noted at Offensive Security, "Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques."

In the second network configuration, we will use the Kali Linux virtual machine to compromise an everyday local area network router of the sort that can be found on many home networks, in order to demonstrate just how easy it can be to steal login credentials passed from another computer on the network.

The tutorial is broken down into four parts:
  • Part 1 covers the installation of VirtualBox and provides a walk through of a full installation of a Kali virtual machine on your primary lab computer. Along the way, we'll take a short detour on how to quickly run live Kali sessions without a full installation of the machine.
  • Part 4 provides details on setting up our second network configuration, which models an everyday home local area network. With the attack machine, we'll conduct a simple man-in-the-middle attack against the network's router, and demonstrate a serious security vulnerability by stealing login credentials sent to it from the victim machine, in this case, the host computer. 

This (Text) Message Will Self-Destruct (Your Hard Drive's Data)

Security of your digital information now means security of the majority of your life.  Though it's possible to use a service that will release your valuable documents in the event of your untimely demise, what if you just need a complete destruction of data?

Look no further than the Autothysis128t.  According to ign.com, the 128-gigabyte hard drive is specially created for cautious compilers' control.  It's encrypted with a password, but for an unbeatable extra level of security, an onboard cell radio is standing by to eradicate your info with a mere text message.  

The Autothysis128t can be programmed to automatically go scorched-earth on your saved files in several ways, such as if it's unplugged from your computer, or if too many passwords are attempted to crack it.  But the real killswitch is the text-based execution order (textecution?) that you personally choose and fire off should the situation require it.

Thus, in event of theft or loss, the device will murder your data beyond all known recovery techniques as soon as you hit "send."  For $1600, it's an expensive security measure, but can you put a price on perfect privacy?

For all of your most sensitive materials.





Dead Drop: Darknet Service Will Be Your Whistleblower If You Mysteriously Disappear

It's hard out there for a whistleblower.  With Bradley "Chelsea" Manning in extreme custody, Edward Snowden hiding out in Russia, and numerous other knowledge-droppers dead under sketchy circumstances, one would be deterred before breathing a word of any new top-secret info - no matter how damning.  However, if you do happen to have your hands on some hot intel, and fear for your safety because of it, a new service will release your documents if you end up disappearing or dead.

The service, called Dead Man Zero, is accessible only through the deep web.  According to vice.com, it costs around $120 (paid in bitcoin).  One uploads their files to a secure cloud, then the site requires password updates (at an interval chosen by the user), which, if not made, trigger a release of the documents to the user's desired outlets (lawyers, journalists, etc.)

“So what if something happens to you?” Dead Man Zero's site ponders. "Especially if you're trying to do something good like blow the whistle on something evil or wrong in society or government. There should be consequences if you are hurt, jailed, or even killed for trying to render a genuine and risky service to our free society...Now you have some protection. If 'something happens' to you, then your disclosures can be made public regardless.”

It adds, "If events overtake you, you can still overtake your adversaries."

Of course, for anyone paranoid enough to use this service, a secondary dose of worry ensues.  Is the cloud secure enough?  Will the site sustain long enough to make certain my documents really do survive me?  Will they follow through with their promise despite what the intel may contain?  Yes, it is a gamble.  But so is possessing information worthy of this kind of necessity.  For true protection of what is too dangerous for public knowledge, it's either a service like this, or a buried chest full of documents and some keys distributed to your close associates...which do you feel is truly the safest?

You could always test their security by uploading a treasure map to the cloud and laying booby traps for anyone who comes after it.  Just an option.


Hashing: How and Why to Check a File's Hash Value

Consider the following situation. You have been working for days on a PowerPoint presentation for work or school, and have been keeping the file on a shared computer, a network drive or even a personal flash drive. You put the final touches on your presentation the night before it’s due, save the file and get ready for a good night's sleep. The next day, you confidently begin your presentation. But imagine your surprise when you and your audience see the following image on your third slide:


You’ve been pranked. If you're lucky, everyone got a good laugh out of it. If not, there may be more serious consequences, depending on the situation. This sort of everyday scenario raises an obvious question. Short of opening the file and manually perusing each slide in the presentation, how could you be sure that it had not been modified by any of the pranksters you may share your computer or network with? More seriously, how can we verify the integrity of a file that may or may not have been modified by a malicious individual seeking to infect our computer or network with a dangerous piece of malware?

In this article, we’ll consider these questions and discuss the pros and cons of one simple means by which we can verify a file’s integrity to ensure that it has not been tampered with, namely, by verifying its hash value. We’ll conclude with a quick tutorial on how to verify a file’s hash value on Mac, Linux and Windows systems, and provide some links to a few lectures on cryptographic hash functions culled from the series of courses listed in our collection of free online computer science courses. Our primary sources along the way will be Everyday Cryptography by Keith M. Martin, and Applied Cryptography by Bruce Schneier.

Malware comes in many different guises. As the Electronic Frontier Foundation writes in their Surveillance Self-Defense Project, malware is frequently spread by "trick[ing] the computer user into running a software program that does something the user wouldn't have wanted." Let's say you decide to download a file from a website you know and trust, and from which you have safely downloaded files in the past. How do you know, for example, that the file you have downloaded onto your computer is in fact the one intended by the trusted website? How do you know it was not altered in transit? How do you know it was not swapped for another file by a malicious attacker? And how can you determine this without running the file first? 

One simple way to verify a file's integrity is by confirming its hash value. In Everyday Cryptography, Martin writes: “Hash functions can be used to provide checks against accidental changes to data and, in certain cases, deliberate manipulation of data . . . As such they are sometimes referred to as modification detection codes or manipulation detection codes” (emphasis in original, Martin, p. 188). In our opening example, a suitable hash function would have allowed you to detect that your presentation had been modified in some way without ever opening it.

So, what is a hash function? The primary practical property of a hash function is that it compresses arbitrarily long inputs into a fixed length output (Martin, p. 189, Schneier, section 2.4). Furthermore, slight differences in the input data result in large differences in the output data. “A single bit change in the pre-image [i.e. the file you’re hashing] changes, on the average, half of the bits in the hash value,” (Schneier, section 2.4). Two of the most commonly used cryptographic hash functions are known as MD5 and SHA1. Schneier quotes NIST’s description of the SHA hash function as found in the Federal Register:
The SHA is called secure because it is designed to be computationally infeasible to recover a message corresponding to a given message digest, or to find two different messages which produce the same message digest. Any change to a message in transit will, with a very high probability, result in a different message digest. (Schneier, section 18.7.)
Here’s a simple example. I have created a plain text file named hello.txt on my Desktop. The file contains a single line that reads: “Hello there.” Applying the well-known sha1 hash function to the file produces the following hash value:
4177876fcf6806ef65c4c1a1abf464087bfbf337

If I edit the file and remove the period from the end of the line so that it reads “Hello there”, the hash function now returns an entirely different value: 33ab5639bfd8e7b95eb1d8d0b87781d4ffea4d5d.

If I then return the file to its original state by adding the period back in to the end of the sentence, the hash value of the newly edited file will be the same as the original hash. And we would have seen much the same result (though it would have taken a good bit longer to compute!) if my original file had been a copy of the complete works of Shakespeare from which I then removed a period.  

Let’s consider a more practical example. The Electronic Frontier Foundation provides a number of recommendations on how to reduce your risk of malware infection in its Surveillance Self-Defense Project. At the top of their list, we read: “Currently, running a minority operating system [their examples are Linux and MacOS -ed.] significantly diminishes the risk of infection because fewer malware applications have been targeted at these platforms. (The overwhelming majority of existing malware targets only a single particular operating system.)” This is more security through obscurity than anything else, but it’s still fun to try out new things, so after a bit of reading you decide to download a copy of the latest version of Ubuntu from an online repository.

How can you check to make sure that the file you’ve downloaded is the official one intended by Ubuntu’s developers and has not been manipulated or corrupted in transit? One way is to confirm that the file’s hash value is equivalent to the one provided by the developers. So you go to the page that lists the download’s hash value and make a note of it. Next, you run the hash function on the file you downloaded. If the resulting value is equivalent to the expected one, you have successfully verified the file’s hash.
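The hello.txt experiment and the download check described above, written out as a small script. This is an added example for this page, not the article's own code; it uses only the Python standard library, the sample files are constructed inline, and the digests it prints are computed at run time rather than copied from the text.

```python
"""Compute and verify a file's hash value, and show the avalanche effect.

Added example written for this page; not code from the original article.
"""
import hashlib
import hmac
import os
import tempfile

# The two functions the article names. Both have known collision attacks,
# so a verifier should prefer SHA-256 whenever the publisher offers it.
WEAK_ALGORITHMS = {"md5", "sha1"}


def hash_file(path, algorithm="sha1", chunk_size=1 << 20):
    """Return the hex digest of a file.

    The file is read in chunks, so a multi-gigabyte .iso such as the Kali
    image does not need to fit in memory.
    """
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, expected_hex, algorithm="sha1"):
    """Compare a file's digest with a published value.

    Returns (matches, warning). The comparison uses hmac.compare_digest so
    the comparison time does not reveal where the strings first differ.
    The warning reminds the caller of the article's two caveats: a match
    only proves the file equals whatever was hashed to produce
    expected_hex (if the site was compromised, so was the hash), and MD5
    and SHA-1 are weak against deliberately crafted collisions.
    """
    actual = hash_file(path, algorithm)
    matches = hmac.compare_digest(actual, expected_hex.strip().lower())
    warning = None
    if algorithm in WEAK_ALGORITHMS:
        warning = ("%s is collision-prone; a match shows the file is intact, "
                   "not that it is authentic" % algorithm)
    return matches, warning


def differing_bits(data_a, data_b, algorithm="sha1"):
    """Count the digest bits that differ between two inputs.

    Demonstrates the avalanche effect quoted from Schneier: on average
    about half of the 160 SHA-1 digest bits change when one byte of the
    input changes.
    """
    da = hashlib.new(algorithm, data_a).digest()
    db = hashlib.new(algorithm, data_b).digest()
    xor = int.from_bytes(da, "big") ^ int.from_bytes(db, "big")
    return bin(xor).count("1")


def write_temp(content):
    """Write constructed sample bytes to a temporary file; return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    # Constructed stand-ins for the article's hello.txt before and after
    # the period is removed.
    original = write_temp(b"Hello there.")
    edited = write_temp(b"Hello there")
    published = hash_file(original)  # what a download page would list
    print("sha1(original) =", published)
    print("sha1(edited)   =", hash_file(edited))
    print("original verifies:", verify_file(original, published))
    print("edited verifies:  ", verify_file(edited, published))
    print("bits changed by removing one period: %d of 160"
          % differing_bits(b"Hello there.", b"Hello there"))
    os.remove(original)
    os.remove(edited)
```

Pointing hash_file at a downloaded .iso and passing the value from the download page to verify_file performs the SHA1SUM check the Kali tutorial above asks for.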

However, it is critical to note here that verifying a file’s hash value by itself establishes only a relatively weak form of data integrity, compared with more robust mechanisms such as digital signature schemes, which provide stronger integrity verification and also authentication of origin. (Martin, pp. 186-189.) This is because a hash value such as we are discussing here cannot tell us anything about where a digital file came from; it only tells us whether two inputs were identical. Suppose that, unbeknownst to you, the site you downloaded the file from has itself been compromised, and the attacker has 1) replaced the download with a piece of malware, and 2) also replaced the published hash value with the hash of the malware. An attacker who can write to the download directory can usually write to the page next to it as well.

If you then verify the hash of your downloaded file, you have done nothing more than verify the integrity of the malware, and you are none the wiser because the site itself was compromised. The recorded hash still has some forensic value: if you later learned through another channel that the site had been compromised, it would let you tell the malicious file apart from the legitimate one. In a digital signature scheme, as mentioned above, the developer signs the legitimate hash value (in practice the whole list of hashes, which is what Ubuntu does with its SHA256SUMS and SHA256SUMS.gpg files) with a private key the attacker does not hold. A substituted hash list then fails signature verification even though it matches the substituted file. The question of trust is thereby displaced to the question of signature authentication: did you obtain the developer’s genuine public key through a channel the attacker could not tamper with? If the public key is simply posted on the same compromised site, the attacker replaces that too.
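The following script, an added example that is not part of the original post, walks through exactly this scenario with the openssl command-line tool: a developer publishes a file, a digest list and a signature over the list; an attacker who controls the mirror swaps the file and rewrites the digest; the hash-only check still passes while the signature check fails. The key pair, file contents, directory layout and function names are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: why a matching hash proves nothing about
# origin, and how a signature over the digest list changes that. Assumes a POSIX shell
# and the openssl command-line tool; the developer key pair, the release file, the
# "mirror" directory and the attacker's substitution are all constructed here.

# Hex SHA-256 of a file (openssl prints "NAME(file)= hex"; keep only the hex).
sha256_of() {
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
}

# Developer side, run once: an RSA key pair. The public half must reach users by a
# path the mirror does not control (keyserver, HTTPS site, preinstalled keyring).
make_keys() {   # make_keys <key dir>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/dev.key" 2>/dev/null
    openssl pkey -in "$1/dev.key" -pubout -out "$1/dev.pub"
}

# Developer side, per release: the file, its digest list, and a detached signature
# over the list (the same shape as Ubuntu's SHA256SUMS and SHA256SUMS.gpg).
publish() {   # publish <mirror dir> <private key>
    printf 'genuine release\n' > "$1/app.bin"
    printf '%s  app.bin\n' "$(sha256_of "$1/app.bin")" > "$1/SHA256SUMS"
    openssl dgst -sha256 -sign "$2" -out "$1/SHA256SUMS.sig" "$1/SHA256SUMS"
}

# User side, the check the post describes: does the file match the published digest?
hash_check() {   # hash_check <mirror dir>
    expected=$(cut -d' ' -f1 "$1/SHA256SUMS")
    [ -n "$expected" ] && [ "$expected" = "$(sha256_of "$1/app.bin")" ]
}

# User side, the stronger check: was the digest list signed by the developer's key?
# Exit status is 0 only if the signature verifies under the trusted public key.
sig_check() {   # sig_check <mirror dir> <trusted public key>
    openssl dgst -sha256 -verify "$2" -signature "$1/SHA256SUMS.sig" "$1/SHA256SUMS" >/dev/null 2>&1
}

# Attacker with write access to the mirror: swap the file and rewrite the digest to
# match. Without dev.key the old signature no longer covers the new list.
compromise_mirror() {   # compromise_mirror <mirror dir>
    printf 'malware\n' > "$1/app.bin"
    printf '%s  app.bin\n' "$(sha256_of "$1/app.bin")" > "$1/SHA256SUMS"
}

demo() {
    work=$(mktemp -d)
    mkdir "$work/keys" "$work/mirror"
    make_keys "$work/keys"
    publish "$work/mirror" "$work/keys/dev.key"
    hash_check "$work/mirror" && echo "clean mirror: hash matches"
    sig_check "$work/mirror" "$work/keys/dev.pub" && echo "clean mirror: signature verifies"
    compromise_mirror "$work/mirror"
    hash_check "$work/mirror" && echo "compromised mirror: hash STILL matches (the post's point)"
    sig_check "$work/mirror" "$work/keys/dev.pub" || echo "compromised mirror: signature FAILS"
    rm -rf "$work"
}

demo
```

Run it with sh. The only artifact that must come from somewhere the mirror cannot touch is dev.pub, which is why the demo keeps it in a separate directory from the mirror. Ubuntu’s real-world equivalent of sig_check is gpg --verify SHA256SUMS.gpg SHA256SUMS with the Ubuntu archive signing key already in your keyring.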

A second concern regarding this method of determining data integrity is the security of the hash functions themselves. There are known practical and theoretical weaknesses in two of the hash functions most commonly used for exactly this purpose on the web today, MD5 and SHA-1; both should be considered obsolete for new use, and SHA-256 is the usual replacement. A discussion of these vulnerabilities is beyond the scope of the present article, but more information can easily be found online. One caveat worth knowing when reading it: the published attacks on MD5 and SHA-1 are collision attacks, in which the attacker constructs two files of his own that share a hash. Producing a new file that matches an already published hash of somebody else’s file (a second-preimage attack) remains impractical for both, so in the download scenario above the unsigned hash page is the more immediate weakness.

Still, as Bruce Schneier states, “we cannot use [one-way hash functions] to determine with certainty that the two strings are equal, but we can use them to get a reasonable assurance of accuracy.” (Schneier, section 2.4). In other words, hash functions can help us establish a basic level of data integrity. In our opening example, simply making a note of the hash and then checking it the next day would have sufficed to establish that the file had been tampered with. But, of course, if the file had been signed, or otherwise protected from modification to begin with, it never would have been an issue in the first place.

Finally, how does one actually compute the hash value of a file? It is rather simple, but the specifics depend on your operating system. macOS and Linux systems come bundled with the necessary tools; Windows is covered below. The examples use MD5 and SHA-1 because those are the values most download pages list; where a SHA-256 value is published (Ubuntu, for instance, provides a SHA256SUMS file for each release), use the sha256 variant of the same command, since MD5 and SHA-1 are no longer recommended for this purpose. We’ll consider each system in turn.

MacOS
1) Open up a command line Terminal.
2) Type “openssl md5 </path/to/file>” into the terminal and press enter.
2A) As an alternative to #2, you can also type “openssl md5 ” into the terminal, then drag and drop the target file into the Terminal window, and press enter.
3) The terminal will then return the MD5 hash value of the given file.

To compute the hash value of the file using a different hash function, type the name of that function into the terminal command in place of “md5”. For example, to compute the SHA-1 hash of a file, you would type “openssl sha1 ” followed by the file path, and “openssl sha256 ” for SHA-256. To see a list of the message digest commands your copy of openssl supports, type “openssl help” into the terminal and look at the “Message Digest commands” section. macOS also ships the dedicated utilities “md5 </path/to/file>” and “shasum -a 256 </path/to/file>”; the latter accepts the same SHA256SUMS lists as Linux’s sha256sum, via “shasum -a 256 -c SHA256SUMS”.

Linux (Debian-based)

1) Open up a command line Terminal.
2) Type: “md5sum </path/to/file>”. Then press enter.
3) The terminal will return the MD5 hash value of the given file.

To compute the hash value of the file using a different hash function, put the appropriate command in front of the path to the target file. For example, “sha1sum </path/to/file>” computes the file’s SHA-1 value and “sha256sum </path/to/file>” its SHA-256 value; the same coreutils family includes sha224sum, sha384sum and sha512sum, and “man sha256sum” documents them. Two conveniences are worth knowing: if the developers publish a list such as Ubuntu’s SHA256SUMS, “sha256sum -c SHA256SUMS” checks every file named in it at once and prints OK or FAILED per entry, and “openssl dgst -sha256 </path/to/file>” works as well wherever OpenSSL is installed.

Windows
Recent Windows systems do include built-in tools, though they are less well known. At a command prompt, “certutil -hashfile C:\path\to\file SHA256” prints the SHA-256 value (MD5 or SHA1 can be given in place of SHA256), and in PowerShell 4.0 or later “Get-FileHash C:\path\to\file -Algorithm SHA256” does the same. Microsoft Support also lists the older File Checksum Integrity Verifier, but warns that it is not supported by Microsoft and is only of use on Windows 2000, Windows XP and Windows Server 2003. This discussion at superuser provides a number of other options.
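Putting the procedures above together, here is an added example (not code from the original post) of the check as a practitioner would script it: a function that computes SHA-256 with whichever of sha256sum (Linux), shasum (macOS) or openssl is available, a comparison against a published digest, and a checker for a whole SHA256SUMS-style list that reports OK or FAILED per file, the way sha256sum -c does. The file contents, digests and file names are constructed for the demonstration and are not real Ubuntu release data.

```shell
#!/bin/sh
# Added example, not from the original post: check a download against a published
# SHA-256 digest with whatever tool the machine has. Assumes a POSIX shell plus one of
# sha256sum (Linux coreutils), shasum (macOS) or openssl. The "ubuntu.iso" file and
# the SHA256SUMS list below are constructed stand-ins, not real release data.

# Hex SHA-256 of a file, using the first tool found.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Does the file's digest match the published one? Digests are compared
# case-insensitively because download pages show them in either case.
verify_sha256() {   # verify_sha256 <file> <expected hex digest>
    actual=$(file_sha256 "$1" 2>/dev/null)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Check every entry of a SHA256SUMS-style list ("<digest>  <name>" or
# "<digest> *<name>", as written by sha256sum/shasum) against the files
# next to it. Returns non-zero if any entry fails or its file is missing.
verify_sums_file() {   # verify_sums_file <path to SHA256SUMS>
    sums=$1
    dir=$(dirname "$sums")
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        digest=${line%% *}
        name=${line#* }     # drop the digest and the first space
        name=${name# }       # second space of the two-space text form
        name=${name#\*}      # '*' marks binary mode in sha256sum output
        if verify_sha256 "$dir/$name" "$digest"; then
            echo "OK      $name"
        else
            echo "FAILED  $name"
            status=1
        fi
    done < "$sums"
    return $status
}

# Walk through the post's scenario with constructed data.
demo() {
    tmp=$(mktemp -d)
    printf 'hello world\n' > "$tmp/ubuntu.iso"   # stand-in for the downloaded image
    # Constructed digest list in the layout Ubuntu publishes (digest, two spaces, name).
    printf '%s  ubuntu.iso\n' a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447 > "$tmp/SHA256SUMS"
    verify_sums_file "$tmp/SHA256SUMS" && echo "download intact"
    printf 'X' >> "$tmp/ubuntu.iso"              # simulate corruption or tampering in transit
    verify_sums_file "$tmp/SHA256SUMS" || echo "download altered: do not install it"
    rm -rf "$tmp"
}

demo
```

Run it with sh on any of the three systems’ shells. The SHA256SUMS parser deliberately tolerates both the “two spaces” and the “ *name” forms, because lists produced on different systems use either, and a trailing entry without a newline, which is why the read loop also tests for a non-empty last line.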

Video Lectures on Hash Functions
As always, comments, questions, suggestions and angry tirades are welcome below.

Going Dark: New Email Technology To Easily Encrypt Everything

The unabashed abuse of privacy on the global scale is one of the most troubling invasions of our time. Now, one programmer is advocating a new paradigm of electronic communications that is simple and effective: "Dark Mail" that encrypts every email, every time.

Ladar Levison created the popular and secure email service Lavabit, which made news when he shut down the service entirely rather than cede to the government's demands that he surrender the service's SSL private keys (which would have exposed every user's traffic and undermined the entire purpose of the operation). This happened hot on the heels of the Edward Snowden leaks, and since then no seriously secure single service has stepped forward to fill the gap. Now, as popularmechanics.com reports, Levison still wants to keep you covered.

In an interview posted today, Levison stated that everyone should assume that their electronic communications are being monitored at all times. This creepy but cruelly accurate statement is one that has yet to sink in for modern society, even though it means that everything from their (possibly "dangerous" and defamatory) private opinions to naked pictures is subject to scrutiny. He argues that the complexity of the e-communication infrastructure, coupled with the ease of compromising "endpoint security" (one's own computer or device), makes things difficult for the average privacy-minded person. He has created "Dark Mail", a new encryption design, to help spread the powers of privacy.

As Levison explained:

"Dark Mail is really an effort to turn the world’s email dark—to make email encryption ubiquitous, universal, and automatic. The simplest explanation of what we’re doing is that we’re rewriting the protocols of email—the standard rules computers use for delivering email messages—so that messages are encrypted before they leave your computer and can’t be decrypted until they’ve reached the recipient’s computer. And because this is built into the system, there’s no cognitive burden. Grandma could use this—you don’t need to understand encryption or why it’s important. If someone can use email today, they will be able to use Dark Mail tomorrow."

Levison went on to explain that Dark Mail is not an email service; rather, it is a technology that any provider could implement. Building on the ideas of PGP (Pretty Good Privacy), Dark Mail uses asymmetric cryptography: a public key (given to anyone who wants to send an automatically encrypted message to a specific recipient) and a private key (held, in theory, only by the recipient, who alone can decrypt the message). Layers of anti-metadata technology to shake electronic trackers are also in the works.

Levison went on to reference Phil Zimmermann, PGP's creator, and the lengthy criminal investigation he endured for creating encryption software so strong that its export was at the time regulated as a munition (the investigation was eventually closed without charges). On paper (and in e-documents), there are laws in place to allow us this level of privacy.

Even if you feel you're doing nothing wrong, how do you know what those who would malign you are using against your favor? Why become a target just because you might be seeking knowledge that someone else deems illicit? Keep your privacy and your freedom close at hand, for both are valuable enough to be stolen.

If George W. Bush's personal oil painted nudies can be e-heisted, your info doesn't stand a chance. 


Scammed By A Skimmer: Watch Out For ATM-Based Info Theft Devices

Crafty criminals have used technology to streamline their operations since the word "hacking" only meant to slash off someone's limb.  Recently, their methods have been getting trickier and less obtrusive, so much so that you may be robbed without even knowing about it.

Who needs to be a stickup artist when a simple, slim ATM skimmer can do all the work for you?  According to gizmodo.com, that's what's troubling police in southern Europe this week, after this insidious little interloper was pulled from a bank machine.

It's efficient, but sure doesn't look as badass as old bank robbers used to.

Powered by a mere watch battery and a small magnetic reader, the heist device was also equipped with a small data storage unit.  The skimmer was likely used alongside an external camera that watched customers entering their PINs, although this was missing from the crime scene.  One bank employee explained that mystery well, stating they "didn't capture any hidden camera [because the criminals] probably took it. There were definitely no PIN pad [overlays]. In all skimming cases lately we see through the videos that fraudsters capture the PIN through [hidden] cameras."

This trend could easily go unnoticed in busy commercial centers where people need cash quickly, but if you aren't paying attention, you may end up paying through the nose. Keep your eyes peeled and your wallets sealed around shady ATMs!
A.T.Ummmm...




Mass Surveillance In Massachusetts: Boston Police Spy And Lie


In yet another installment of a police force overprotecting and serving themselves, it has recently come to light that every single attendee of the Boston Calling music festival in 2013 was under surveillance, the records of which were left accessible online.  According to techdirt.com, the Boston Police Department then lied about their involvement in the entire operation.

While the event was clearly being documented by the media, various videographers, and amateur snapshooters alike, no one was availed of the information that they were being categorized and profiled during the festival.  Reporter Tim Cushing described it as such:

"What Boston Calling attendees (and promoters, for that matter) didn't know, however, was that they were all unwitting test subjects for a sophisticated new event monitoring platform. Namely, the city's software and equipment gave authorities a live and detailed birdseye view of concertgoers, pedestrians, and vehicles in the vicinity of City Hall on May 25 and 26 of 2013 (as well as during the two days of a subsequent Boston Calling in September). We're not talking about old school black and white surveillance cameras. More like technology that analyzes every passerby for height, clothing, and skin color."

Boston's Dig website found some even more unsettling information:

"Shockingly, these sensitive documents have been left exposed online for more than a year. Among them are memos written by employees of IBM, the outside contractor involved, presenting plans to use "Face Capture" on "every person" at the 2013 concert. Another defines a party of interest "as anyone who walks through the door."

Over 50 hours of footage was available for easy access. When confronted, the Boston police department denied any involvement, until they were called out by journalist Kenneth Lipp (who found the files). Boston police were clearly seen in monitoring stations, being trained by IBM employees.

Fortunately, this forced out the truth, with mayoral press secretary Kate Walsh explaining to Dig in an email that a "pilot program" had indeed been tested, and of course, it was for our own good. The city was merely "looking at challenges such as permitting, basic services, crowd and traffic management, public safety, and citizen engagement through social media and other channels. These were technology demonstrations utilizing pre-existing hardware (cameras) and data storage systems."

Yes, that's right. They've had the ability to do this for a while. And nobody in the crowd - or even the promoters - knew.

Lipp continued to probe, uncovering a host of other sensitive information that the BPD had left out in nearly plain sight. Driver's license information, addresses, and other valuable informative material was easily accessed, which could have led to a bigger problem than anything the cops were looking out for with their spy system.

Despite events like the Boston Marathon bombings prompting authorities to seek more intel on members of large crowds, the fact that this system went live without any public knowledge or oversight, and was then lied about, doesn't make the average civilian feel any safer.  When civilians are treated like suspects for no reason, cops are acting like villains for no reason.  And what kind of society is served by villains?

Soon they'll start judging and profiling you by your music tastes, too.




NSA: Naked Snaps Agency

The famous Edward Snowden NSA leaks provided a shocking amount of disclosure to a nation that is still trying to chalk up the agency's egregious misconduct to "national security." Now, in a new interview, Snowden admits the dirt they were digging up on people is a little more lascivious than previously thought.

In an interview with The Guardian, as reported by Ars Technica, Snowden said in no uncertain terms that NSA agents commonly obtained and distributed nude and sexually explicit private photos of the people they are sworn to protect. Snowden described the chain of events whereby young agents would find an appealing photo during the course of their work, then share and compare it with pornographic pics found by their coworkers.

In Snowden's own words, he said, "It's never reported. Nobody ever knows about it because the auditing of these systems is incredibly weak. The fact that your private images, records of your private lives, records of your intimate moments have been taken from your private communications stream from the intended recipient and given to the government without any specific authorization without any specific need is itself a violation of your rights. Why is that in a government database?”

The interview also included Snowden categorically denying attacks that he is a Russian spy, calling such allegations, "Bullshit." Just because he's trying to shut off the NSA's abundant amateur porn supply doesn't mean he hates America.


You Keep It, They Peep It: No Fourth Amendment For Foreign Data Storage?

The United States government is actively opposing Microsoft's endeavors to protect users' electronic information. Contesting a ruling from earlier this year that demanded warrants for online data, the government cited the Stored Communications Act to attempt to retrieve data from a server in Ireland, saying, "Overseas records must be disclosed domestically when a valid subpoena, order, or warrant compels their production. The disclosure of records under such circumstances has never been considered tantamount to a physical search under Fourth Amendment principles, and Microsoft is mistaken to argue that the SCA provides for an overseas search here. As there is no overseas search or seizure, Microsoft’s reliance on principles of extra-territoriality and comity falls wide of the mark."

According to petapixel.com, the case concerned information stored by drug traffickers and was a target for extensive search, but the principle remains the same. Better get your own external hard drive to store those terabytes of homemade furry videos, because if they're stored offshore, the government can enjoy them to their hearts' content.

Just assume your data's not safe anywhere.


Chicago Serves Up Deep-Dish Big Brother With New Downtown Multi-Sensors

Urban engineering requires a lot of data to help cities and their denizens improve. However, the city of Chicago may have taken it into creepy territory with their new, discreet, downtown multi-sensors.

Ostensibly created to track data on climate, pedestrian movement patterns, environmental pollutants, light intensity, sound volume, and (of course, in Chicago) wind, the sensors are an interesting idea to monitor city elements in real time. The worrisome bit is that they also record the cellphone connectivity of passersby. Advocates are quick to point out that the sensors only monitor connectivity to wireless networks, not actual device signatures, but the element of privacy invasion remains.

Computer scientist Charlie Catlett, who has led the team working on this "Array Of Things" project, told the Chicago Tribune that, "We don't collect things that can identify people. There are no cameras or recording devices...sensors will be collecting sound levels but not recording actual sound. The only imaging will be infrared."

However, Gary King, Harvard University's director of the Institute for Quantitative Social Science, astutely pointed out that, "If they do a good job they'll collect identifiable data. You can (gather) identifiable data with remarkably little information...you have to be careful. Good things can produce bad things."

The data grab is being promoted in part as a means to understand urban environments more thoroughly, and to make cities run more cleanly and efficiently. Hopefully this won't include raids from the Thought Police.

Will you be e-raided by the Array?  Image courtesy the Chicago Tribune.



Down With The Sickness: Your Online Health Records Are Easily Hackable



Your medical records from personal doctors and hospitals are increasingly going electronic, both due to ease of accessibility for providers and the stimulus of $24 billion in federal incentive money (thanks to the 2009 Health Information Technology for Economic and Clinical Health Act).  Now, serious worries are being raised that this sensitive information isn't being protected well enough from threats.

According to the Identity Theft Resource Center, over half of the 353 tracked breaches in 2014 were from the health sector.  Criminal attacks on health data are on the rise, with the target information (such as a full health profile on a certain person) selling for $500 on the black market.  This information can be used to steal an identity to obtain care, or worse, to commit blackmail with the sensitive material.  A Ponemon report claimed 313,000 people were health-record heist victims in 2013, up 19 percent from the previous year.

Politico.com reports that security ratings firm BitSight has rated the health care industry as the least prepared for a cyber attack, thanks in part to their high volume of threats and slow response time.  Also, about half of health systems surveyed in an annual review by the Health Information Management Systems Society indicated that they spent 3 percent or less of their IT budgets on security.

Even the Feds admit this is a weak system.  The health industry “is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” according to a warning released by the FBI.

Since 2009, more than 31.6 million individuals (a tenth of the United States) have had their medical records exposed through some form of malfeasance or outright theft, according to the U.S. Department of Health and Human Services.


OnionShare Anonymity Software Makes Spies Cry: New Secure Filesharing Service Expertly Thwarts Middlemen


With privacy issues becoming more and more critical in modern life, it is important to retain a feeling of security when dealing with one's major online documents. More than simple spied-on social media or intercepted emails, having a means to store and transfer large files online in a private manner is the focus of a new anonymity software.

Inspired by NSA patriot Edward Snowden, the new OnionShare tool uses the Tor network to thwart prying eyes, establishing a temporary website (a Tor onion service) on the user's own computer. This eliminates the "middleman" of other filesharing services like Dropbox, which could be infiltrated by the government at any point. Using OnionShare and Tor, a secret URL and password are exchanged directly between the two parties, and once the desired files are downloaded by the recipient, the temporary site is shut down for good.

Parker Higgins, an activist with the Electronic Frontier Foundation, lauded the new technology, telling www.digitaljournal.com that, "Peer-to-peer offers no convenient mechanism for centralized surveillance or censorship. By design, there's usually no middleman that can easily record metadata about transfers—who uploaded and downloaded what, when, and from where—or block those transfers...recording all of it would require a dragnet effort, not a simple request for a log file from a centralized service provider."

The software was developed by tech analyst and cryptography/cybersecurity crusader Micah Lee while trying to expedite the secure transfer of files between Edward Snowden, journalist Glenn Greenwald and Greenwald's partner David Miranda, whose own files came under government scrutiny once the Snowden leaks were exposed.

"External Communications" And Infernal Revelations: Britain Allows Cyber-Spying On Facebook And Google

While many other nations around the world are condemning the US for its privacy violations, it seems that Great Britain is taking advantage of our lapses.

The BBC reports that British intelligence now considers sites like Facebook and Google to be "external communications" because the companies are headquartered in the US, and thus the information gleaned from these sites is deemed acceptable for agency retention and/or review. Non-external sources would require the signature of a minister on a targeted warrant, issued only after suspicion of illegal activity was clearly stated.

Privacy International director Eric King noted the actual laws preventing this are unclear and possibly manipulated by those who would scour for secrets, stating "Intelligence agencies cannot be considered accountable to parliament and to the public they serve when their actions are obfuscated through secret interpretations of Byzantine laws."

With America, Britain, and even more of the world now affected by pervasive privacy penetration, an international dialogue on what constitutes infringement may be necessary. With the American Constitution already well trampled in regards to cyber and cell security, perhaps a rallying of world citizens tired of being spied on would achieve some measure of change.





Dropping The Ball On Watching Us All: NSA's "Complex" Software Mysteriously Deletes Info Before Lawsuit

The National Security Agency, who have been fending off accusations of massive breaches of privacy while claiming to care about the very national security their name entails, have turned out to be rather insecure after all...thanks to the apparent complexity of their own software.

The Washington Post reports that the NSA was told to retain information for a lawsuit from the Electronic Frontier Foundation (EFF), intended to assess the depths of the NSA's invasive espionage efforts, but that the information was difficult to retain due to the need to shut down certain software elements where the data would be contained. Deputy director Richard Ledgett claimed that trying to safely retain all of the information required for the lawsuit would be deleterious to the agency, and would create "an immediate, specific, and harmful impact on the national security of the United States."

The EFF maintains that some of the information required for their lawsuit, which deals with the unlawful and downright creepy Big Brothering of American citizens, has already been destroyed. The NSA, meanwhile, maintains massive operational facilities' worth of workers and computer systems in which any of their valuable peeping-tom discoveries could have been "lost."



Secret Service Using Totally Cool Sarcasm Detector While Watching Social Media

The United States Secret Service has escalated their social-media surveillance methods as of late, and it makes things soooo much better for the common person. If you don't have a specially-crafted program to filter that sentence, it contained sarcasm, which has become a problem for Big Brother by creating false positives for threats during their nitpicking of our online brain droppings.

The new technology is considered superior to tasking agents with creating fake profiles to gather and assess the public's social media commentary.  According to www.nextgov.com, the technology also includes “sentiment analysis,” "influencer identification," "access to historical Twitter data," the “ability to detect sarcasm," and "heat maps" or graphics showing user trends by color intensity, agency officials said.

The program will operate in real time and totally respects your opinion.



June 5th: Reset the Net

Proponents of an open and secure internet are pushing back against indiscriminate surveillance this week. Tech Crunch has the details:
A number of websites for Internet services, businesses and even several nonprofits, including Amnesty International, Greenpeace, MoveOn.org, and others, will participate in a series of online anti-NSA protests this week. The websites, which also include Reddit, Imgur, BoingBoing, DuckDuckGo, and several others are taking part in an online campaign called “Reset the Net,” which is specifically aimed at encouraging website owners and mobile app creators to integrate increased security protections into their services, like SSL and HSTS, for example. The overall goal is to make it more difficult for government agencies to engage in their spying activities.
Explains the campaign on its website, ResetTheNet.org: “The NSA is exploiting weak links in Internet security to spy on the entire world, twisting the Internet we love into something it was never meant to be: a panopticon.” While it’s not possible to stop the attacks, the site adds, those who offer users online services could help cut down on the mass surveillance by building proven security into the “everyday internet.”

Heartbleed: Critical OpenSSL Bug Exposes Secure Traffic

From Ars Technica:
Lest readers think "catastrophic" is too exaggerated a description for the critical defect affecting an estimated two-thirds of the Internet's Web servers, consider this: at the moment this article was being prepared, the so-called Heartbleed bug was exposing end-user passwords, the contents of confidential e-mails, and other sensitive data belonging to Yahoo Mail and almost certainly countless other services.
The two-year-old bug is the result of a mundane coding error in OpenSSL, the world's most popular code library for implementing HTTPS encryption in websites, e-mail servers, and applications. The result of a missing bounds check in the source code, Heartbleed allows attackers to recover large chunks of private computer memory that handle OpenSSL processes. The leak is the digital equivalent of a grab bag that hackers can blindly reach into over and over simply by sending a series of commands to vulnerable servers. The returned contents could include something as banal as a time stamp, or it could return far more valuable assets such as authentication credentials or even the private key at the heart of a website's entire cryptographic certificate.

Government and Media Incompetence Puts Americans' Data at Risk

In a chilling, but not especially surprising, report at ZDNet, David Gewirtz reveals that incompetence in government has led to a doubling of the number of information security breaches over the last five years, and that incompetence in the media has led to reporting that understates the extent of these breaches by an order of magnitude.  Excerpt:
According to testimony given by Gregory C. Wilshusen, Director of Information Security Issues for the Government Accountability Office, to the United States Senate Committee on Homeland Security and Governmental Affairs, and I quote, "most major federal agencies had weaknesses in major categories of information security controls."  In other words, some government agency data security functions more like a sieve than a lockbox. . . .

Some of the data the GAO presented was deeply disturbing. For example, the number of successful breaches doubled since 2009. Doubled. There's also a story inside this story, which I'll discuss later in the article. Almost all of the press reporting on this testimony got the magnitude of the breach wrong. Most reported that government security incidents numbered in the thousands, when, in fact, they numbered in the millions.


Two Major Internet Data Breaches

Someone's been rerouting traffic from the internet information fire hose.  From Wired:
In 2008, two security researchers at the DefCon hacker conference demonstrated a massive security vulnerability in the worldwide internet traffic-routing system — a vulnerability so severe that it could allow intelligence agencies, corporate spies or criminals to intercept massive amounts of data, or even tamper with it on the fly.
The traffic hijack, they showed, could be done in such a way that no one would notice because the attackers could simply re-route the traffic to a router they controlled, then forward it to its intended destination once they were done with it, leaving no one the wiser about what had occurred.
Now, five years later, this is exactly what has occurred. Earlier this year, researchers say, someone mysteriously hijacked internet traffic headed to government agencies, corporate offices and other recipients in the U.S. and elsewhere and redirected it to Belarus and Iceland, before sending it on its way to its legitimate destinations. They did so repeatedly over several months. But luckily someone did notice.
What the surveillance state security hysterics fail to understand is that any breach of informational security in the name of security makes everyone less secure on the internet. In related news, 2 million passwords have been compromised from some of the biggest names in the tech industry:
Hackers have stolen usernames and passwords for nearly two million accounts at Facebook, Google, Twitter, Yahoo and others, according to a report released this week.

The massive data breach was a result of keylogging software maliciously installed on an untold number of computers around the world, researchers at cybersecurity firm Trustwave said. The virus was capturing log-in credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers.

Networking: 5 Wifi Security Myths and the Crypto-Solution

PC World takes on some apparently popular wifi network security myths.  Excerpt:
Wi-Fi has evolved over the years, and so have the techniques for securing your wireless network. An Internet search could unearth information that’s outdated and no longer secure or relevant, or that’s simply a myth.

We’ll separate the signal from the noise and show you the most current and effective means of securing your Wi-Fi network . . . 

It concludes with a call for encryption:

Now that we’ve dispensed with five Wi-Fi security myths, let’s discuss the best way to secure your wireless network: encryption. Encrypting—essentially scrambling—the data traveling over your network is a powerful way to prevent eavesdroppers from accessing data in a meaningful form. Though they might succeed in intercepting and capturing a copy of the data transmission, they won’t be able to read the information, capture your login passwords, or hijack your accounts unless they have the encryption key . . . 

Adobe Hacked: Data on 3 Million Customers Compromised

From Adobe:
Cyber attacks are one of the unfortunate realities of doing business today. Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyber attackers. Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe these attacks may be related.
Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident . . . 

iPhone Fingerprint ID: More Trouble Than It's Worth?

If you believe the security pronouncements of any of the giant tech firms, please leave your information in the comments; I have a bridge to sell you.  Of course, the mainstream media are not nearly so skeptical.  Indeed, they're eating it up.  From Bloomberg:
Apple’s use of fingerprint scanning in its new iPhone models could lead more device makers to adopt the authentication method as a successor to passwords -- and that’s fine with privacy advocates.

The introduction coincides with the rise of cybercrime and revelations that the U.S. National Security Agency has intercepted Internet communications and cracked encryption codes on devices including the iPhone.

Apple said that on the new iPhone, information about the fingerprint is stored on the device and not uploaded to company networks -- meaning it wouldn’t be in data batches that may be sent to or collected by U.S. intelligence agencies under court orders.

“They’re not building some vast biometric database with your identity associated with your fingerprint that the NSA could then get access to,” Joseph Lorenzo Hall . . . .
That latter quote is rather funny, as governments and corporations routinely deny that they are building vast databases on us as they build vast databases on us.  Wired is a bit more circumspect:
There’s a lot of talk around biometric authentication since Apple introduced its newest iPhone, which will let users unlock their device with a fingerprint. Given Apple’s industry-leading position, it’s probably not a far stretch to expect this kind of authentication to take off. Some even argue that Apple’s move is a death knell for authenticators based on what a user knows (like passwords and PIN numbers).
While there’s a great deal of discussion around the pros and cons of fingerprint authentication — from the hackability of the technique to the reliability of readers — no one’s focusing on the legal effects of moving from PINs to fingerprints.
Because the constitutional protection of the Fifth Amendment, which guarantees that “no person shall be compelled in any criminal case to be a witness against himself,” may not apply when it comes to biometric-based fingerprints . . .

Netizen Self-Defense Against the NSA Adversary

Bruce Schneier literally wrote the book on Applied Cryptography.  In an article for the Guardian, he provides some advice for those who are concerned about privacy and security and explains what measures he takes in order to secure his information.  From the Guardian:
I have five pieces of advice:
1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.
2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you're much better protected than if you communicate in the clear.
3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn't. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.
4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.
5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about.

Password Security: Is Bigger Better?

From Ars Technica:
For the first time, the freely available password cracker ocl-Hashcat-plus is able to tackle passcodes with as many as 55 characters. It's an improvement that comes as more and more people are relying on long passcodes and phrases to protect their website accounts and other online assets.
Until now, ocl-Hashcat-plus, the Hashcat version that can use dozens of graphics cards to simultaneously crack huge numbers of cryptographic hashes, has limited guesses to 15 or fewer characters. (oclHashcat-lite and Hashcat have supported longer passwords, but these programs frequently take much longer to work.) Released over the weekend, ocl-Hashcat-plus version 0.15 can generally accommodate passwords with lengths of 55 characters. Depending on the hash that's being targeted and the types of cracking techniques being used, the maximum can grow as high as 64 characters or as low as 24.

Trojan Virus Continuing to Spread Via Facebook

Just in case you needed to be reminded that you should always be cognizant of the links you click, the New York Times reports on a six year old piece of malware that continues to dupe Facebook users and drain bank accounts.  Excerpt:
a six-year-old so-called Trojan horse program that drains bank accounts is alive and well on Facebook.  Zeus is a particularly nasty Trojan horse that has infected millions of computers, most of them in the United States. Once Zeus has compromised a computer, it stays dormant until a victim logs into a bank site, and then it steals the victim’s passwords and drains the victim’s accounts. In some cases, it can even replace a bank’s Web site with its own page, in order to get even more information – such as a Social Security number – that can be sold on the black market.

How Does a Password Hack Work?

A fairly well-detailed article at Ars Technica on the "Anatomy of a Hack" shows how hackers go about the process of cracking supposedly secure passwords.
In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results . . . Even the least successful cracker of our trio—who used the least amount of hardware, devoted only one hour, used a tiny word list, and conducted an interview throughout the process—was able to decipher 62 percent of the passwords. Our top cracker snagged 90 percent of them.  
The strength and speed of this attack are not surprising, however, since the passwords were hashed with the MD5 algorithm, which is widely considered to be cryptographically broken.  The first flaws in the algorithm were found in the 1990s, and many more followed over the course of the last ten years.  So the question is: are a lot of websites still using broken hashing schemes?  And if so, how many? And which ones?

Your Credit Card Company and Bank are Threats to Your Information Security

Today, online hacktivist group Anonymous launched Operation USA, which is targeting U.S. government and banking websites.  Ahead of the attack, the US Department of Homeland Security downplayed the planned operation.  According to reports:
“OpUSA poses a limited threat of temporarily disrupting U.S. websites,” the homeland security bulletin states, saying the attackers will likely use commercial hacking tools in a variety of “nuisance-level” strikes, defacing websites or temporarily knocking them offline.
Once again, the Department of Homeland Security appears to have proven itself both ignorant and inept.  Hackers are already claiming to have leaked detailed credit card information on 10,000 individuals to the website pastebin.  The leak contains names, addresses, home phone numbers, social security numbers, credit card numbers, mothers' maiden names, the answers to the card holders' so-called "security questions" and so on.  Make sure your information is not in the leak, and if it is, take appropriate action.  This hack succinctly demonstrates how woefully inadequate the security protocols are at some of the world's largest banks and credit card companies.  The question we should be asking is not why a hacktivist group would engage in such malicious behavior.  Your working assumption should be that hackers are ALWAYS attempting to access your personal and financial information.  The real question is: why are these corporations that we trust with our personal and financial information so insecure?  

Law Enforcement Takes Stand Against Secure Online Communication

Governments are among the greatest threats to data privacy and information security on the internet.  Law enforcement groups in the United States are now effectively demanding that the privacy and security of all online communications be compromised because there might be criminals using those means of communications.  From the Washington Post:
A government task force is preparing legislation that would pressure companies such as Facebook and Google to enable law enforcement officials to intercept online communications as they occur, according to current and former U.S. officials familiar with the effort.

Driven by FBI concerns that it is unable to tap the Internet communications of terrorists and other criminals, the task force’s proposal would penalize companies that failed to heed wiretap orders — court authorizations for the government to intercept suspects’ communications. 
The thing is, when you have a means of communication that actually is secure, there is no way to wiretap or intercept it; that is the point of a secure means of communication.  The article continues:
There is currently no way to wiretap some of these communications methods easily . . .  the companies argue that they have no means to facilitate the wiretap . . . 
What government agencies want is a backdoor into these secure means of communications.  In other words, they want to compromise the security of all means of communication.  Excerpt:
Susan Landau, a former Sun Microsystems distinguished engineer, has argued that wiring in an intercept capability will increase the likelihood that a company’s servers will be hacked. “What you’ve done is created a way for someone to silently go in and activate a wiretap,” she said. Traditional phone communications were susceptible to illicit surveillance as a result of the 1994 law, she said, but the problem “becomes much worse when you move to an Internet or computer-based network.”
This case is especially interesting because the FBI and other government agencies have no qualms about illegally wiretapping the communications of American citizens.  Here, they have legal authority to do so, but they are incapable of doing so because the technology is secure.  What's their solution? To make the technology insecure.  

Over 50 Million User Accounts Compromised at LivingSocial

From All Things D:
LivingSocial, the daily deals site owned in part by Amazon, has suffered a massive cyber attack on its computer systems, which an email from CEO Tim O’Shaughnessy — just sent to employees and obtained by AllThingsD.com — said resulted in “unauthorized access to some customer data from our servers.”

The hack includes customer names, emails, birthdates and encrypted passwords.  The breach has impacted 50 million customers of the Washington, D.C.-based company, who will now be required to reset their passwords.

CISPA and the Corporate Lobby for Internet Censorship

Maplight reports that CISPA, the Cyber Intelligence Sharing and Protection Act, known to its critics as the internet censorship act, has picked up nearly three dozen co-sponsors in the US House following a corporate lobbying effort of IBM executives to their puppets in the legislature.  From Maplight:
On Monday, the same day that IBM flew nearly 200 executives to Washington D.C. to lobby Congress in support of CISPA, 35 members of the House signed onto the bill as new co-sponsors. Prior to Monday, CISPA had only 2 co-sponsors since being introduced in February.
On Tuesday, the Obama Administration issued a veto threat against the bill in its current form citing privacy concerns.
Data: MapLight analysis of reported contributions to the 35 new CISPA co-sponsors and the entire House from interest groups supporting and opposing CISPA.
  • New co-sponsors have received 37 times as much money ($7,311,336) from interests supporting CISPA as from interests opposing it ($200,062).
  • Members of the House in total have received 16 times as much money ($67,665,694) from interests supporting CISPA as from interests opposing it ($4,164,596).
The EFF and the ACLU have organized a campaign to defeat CISPA.  From the EFF:
CISPA is a dangerous "cybersecurity" bill that would grant companies more power to obtain "threat" information (such as from private communications of users) and to disclose that data to the government without a warrant -- including sending data to the National Security Agency.

CISPA was recently reintroduced in the House of Representatives. EFF is joining groups like ACLU and Fight for the Future in combating this legislation.  Last year, tens of thousands of concerned individuals used the EFF action center to speak out against overbroad and ineffective cybersecurity proposals. Together, we substantially changed the debate around cybersecurity in the U.S., moving forward a range of privacy-protective amendments and ultimately helping to defeat the Senate bill.

Wordpress Under Botnet Attack

Admins beware.  Make sure you've got a secure password.  From the BBC:
Wordpress has been attacked by a botnet of "tens of thousands" of individual computers since last week, according to server hosters Cloudflare and Hostgator.  The botnet targets Wordpress users with the username "admin", trying thousands of possible passwords.  The attack began a week after Wordpress beefed up its security with an optional two-step authentication log-in option.  The site currently powers 64m websites read by 371m people each month.

How Secure Are Your Passwords?

In an increasingly digitized world, the importance of information security arguably expands at an exponential rate.  Many people and institutions still take a cavalier attitude toward the security of information about their own and their clients' lives, information that is both theoretically and practically accessible to anyone who is determined to get at it.  CNN reports on Shodan, a search engine that provides access to information on half a million devices and services connected to the internet.  Excerpt:
Shodan navigates the Internet's back channels. It's a kind of "dark" Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet. . . .

It's stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.

Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan. 
What can you do to make sure your information is secure online?  The answer is actually quite simple. Take password protections seriously.  From Three Twelve:
Eight-character passwords are simply not effective enough. According to Wikipedia: "As of 2011, commercial products are available that claim the ability to test up to 2,800,000,000 passwords per second on a standard desktop computer using a high-end graphics processor." Guess how long your 8-character password can stand up against that attack? If you made it to a few minutes, you'd be lucky. The computer can guess EVERY SINGLE COMBINATION of eight lowercase letters in 22 seconds at that rate. Throwing in special characters, uppercase, and numerals greatly increases the complexity, of course. In reality, though, people have pre-computed ALL 8-digit passwords into databases called "rainbow tables" and can just look up (in something like .001 seconds) whether your password has been computed already. . . .

So What Does a Good Password Look Like? XKCD gives a great example: "correct horse battery staple" Check it out--it's incredibly easy to remember, yet its length is 28 or 25 characters, depending on whether you use spaces. This would take the same computer above centuries or millennia to break . . .

Because you have dozens of accounts all across the web, you will need dozens of UNIQUE passwords. For an easy, repeatable way to do that, come up with a system that generates a password for you . . .
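As an added example (not part of the original post or the Three Twelve excerpt), the Python script below applies the excerpt's quoted rate of 2.8 billion guesses per second to the cases it discusses, so the reader can check the figures; the 2048-word list used to model a word-by-word search on the xkcd passphrase is an assumption (xkcd puts that passphrase at about 44 bits). It goes beyond the excerpt by showing that the same passphrase is far weaker against a word-list search than against a per-character search, which is why the speed of the hash function a site uses (see the MD5 post above) matters as much as password length.

```python
"""Brute-force cost estimates for the password cases quoted above.

Constructed example: assumes an attacker who tries every candidate at the
quoted rate of 2.8e9 guesses per second and has access to unthrottled,
offline hashes (as with fast, unsalted MD5).
"""
import math
import string

GUESSES_PER_SECOND = 2.8e9            # rate quoted (via Wikipedia) in the excerpt
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_WORDLIST_SIZE = 2048          # assumption: 2^11 words, 11 bits per word

# Character classes the excerpt mentions, with their ASCII alphabet sizes.
ALPHABETS = {
    "lowercase": len(string.ascii_lowercase),                                     # 26
    "lower+upper+digits": len(string.ascii_letters + string.digits),              # 62
    "printable": len(string.ascii_letters + string.digits + string.punctuation),  # 94
}


def keyspace(symbols: int, length: int) -> int:
    """Number of distinct candidates of `length` symbols drawn from `symbols`."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """log2 of the keyspace: the strength an exhaustive attacker faces."""
    return length * math.log2(symbols)


def exhaust_seconds(symbols: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; the expected time is half of this."""
    return keyspace(symbols, length) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 86400:.1f} days"
    return f"{years:.3g} years"


def compare(rate: float = GUESSES_PER_SECOND) -> dict:
    """Worst-case seconds for each case the excerpt discusses, keyed by name."""
    cases = {}
    for name, n in ALPHABETS.items():          # eight-character passwords
        cases[f"8 chars, {name}"] = exhaust_seconds(n, 8, rate)
    # "correcthorsebatterystaple": 25 lowercase letters searched character by character.
    cases["25 lowercase chars, per-character search"] = exhaust_seconds(26, 25, rate)
    # The same passphrase searched as 4 words from an assumed 2048-word list.
    cases["4 words from 2048-word list"] = exhaust_seconds(ASSUMED_WORDLIST_SIZE, 4, rate)
    return cases


if __name__ == "__main__":
    for name, secs in compare().items():
        print(f"{name:45s} worst case {human(secs)}")
```

Lowering `rate` to what a deliberately slow password hash allows per second shows how much of the defence comes from the hash rather than from the password.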

Congress Gearing Up for Next Attempted Internet Crackdown

From EFF:
On Monday, EFF and over 30 other Internet rights organizations sent a letter to members of Congress demanding they vote no on the "cybersecurity" bill known as CISPA. The letter starts off a week in which Congress will hold three different hearings about CISPA and computer and network security. In addition to the letter, each hearing will provide opportunity to voice many of the bill's problems. We encourage you to join the fight and tell your Representative to say no to CISPA.

In the coalition letter, groups including Mozilla, CDT, ACLU, EFF, and the American Library Association called on representatives to oppose CISPA because of privacy and civil liberties concerns:
CISPA's information sharing regime allows the transfer of vast amounts of data, including sensitive information like internet records or the content of emails, to any agency in the government including military and intelligence agencies like the National Security Agency or the Department of Defense Cyber Command. Once in government hands, this information can be used for undefined 'national security' purposes unrelated to cybersecurity.
CISPA may advance in the House at any time. EFF and other civil liberties groups are ramping up the fight against the bill. We'll be raising more awareness and urging users to speak to their representatives about CISPA's dangers.