
Hacker Public Radio

Your ideas, projects, opinions - podcasted.

New episodes Monday through Friday.


Correspondent

Edward Miro / c1ph0r

Host ID: 372

Just an old dude from the internet.

I gave a talk at a local hacker con once about vehicle based surveillance. I also contributed to a privacy/hacking project called Shadowlink with the main focus being the NetP Wiki (The NetP Wiki is a fully collaborative and dynamic guide designed to help navigate the world of privacy & anonymity).

Currently moving prior blogs and content over to my GitHub Page: https://c1ph0r.github.io/

Previous episodes:
hpr2707 :: Steganalysis 101


email: c1ph0r.nospam@nospam.protonmail.com
episodes: 3

hpr2727 :: Passwords

Released on 2019-01-15 under a CC-BY-SA license.

Introduction

Hello and welcome to Hacker Public Radio. I’m Edward Miro, and for this episode I decided to talk about the importance of good passwords. This will be part one in a series of podcasts I’m going to call “Information Security for Everyone”. As with most of the content I create in the world of infosec, my goal is to present the information in a way that most people can get value from it, so that anyone can play this for a friend, colleague or family member and make it easy for the non-hackers in our lives to understand.

Passwords

One of the first things most people think about when it comes to online safety is their password. We all know that passwords are to our online accounts what keys are for our locks. Would you use the same key for your house, your car, your office and your safety deposit box? Of course not. And if you did, what would happen if a bad guy could get a copy of just that one key? They’d have access to everything. With so much of our personal, confidential, financial and medical information accessible from our various online accounts, what can we do to make things as safe as possible?

Personally, I use and recommend a three-pronged approach:

  1. Complex passwords
  2. Unique passwords
  3. Two-factor authentication (where available)

Clearly the solution is to use a unique password for each account and make each one complex enough that an attacker couldn’t guess it or crack it in any useful amount of time. The problem this presents to general users is the inconvenience and difficulty of remembering these passwords or storing them securely. This leads into my first bit of advice:

Password Managers

My recommendation is to use a password manager. I’m going to refer to managers such as LastPass because that’s the one I’ve always used, but I’m not saying it’s the best or that it would be the best for you. There are many great options and I would rather people use the one that works best for them rather than the one I like best. Anyway, applications like LastPass give you the ability to store all your passwords in an encrypted “vault” and then retrieve them through browser add-ons or standalone applications. They also have built-in features that generate secure passwords of any length or complexity.

When using a password manager, all you have to remember is your ONE master password. When you sign in, the manager can then decrypt all your saved passwords and let you use them. When I sign up for a website, I use LastPass to generate the longest and most complex password supported by the site and it gets stored in my vault safely for later use.

There are various options online to choose from and I suggest you do some research and try a few different ones to see what is comfortable for you. One thing to consider when using a password manager is that the master password is your single point of failure and should be a long and complex password that you don’t use ANYWHERE else.

If you’re wondering how to come up with a secure password that you can remember there are various strategies online, but I follow this:

Take a poem, song lyrics or phrase that is easy for you to remember. For this example I’ll use the phrase:

"The stars at night are big and bright. Deep in the heart of Texas."

Then I take the first letters from each word and that gives me:

TsanababdithoT.

Then I swap out the vowels for some numbers/special characters. And that gives me:

T5@n@b@bd1th0T

I checked that password on Dashlane’s Password Strength Checker, and got the following results:

It would take a computer about 204 million years to crack your password

And that’s just an example of a very secure password that I thought up in a few seconds and that I probably won’t ever be able to forget.
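The phrase-to-password routine above, as an added example (not from the show notes): it reproduces the two steps for any phrase and adds a rough brute-force keyspace figure. The capitalisation rule (first and last initial) and the e→3 substitution are my assumptions filling in what the episode leaves implicit.

```python
import math
import string

# Substitutions the episode applies (s->5, a->@, i->1, o->0). e->3 is added here as an
# assumption; it follows the same scheme and does not occur in the episode's phrase.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"}


def initials(phrase: str) -> str:
    """First letter of each word, lowercased, with the first and last initial capitalised.
    This reproduces the episode's 'TsanababdithoT' from the Texas lyric."""
    letters = [w[0].lower() for w in phrase.split() if w[0].isalpha()]
    if not letters:
        return ""
    letters[0] = letters[0].upper()
    letters[-1] = letters[-1].upper()
    return "".join(letters)


def mnemonic_password(phrase: str, subs: dict = LEET) -> str:
    """Derive the password: take the initials, then swap the substitutable lowercase letters."""
    return "".join(subs.get(ch, ch) for ch in initials(phrase))


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, from the character classes present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(ch in cls for ch in password))


def brute_force_bits(password: str) -> float:
    """Ceiling on guessing work: log2(charset ** length). A mnemonic password is far less
    random than a generated one of the same shape, so treat this as an upper bound only."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    lyric = "The stars at night are big and bright. Deep in the heart of Texas."
    pw = mnemonic_password(lyric)
    print(pw, f"{brute_force_bits(pw):.1f} bits of brute-force keyspace (upper bound)")
```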

2FA (two-factor authentication)

Another very important recommendation I want to touch on in this episode is using two-step authentication. I use it for all accounts that offer it and it’s very easy to set up and use. It works in tandem with an application on my mobile device called Google Authenticator (though there are others and, like LastPass, this is just the one I use), and it’s available for Android and iOS. After you install the app, you go to the security settings of the account you want to protect and register it with your device.

What it does is provide a “second” password when logging in that is only used one time. When you log in, the site prompts for the two-step authentication code; you then open the Google Authenticator app and the code for the session will be listed. The codes are only valid for a short time and are constantly changing. This makes gaining unauthorized access to your account VERY difficult.

A few closing thoughts

Some information security professionals see a password manager as insecure due to it being a single point of failure. I can understand this and would respond that although this might be true, having a complex master password and using the manager in conjunction with two-step authentication makes it a pretty safe and solid system. And even if there is a breach, none of my passwords are the same and changing them is incredibly fast and easy with a manager.

Also, I usually don’t recommend keeping hard copies of passwords, but if you can guarantee the physical security of your password list, this in my opinion is preferable to using the same, insecure password for all your accounts.

Please remember, if you’re like most people on the internet and you use an easy to crack password or the same password on all your sites, all it takes is one compromised account to give bad guys access to everything.

I’m also including a list of links at the bottom of the show notes to everything I mentioned, and also a link to the site Have I Been Pwned. This is a service that collects accounts that have been exposed in breaches and lets anyone search for their email address to see if their information is already compromised. If it is, do this NOW:

  1. Set up a password manager with a strong master password.
  2. Change all your passwords using the built-in password generator in your password manager and save them in your vault as you go.
  3. In the future when breaches happen, it’s incredibly easy to change your password, and you’ll also rest easy knowing that the password obtained can’t get them into anything else.

I know this will take a long time. But it’s worth it. Then, you only have to remember one master password and you will be exponentially safer online.

I also linked SplashData’s “The Top 100 Worst Passwords of 2018”. PLEASE don’t use anything on this list.

Well, thank you for taking the time to listen to my basic introduction to passwords. I hope this will help any non-hackers in your life and like I say in all my podcasts, I don’t claim to know all there is to know and love feedback and any opportunities to learn more or collaborate with others in the field. As with most of the research and articles I’ve written in the past, these are geared toward standard users in a business setting and are meant to be a jumping off point for further research and to be a foundation for cyber security 101 level training classes. If you like what I do, and want to have me come speak to your team, or just wanna chat, feel free to email me.

Thank you and have a safe 2019!


hpr2717 :: Mobile Device Security

Released on 2019-01-01 under a CC-BY-SA license.

Introduction

Hello and welcome to Hacker Public Radio, I’m Edward Miro and for this episode I decided to address mobile device security. As with most of the research and articles I’ve written in the past, these are geared toward standard users in a business setting and are meant to be a jumping off point for further research and to be a foundation for cyber security 101 level training classes. If you like what I do, and want to have me come speak to your team, feel free to email me.

As an information security researcher, I have noticed a trend in what potential clients have lately been interested in: cell phones. Almost everyone I have consulted for in the area of private investigations makes this their main priority. This makes sense, as users have been transitioning to mobile devices more and more. Not only do cell phones represent the main conduit to the internet for a huge chunk of people, but many use them for work as well. Many companies have wisely put policies in place against this, but there are still many organizations that allow bring-your-own-device arrangements. In this podcast I will try to define the threats, defenses and considerations in very broad strokes.

Cell phones differ from a standard hacking target in a few ways. For the most part, many of the same vectors are still valid. Remote code execution, however, is rarer, but not out of the question. I’m going to present these different vectors in an ascending list of what is most likely to be used as an attack, in my humble (and possibly ignorant) opinion.

1. Passive Surveillance

This vector is one many in the hacking world will already be familiar with and it is a major concern for mobile devices as well. Attackers can monitor an access point where the mobile device is connected and collect packets in all the usual ways. Open public WiFi is a treasure trove and tons of data that’s being sent in the clear can be collected, analyzed and leveraged by attackers.

Defense here is a bit more complicated for the general user, but shouldn’t be too intrusive for most:

  1. Use a VPN on your mobile devices.
  2. Switch to a DNS provider that supports DNSSEC.
  3. Implement proper encryption on access points.

2. Spyware

Many commercial spyware applications are readily available on both of the main app stores. The challenges for attackers lie in either gaining physical access to the unlocked device to install the spyware, or tricking the user into installing it themselves. Most often the target’s spouse or close contact does this. Some of these apps can be disguised to look like innocuous applications as a feature, but with devices that are rooted/jailbroken, they can be completely hidden from the user. I found a few surveys that state the average smart phone user has about 30 apps installed. I don’t think it’s unreasonable to suspect the average person wouldn’t notice a second calculator or calendar app. These apps feature the full gamut of what you’d expect from a spyware app.

Defense against spyware is pretty simple:

  1. Don’t allow unsupervised access to your device.
  2. Use a strong passcode or biometric lock.
  3. Remove unused applications and be aware of new apps that may pop up.
  4. Don’t root or jailbreak your device.

3. Social Engineering

The tried and true vector that has always worked and will continue to work is social engineering. It doesn’t matter what kind of device a target is using if you can get them to click a malicious link, open a malicious attachment, or disclose their password to the attackers. With a user’s password you can conduct a vast amount of surveillance through their Google or Apple account, not to mention leverage that password against all their other accounts, as most users still use the same password for everything. We can also call back to the previous section on spyware: many users are already familiar with enabling the installation of 3rd party applications and can be tricked into installing a cleverly disguised spyware application.

Basic OPSEC recommendations are applicable here:

  1. Don’t click strange or unsolicited links or attachments on your devices.
  2. Never disclose your password to anyone through a text message or voice call.
  3. Don’t install 3rd party applications. I’ll extend this to say not to install any shady or questionable apps, even ones hosted by the app stores. There have been instances of vetted apps being malicious.

4. IMSI catchers/Femtocells

I refer to these as DIY Stingrays. Stingrays are devices used by law enforcement to track and surveil cell phone traffic. These devices emulate a cell tower or boost cell phone signals when used in a legitimate way. Mobile phones are designed to prefer using stations that are the closest and strongest. Any technically proficient attacker can DIY one of these devices for not a lot of money. When an attacker deploys one of these devices, the target’s phone usually has no idea that the device isn’t an official cell tower and happily connects and passes traffic through it. The rogue stations can then be configured to pass the traffic on to an authentic tower and the user will have no idea. These rogue towers can not only collect identifying information about the mobile device that can be used to track or mark a target, they can also monitor voice calls, data, and SMS, as well as perform man-in-the-middle attacks. Often they can disable the native encryption of the target’s phone as well.

Defense against this vector is a bit more complicated:

  1. As before, use a VPN.
  2. Use Signal or other encrypted communication apps.
  3. Avoid disclosing sensitive information during voice calls.
  4. There is software that has been developed to detect and notify the user when a rogue station has been detected, but this is not going to be super helpful for standard users. There are also maps online of known cell towers and it is possible to use software to identify your connected tower.

5. Exploits

Speaking very generally, this attack vector is less of a concern for most people (depending on your particular threat level), and the chance of it happening in the wild is probably remote. The technical implementations of exploits such as Rowhammer, Stagefright, and BlueBorne are well outside the scope of this talk, but it would be a mistake not to mention them and what can be done to protect against them. We should also pay attention to the growing number of exploits being developed against mobile devices, as attackers have started putting a lot of effort into this area. Even though many of these vulnerabilities are being patched, we all know many users are still running old versions of Android and iOS, and many devices are simply outside the support period offered by the manufacturer and will never be updated past a certain point. Couple that with the common idea that mobile devices (or any device running a non-Windows OS) are “safer” because fewer exploits exist for them, and you have a very poor assumption. This will probably get worse now that keeping up with new devices costs over $1000, so many users won’t be able to afford devices that are still being patched.

What we can do:

  1. Keep your mobile devices updated with most current OS updates and carrier settings. Also keep applications updated. I don’t know how many times I’ve noticed friends or family with devices that are ready to be updated, but the notifications go ignored.
  2. If it’s possible, replace devices when they are outside the support period.
  3. Be paranoid, if it applies to you. What this means is when you use any computer or device, always remember that zero day exploits can exist for years before being disclosed. You could follow ALL the best OPSEC practices, and you could still be vulnerable to exploits that haven’t been disclosed and/or patched. This might not matter if you’re just a general user, but if you work for the government or do intelligence work, act as if.

Well, thank you for taking the time to listen to my basic introduction to cell phone cyber defense. I know most of the information I provided is only the tip of the iceberg and if current trends hold up, this will only get worse in the future. If you want to add to or correct any mistakes I may have made, like I stated in the introduction, feel free to email me and let’s have a conversation. I don’t claim to know all there is to know and love feedback and any opportunities to learn more or collaborate with others in the field.

Thanks again, and have a great 2019!


hpr2707 :: Steganalysis 101

Released on 2018-12-18 under a CC-BY-SA license.

1. Introduction

Hello and welcome to Hacker Public Radio. I’m Edward Miro, and I’ve been a fan of HPR for a while now and really love its collaborative and random nature. It’s always been important for me to support the hacking community, and I take any opportunity to give back to this community that has given me so much throughout the years. I’ve also always subscribed to the idea that the best way to learn something is by teaching, and I hope to do a good job for all you listeners. This talk is on the mystical art of steganalysis, which is the process of identifying the presence of steganography and (hopefully) decrypting it.

2. What is steganography?

I’m into hacking, but I’m not a professional hacker. Usually I call myself a hobbyist. I like CTFs, crypto challenges, lots of stuff from Vulnhub or OverTheWire, things like that. I’ll provide some links at the end if anyone is interested, but for those who aren’t familiar, a CTF, or Capture The Flag, is a kind of game that helps you get better at hacking. These days there are tons of VMs that are set up to be intentionally vulnerable to different techniques or attacks. You load the VM, pretend it’s a server you want to attack and follow your standard hacking protocols. Some are set up as boot-to-root challenges where you ‘win’ when you get root, and some are set up with flags hidden in the target that are worth points. There are in-person and online CTFs, and they’ve gotten pretty popular, with the National Cyber League being a major competition. Some are easy, some are really hard, and most have really good write-ups that can teach you a lot about INFOSEC and penetration testing and let you practice the techniques in a relatively easy and legal way.

Where steganography comes into this discussion is that it’s an element you sometimes see used in the kinds of challenges I mentioned previously, and also in alternate reality games and online recruitment challenges by national agencies, big tech companies and militaries. It is even used in real-world espionage and intelligence work, and in super spooky secret challenges like Cicada 3301.

Simply put steganography (and I’m pasting this straight out of Wikipedia): “is the practice of concealing a file, message, image, or video within another file, message, image, or video”. Steganography is used to hide secrets in plain sight. It’s a way to send a message, without anyone detecting that a message is even being sent.

I’ll give you more examples in the next section, but imagine a letter that has a secret written in invisible ink. Only the sender and receiver should know about the invisible ink and any eavesdroppers should be none the wiser. This simple example has been used by countless prisoners whose mail is routinely read and examined. Terrorists and spies the world over also use steganography and are known to embed messages in an image and post it online. With how many image hosting sites there are, with millions of people posting to them billions of images day in and day out, you can see why steganography can be such a challenge to combat. Before I move on to some more specific examples I want to stress again that I’m not an expert on cryptography or steganography. While researching for this podcast it’s overwhelmingly clear that you could spend your whole career focused on only steganography. This talk is just a primer on the subject and only the tip of the iceberg.

3. Examples (also from Wikipedia, the great repository of all knowledge)

  • Analog:
    • Head shaving
    • Invisible ink
    • Knots tied into ropes
    • Messages hidden under stamps on envelopes
    • Mixed typeface
    • Using a grille cipher
    • Sending messages via newspaper classifieds
  • Digital:
    • Noise in images or sound files
    • Text commented out in source HTML or other code
    • Using different color text
    • Fractionalized comments
    • Audio signals/spectrograms
    • Hidden control characters and non-printing Unicode

The possibilities are almost endless for how this technique can be applied.

4. Why should we care?

When we are doing a CTF or crypto challenge and are presented with an image or media file, we are pretty well assured there’s something in there, though not every image you find while doing a challenge or CTF will use steganography, so don’t overanalyze. I’ve known people who are really into alternate reality games spend hundreds of hours doing spectrographic analysis; for our purpose (and the scope of this podcast), there should be some clue that steganography is being used. The challenge then becomes how we direct our workflow so as not to waste any time and be as efficient as possible in cracking that particular part of the puzzle. There are MANY stego tools out there, some of them homebrewed, and unless the designer of the challenge puts in a clue, you might spend hours trying different algorithms or tools. And even if you do, there’s no guarantee you’ll get anything at all. A lot of the tools that will be mentioned in the next section rely on fingerprinting how known algorithms process data. This is not only a big problem for hackers like us with our CTFs and games, but even more so for governments who are charged with keeping us safe.

So if you’re looking at possible steganography, you need to build a good workflow. I noticed a post on Reddit a few weeks ago with a user asking about image forensics, and there was a comment posted that was so good I forwarded it to my hacking friends; it inspired me to do this podcast. I’m using the comment as a framework for my own work with images and steganography. It helped me develop my own protocol and I wanted to share it with you all, and if anyone wants to expand on it or improve it, please do so. Thank you /u/Alexeyan!

5. Proposed work flow

This is coming straight out of the post on Reddit. I thought about rewriting it, but it didn’t seem necessary, and I’m giving the author full credit. I’ve added a couple more tools at the bottom and a few closing thoughts:

  • First: Look at the image. Maybe it tells you something important.

  • Use binwalk to check for other file type signatures in the image file.

  • Use Exiftool to check for any interesting exif-metadata.

  • Use stegsolve and switch through the layers and look for abnormalities.

  • Maybe the Flag is painted in the LSB image, or some QR-Code.

  • Maybe there are random pixels that look strange in a certain layer, that’s a hint for Bit-Stego.

  • Use zsteg to automatically test the most common bitstegos and sort by %ascii-in-results. (This one auto-solves about 50% of all image stego challenges)

  • If the file is a png, you can check if the IDAT chunks are all correct and correctly ordered.

  • Check with the strings tool for parts of the flag. If you found for example “CTF{W” in a chunk, check what is on that position in other IDAT chunks.

  • The harder ones can be a lot more tricky though... JPG coefficient manipulation, Frequency analysis, …

  • But usually those are frowned upon, because they require a lot of guessing (if no hiding tool is provided)
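The PNG checks in the quoted workflow (are the IDAT chunks correct and correctly ordered, is there data after the image that binwalk would flag), as an added example that is not part of the Reddit post or the show notes. It builds a tiny PNG in memory as constructed input rather than reading a real file.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC32 over type+data (the PNG rule)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int = 1, height: int = 1, rgb=(0, 0, 0)) -> bytes:
    """Construct a minimal 8-bit RGB PNG in memory; sample input, not a real file."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))  # filter 0 per row
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(rows)) + png_chunk(b"IEND", b""))


def audit_png(data: bytes) -> dict:
    """Walk the chunk list and report what the workflow looks for: CRCs that no longer
    match (edited chunk data), IHDR/IEND out of place, IDAT runs that are not contiguous,
    and bytes after IEND, which is where appended files hide and what binwalk flags."""
    report = {"chunks": [], "bad_crc": [], "problems": [], "trailing_bytes": 0}
    if not data.startswith(PNG_SIGNATURE):
        report["problems"].append("missing PNG signature")
        return report
    pos, seen_idat, idat_closed = len(PNG_SIGNATURE), False, False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            report["problems"].append(f"truncated chunk {ctype!r} at offset {pos}")
            return report
        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        if struct.unpack(">I", crc_field)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            report["bad_crc"].append(name)
        if name == "IDAT":
            if idat_closed:  # an IDAT after a non-IDAT chunk broke the run
                report["problems"].append("IDAT chunks are not contiguous")
            seen_idat = True
        elif seen_idat:
            idat_closed = True
        pos += 12 + length
        if name == "IEND":
            break
    if report["chunks"][:1] != ["IHDR"]:
        report["problems"].append("IHDR is not the first chunk")
    if report["chunks"][-1:] != ["IEND"]:
        report["problems"].append("IEND chunk missing")
    report["trailing_bytes"] = len(data) - pos  # anything after IEND is not image data
    return report


if __name__ == "__main__":
    sample = build_png() + b"PK\x03\x04 constructed payload appended after IEND"
    print(audit_png(sample))
```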

Some other go-to tools not mentioned above:

  • Stegdetect
  • DIIT (Digital Invisible Ink Toolkit)
  • StegSecret
  • ILook Investigator (for law enforcement)

Detecting steganography is hard work. There are computer scientists who do only this. While we aren’t at that level for the information being presented here, it will require a lot of digging and trying different tools. Hopefully following these steps will help identify the more common techniques in an easier way than trial and error.

One last thing I want to mention is that part of how I see detecting steganography in CTFs or crypto challenges is having a certain mindset and always looking at things in various layers. I try to look at everything within the challenge as if there could be something right in front of my eyes. I mentally flip through different layers and see the codes within the codes. And remember, if you’re playing an alternate reality game, a CTF or a crypto challenge, generally speaking the designers want you to play through the game. They will leave clues if you need them. They want the players to get to the end. Don’t overthink things.

Well that’s all I’ve got for today. I hope you enjoyed this podcast and got something useful out of it. Like I said in the introduction, I’m Edward Miro. Have fun, and good luck!

6. Sources

