Tuesday 18 June 2013

Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots

 
source: https://www1.cs.fau.de/filepool/projects/hotspot/hotspot.pdf

Average cracking time (ACT) of an arbitrary iOS hotspot default password using different GPU clusters.

# GPUs | Hardware            | Cycles per Second | ACT
2x     | Nvidia Tesla C2075  | 46.600            | 3m 18s
1x     | AMD Radeon HD6990   | 180.000           | 52s
4x     | AMD Radeon HD7970   | 390.000           | 24s

To automate the process of word list generation, we built the iOS app Hotspot Cracker. This app assists in generating an iOS hotspot cracking word list, which might be used in subsequent attacks on other hotspot users. The app also gives explanations and hints on how to crack a captured WPA handshake using well-known password crackers. Future releases might also automate the process of capturing and cracking hotspot passwords. As computing power on smart devices is limited, one solution is to involve online password cracking services like CloudCracker, to crack hotspot passwords on-the-fly.

As the mobile hotspot feature is probably most often used while travelling, at conferences, or during hotel stays, an attacker will only have a limited amount of time to succeed in breaking into a mobile hotspot. Therefore, a very limited cracking time frame is the main requirement for such an attack to be practically relevant. Taking our optimizations into consideration, we are now able to show that it is possible for an attacker to reveal a default password of an arbitrary iOS hotspot user within seconds. For that to happen, an attacker only needs to capture a WPA2 authentication handshake and to crack the pre-shared key using our optimized dictionary.

As it is always good advice to replace initial default passwords with user-defined strong and secure passwords, this becomes particularly relevant for mobile hotspot passwords. Therefore, users of mobile hotspots, especially of iOS-based mobile hotspots, are advised to change their passwords. In addition, some mobile platforms (like Apple iOS) display the number of connected clients on the lock screen. Therefore, it is good advice to periodically check that screen for any conspicuous activity. Finally, hotspot capabilities of smart devices should be switched off every time they are no longer needed, to keep the overall attack surface as minimal as possible.

Vendors of mobile hotspot solutions should improve their way of generating initial default passwords. System-generated passwords should be reasonably long and should use a reasonably large character set. Consequently, hotspot passwords should be composed of completely random sequences of letters, numbers and special characters. It can be neglected that increased randomness could have a negative impact on the memorability of the passwords. Particularly, in the context of mobile hotspots there is no need to create easily memorizable passwords. After a device has been paired once by typing out the displayed hotspot password, the entered credentials are usually cached within the associating device and are re-used within subsequent connections.

Summing up, the results of our analysis have shown that the mobile hotspot feature of smart devices increases the attack surface in several ways. As the default password of an arbitrary iOS hotspot user can be revealed within seconds, attacks on mobile hotspots might have been underestimated in the past and might be an attractive target in the future.
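Added example (not from the paper or the blog): it takes the table's figures, treating "cycles per second" as candidate pre-shared keys tested per second (an assumption), derives the size of the default-password space that those average cracking times imply, and contrasts it with a uniformly random password generated the way the paper asks vendors to do it.

```python
import math
import secrets
import string

# Figures from the paper's table: candidates tested per second (assumed to be what
# "cycles per second" measures) and the average cracking time (ACT) in seconds.
GPU_CLUSTERS = {
    "2x Nvidia Tesla C2075": (46_600, 3 * 60 + 18),
    "1x AMD Radeon HD6990": (180_000, 52),
    "4x AMD Radeon HD7970": (390_000, 24),
}
# 94 printable ASCII characters: the "reasonably large character set" the paper asks for.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def implied_keyspace(rate, act_seconds):
    """On average the right candidate is found halfway, so keyspace ~= 2 * rate * ACT."""
    return 2 * rate * act_seconds

def average_crack_seconds(keyspace, rate):
    """Average time to reach the right candidate when all candidates are equally likely."""
    return keyspace / (2 * rate)

def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)

def years_to_crack_random(length, alphabet_size, rate):
    """Average years the same cluster would need against a uniformly random password."""
    return average_crack_seconds(alphabet_size ** length, rate) / SECONDS_PER_YEAR

def generate_hotspot_password(length=20, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG, the generation the paper recommends."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for name, (rate, act) in GPU_CLUSTERS.items():
        ks = implied_keyspace(rate, act)
        print(f"{name}: default-password keyspace ~ {ks:,} ({math.log2(ks):.1f} bits); "
              f"a random 20-char password: {years_to_crack_random(20, len(ALPHABET), rate):.1e} years")
    print("example replacement password:", generate_hotspot_password())
```

All three rows of the table imply the same keyspace of roughly 18.7 million candidates (about 24 bits), which is why the cracking time scales directly with the hardware.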

Monday 17 June 2013

Belgium wants to give intelligence service direct access to police database

The Belgian Minister of the Interior, Joëlle Milquet, wants to submit a bill later this year so that the Staatsveiligheid, Belgium's civilian intelligence service, gets direct access to the police database.

The police in Belgium can already share information from their large database with intelligence services, but the Staatsveiligheid should get direct access to the Algemene Nationale Gegevensbank (ANG), the minister believes. The precise details of that access still have to be discussed within the government. The database holds data on persons and companies that have ever been linked to a possible offence in a police report. The intention is part of a larger plan to use the ANG differently, according to De Tijd.

The minister also says that data in the database should be deleted after a certain period, because it is currently difficult to have data removed from the database. That only happens when someone dies or goes to the so-called privacy commission themselves. According to Jean-Marie Brabant, chairman of the Permanent Committee of the Local Police, it is contrary to European rules that this does not happen automatically.

Another plan of the minister is to improve the quality of the database by drawing up more precise criteria for entering data. The ANG turns out not to be equally reliable in all cases. According to Gert Cockx of the police union NSPV, most police officers are wary about the accuracy of the information.

According to an anonymous police director, the database has reached its limit because over the years it has continually been extended with new data such as licence plates and mobile phone numbers. It is also not possible to create links between suspicious companies.
Finally, the structure of the database must also be improved. It should become possible to create specific databases within the ANG for specific purposes, such as a database for stolen works of art. Earlier initiatives to set up a specific database, often by police officers themselves, came to nothing.

By Christophe van Bokhoven, Friday 14 June 2013 12:20

Friday 24 May 2013

Read a Mac CD in Ubuntu

Nothing special, but always handy if an i-dude comes over with his music, which was formatted for his Mac.

How to mount?
First you need to make sure that you unmount the disc in case it got automounted.

umount /media/<username>/<volumename>

The problem is that we do not always know which format was used, so let's start guessing:

sudo mkdir /media/test
sudo mount -t iso9660 /dev/cdrom /media/test
ls /media/test
sudo mount -t udf /dev/cdrom /media/test
ls /media/test
sudo mount -t hfs /dev/cdrom /media/test
ls /media/test
sudo mount -t hfsplus /dev/cdrom /media/test
ls /media/test

Most probably you will be lucky enough to find the right format and you can start abusing the disk :-) LET'S PARTY...
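Added example, not from the original post: the same guess-the-filesystem procedure as a script, but it asks blkid for the type first and mounts the disc read-only with noexec, nosuid and nodev, so nothing on a stranger's disc can be executed by accident. It assumes /dev/cdrom and /media/test as in the post, and sudo, blkid and mount from a standard Ubuntu install.

```python
import subprocess

# The post's candidate types. hfsplus is tried before hfs on purpose: an HFS+ volume
# wrapped in an HFS shell also mounts as hfs, but then you only see the empty wrapper.
CANDIDATES = ["iso9660", "udf", "hfsplus", "hfs"]
# Hardening options for removable media: no binaries, no setuid, no device nodes, no writes.
SAFE_OPTS = "ro,noexec,nosuid,nodev"

def candidate_types(detected):
    """Put the type blkid reported first (if any), then the remaining guesses in order."""
    rest = [t for t in CANDIDATES if t != detected]
    return ([detected] if detected else []) + rest

def mount_command(fstype, device, mountpoint):
    """The exact mount invocation for one candidate type, with the hardening options."""
    return ["sudo", "mount", "-t", fstype, "-o", SAFE_OPTS, device, mountpoint]

def detect_type(device):
    """Ask blkid for the filesystem type; returns an empty string if it cannot tell."""
    res = subprocess.run(["sudo", "blkid", "-o", "value", "-s", "TYPE", device],
                         capture_output=True, text=True)
    return res.stdout.strip()

def mount_unknown_disc(device="/dev/cdrom", mountpoint="/media/test"):
    """Unmount any automount, then try each candidate type; returns the type that worked."""
    subprocess.run(["sudo", "mkdir", "-p", mountpoint], check=True)
    subprocess.run(["sudo", "umount", device], capture_output=True)  # ignore "not mounted"
    for fstype in candidate_types(detect_type(device)):
        result = subprocess.run(mount_command(fstype, device, mountpoint), capture_output=True)
        if result.returncode == 0:
            return fstype
    return None

if __name__ == "__main__":
    print("mounted as:", mount_unknown_disc())
```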

Thursday 16 May 2013

Raw Data-Mining: using Wget with TOR

The overall goal of the data mining process is to extract information from a data set and transform it into an understandable structure for further use. Raw data-mining can be seen as ripping all information from a database. This results in a huge amount of traffic at the server level, causing latency in the provided web service. Therefore some sysadmins have configured their servers to block any IP that starts demanding a huge (abnormal) load within a certain timeframe. To bypass this protection, we need a system which uses a different IP for each request. For this, TOR might come in handy. At least if the server farm is not blocking the TOR exit nodes. :-)

With scripted data-mining, we want to use wget to rip data and tunnel it through the TOR anonymous network to avoid IP blocking at the server farm. One way to do it is to use wget, TOR, and Privoxy to get what you need.

Explanation: Tor is a SOCKS proxy through which your data is sent over a network in a pretty anonymous fashion. The problem with Tor is that it does not offer an HTTP proxy, which is what wget can use. To get around this you can install Privoxy, which allows you to connect to TOR via a simple HTTP proxy.

So, let's get started.

Step 1 - Install the stuff
You can install everything you need with the following command:
sudo apt-get install -y tor tor-geoipdb privoxy

Step 2 - Configuration
There are a few things that need to be configured.
1. /etc/wgetrc
Find the line starting with: #http_proxy =
Replace the whole line with: http_proxy = http://localhost:8118

2. /etc/Privoxy
Add the following to the top of the file:
listen-address localhost:8118
forward-socks5 / 127.0.0.1:9050 .

Step 3 - Start every thing up
sudo service tor restart; sudo service privoxy start

Now when you use the wget command, your data will be tunneled through the TOR network. When you run wget you will see lines like the following:
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:8118... connected.
The :8118 shows that your connection is going to Privoxy, which in turn goes to TOR.

Note: Your download speeds will be significantly reduced because your data is tunneled through the TOR network. The configuration of TOR is out of scope for this article.
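Added example from the server side, not part of the original post: the per-IP rate check the post says sysadmins use to block a bulk ripper, run over constructed Apache combined-format log lines, plus the complementary check a sysadmin needs once the requests arrive through rotating Tor exits (matching source addresses against an exit-node list; the list here is a made-up stand-in, not a real one).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format; only the fields the checks need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def _line(ip, sec, ua):
    return (f'{ip} - - [16/May/2013:10:00:{sec:02d} +0200] "GET /db/item?id={sec} HTTP/1.1" '
            f'200 512 "-" "{ua}"')

# Constructed sample traffic (not real log data): one client fetching seven records in
# seven seconds, the way a wget rip looks, and one ordinary visitor with two requests.
SAMPLE_LOG = ([_line("203.0.113.5", s, "Wget/1.13.4") for s in range(7)]
              + [_line("198.51.100.9", s, "Mozilla/5.0") for s in (3, 40)])

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "ua": m["ua"]}

def flag_bursty_ips(lines, window_seconds=10, threshold=5):
    """Sliding-window request count per source IP; lines are assumed in time order.
    Returns {ip: peak requests inside one window} for the IPs that exceed the threshold."""
    recent = defaultdict(deque)
    peaks = {}
    for rec in filter(None, map(parse_line, lines)):
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks

def tor_exit_hits(lines, exit_nodes):
    """A per-IP limit never trips for a client that changes exit node on every request;
    this instead reports the source addresses that appear on a Tor exit-node list."""
    return {rec["ip"] for rec in filter(None, map(parse_line, lines)) if rec["ip"] in exit_nodes}
```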

Thursday 9 May 2013

Does your payslip contain confidential information?



Would you trust a real estate company when buying a house? Especially if they ask you to provide your monthly payslip for financing reasons?

Of course we do. We want that house and/or we need the money that we do not have. :-) So we provide them the payslips and trust in God that everything remains confidential.

And then there is the almighty Google who sees it all.

It seems that omnicasa.com provides real estate agencies with software to manage their business and to maintain PDFs containing real estate information. But some smart salesperson also seems to have put the payslip of one of his customers online.

Naughty naughty boy.

I'm pretty sure more payslips are available on the internet (just caught 2 others flying by during lunch). Some people getting a lot of money, others not.
But what I fear the most... it contains a lot of personal data. RRN, address, ... I smell identity theft!

BTW... Are real estate agencies allowed to request this kind of information? Do they have the approval from the privacy commission? Do they know the penalty for not safeguarding this information?

Let's get another coffee and continue life. :-)

Monday 6 May 2013

Spread the beans and governmental passwords.


It has been a long time since I posted something, but there are reasons for that. Belgium is trying to act modern, as it thinks it is as important as any other highly valued country. They even try to convince the people that they make a HUGE effort in fighting cybercrime. But still many sites get defaced and political party websites get DDoSed by bored kids.

At least my nagging to the Belgian Defence about inappropriate web and network design started to irritate the military sysadmins, who then, with "much kindness", asked me to stop investigating Google results about their network. Mission accomplished. Awareness is step 1 of the digital healing process :-)

Comité I was another thing I had on the list. SecOps, PsyOps in Belgium, ...
But the sun started to shine and there is more to life than reading in my dark dungeon.

And then there are the beans. Maybe white beans in tomato sauce. Or jelly beans.
Or government beans. Those which contain database information. Like the one below:

<bean id="db2XaDatasource" class="com.ibm.db2.jcc.DB2XADataSource">
    <property name="databaseName" value="dt00eva" />
    <property name="portNumber" value="3792" />
    <property name="driverType" value="4" />
    <property name="serverName" value="10.13.2.17" />
    <property name="currentSchema" value="EVAADM" />
    <property name="user" value="evajava" />
    <property name="password" value="YHhpiWPp" />
</bean>

The password has been wiped out. :-)

So this seems to be related to the website of "Fonds voor arbeidsongevallen", where Eva seems to be an important name. Looking for my source? Then do a Google search on: "be.fgov.faofat.evalea2"

It seems to be a habit in Belgium to use the public internet as a huge clipboard, and then hope it gets wiped afterwards. Or sysadmins believe their website is of no importance, just like their work. I assume they only work for the money and not for the "Digital Passion".
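Added example, not from the post or from the site it describes: a small check for Spring bean definitions like the one above, which flags credential properties that carry a literal value and rewrites them as ${...} placeholders so the real values live outside the file that ends up on the public internet. The sample XML is constructed; its server, user and password values are made up.

```python
import re
import xml.etree.ElementTree as ET

# Property names that usually carry credentials, and the Spring ${...} placeholder form
# that means the value is injected at runtime instead of being written into the file.
SECRET_NAMES = re.compile(r"password|passwd|secret|token|credential|user", re.I)
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")

# Constructed sample in the shape of the leaked bean (values made up); the second bean
# shows what the same definition looks like once the credentials are externalized.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="db2XaDatasource" class="com.ibm.db2.jcc.DB2XADataSource">
    <property name="serverName" value="10.0.0.9" />
    <property name="user" value="appuser" />
    <property name="password" value="hunter2" />
  </bean>
  <bean id="safeDatasource" class="com.ibm.db2.jcc.DB2XADataSource">
    <property name="user" value="${db.user}" />
    <property name="password" value="${db.password}" />
  </bean>
</beans>"""

def _local(tag):
    """Strip the XML namespace so the check also works on real Spring files."""
    return tag.rsplit("}", 1)[-1]

def _is_hardcoded(prop):
    value = prop.get("value")
    return (value is not None and SECRET_NAMES.search(prop.get("name", "")) is not None
            and not PLACEHOLDER.match(value))

def find_hardcoded_secrets(xml_text):
    """Return [(bean id, property name, value)] for credential properties with literal values."""
    root = ET.fromstring(xml_text)
    return [(bean.get("id"), prop.get("name"), prop.get("value"))
            for bean in root.iter() if _local(bean.tag) == "bean"
            for prop in bean if _local(prop.tag) == "property" and _is_hardcoded(prop)]

def externalize_secrets(xml_text):
    """Rewrite literal credentials as ${beanId.property} placeholders; returns the new XML."""
    root = ET.fromstring(xml_text)
    for bean in root.iter():
        if _local(bean.tag) != "bean":
            continue
        for prop in bean:
            if _local(prop.tag) == "property" and _is_hardcoded(prop):
                prop.set("value", f"${{{bean.get('id')}.{prop.get('name')}}}")
    return ET.tostring(root, encoding="unicode")
```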

But have you ever left a bean in the wild? It grows and starts its own life.
And one day that bean will become the feeding ground of hackers.

Oh well... I'm not a farmer, nor will I ever plant beans. I leave it up to the specialists to terminate the weed.
Sleep tight.

Tuesday 5 March 2013

Do we have a non-disclosure agreement with Belgium Defense?

"He who plays with the devil could burn his fingers."

Lots of people know this application: "HijackThis". Whenever you get stuck with your PC for some reason, some tech people will ask you to pull a HijackThis report. Nothing wrong at first sight.

But HijackThis grabs a lot of information: information about your IE settings, and thus about proxy server definitions, etc.:

IE - HKU\S-1-5-21-1935655697-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1935655697-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;*.mil.intra;portal.mil.be;dghr.mil.*;http://intranet;http://10.999.0.999;intranet.mil.intra
IE - HKU\S-1-5-21-1935655697-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxyREMOVED:REMOVED

The example above was found on a Dutch computer forum where they were discussing the ecops virus. Information that should be covered by a non-disclosure agreement, as it contains a small part of network-design information. And that agreement was never signed between "Belgian Defense" and "The Internet".
Looking at the export, I can also tell that Belgian Defense has Dell machines with the following info:
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000813 | Country: België | Language: NLB | Date Format: d/MM/yyyy

1,99 Gb Total Physical Memory | 1,24 Gb Available Physical Memory | 62,09% Memory free
3,33 Gb Paging File | 2,69 Gb Available in Paging File | 80,71% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 21,68 Gb Total Space | 0,04 Gb Free Space | 0,18% Space Free | Partition Type: NTFS
Drive D: | 50,00 Gb Total Space | 0,16 Gb Free Space | 0,33% Space Free | Partition Type: NTFS
Drive G: | 15,62 Gb Total Space | 3,49 Gb Free Space | 22,32% Space Free | Partition Type: FAT32
Drive H: | 465,76 Gb Total Space | 224,79 Gb Free Space | 48,26% Space Free | Partition Type: NTFS

Computer Name: LAPTOP-XXXXXX | User Name: XXXXXX | Logged in as Administrator.
The following items are installed: F-Secure, Java 6 runtime, Windows Defender, Azureus VUZE remote, Adobe Reader 9, Free YouTube to MP3 Converter, ICQ lite, ... And this poor guy, Patrick, likes to read "De Standaard", as this was set as his homepage in IE8.

I suppose any hacker would benefit from having such information to make a custom virus. And when he pretends to be the helping hand of this "soldier in need" on the forum, it will be easy social engineering to hand over the virus and get it triggered in the military network. Think about MiniDuke or the APT1 report.

So if they are so free to provide all this info to the public, I'm not surprised that they got infected with the ecops virus.

And maybe also a nice side note: keep in mind that copyright organizations like BRAIN or BAF might also be reading this info and find it interesting when someone has torrent software (Azureus) or YouTube-to-MP3 converters on their machine.
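Added example, not from the post: a redaction pass to run over a HijackThis/OTL-style export before pasting it on a public forum. It masks exactly the fields the post shows leaking: the user's SID in the HKU path, the ProxyServer and ProxyOverride values (internal hostnames and proxy addresses), private IP addresses, and the computer and user names. The sample report is constructed with made-up values in the same layout.

```python
import re

# Redaction rules, applied in order: the key/value rules run first so a whole proxy value
# (with its internal hostnames) disappears before the generic SID and private-IP rules run.
RULES = [
    (re.compile(r'("Proxy(?:Server|Override)" = )[^\r\n]+'), r'\1<REDACTED>'),
    (re.compile(r'((?:Computer|User) Name: )[^|\r\n]*?(?=\s*(?:\||$))'), r'\1<REDACTED>'),
    (re.compile(r'S-1-5-21-\d+-\d+-\d+-\d+'), 'S-1-5-21-<SID>'),
    (re.compile(r'\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b'),
     '<PRIVATE-IP>'),
]

# Constructed sample in the layout of the export quoted in the post (all values made up).
_HKU = r"HKU\S-1-5-21-1111111111-222222222-333333333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SAMPLE_REPORT = "\n".join([
    f'IE - {_HKU}: "ProxyEnable" = 0',
    f'IE - {_HKU}: "ProxyOverride" = localhost;*.corp.intra;http://10.20.0.5',
    f'IE - {_HKU}: "ProxyServer" = proxy.corp.intra:8080',
    "Computer Name: LAPTOP-EXAMPLE | User Name: jdoe | Logged in as Administrator.",
])

def redact_line(line):
    """Apply every rule to one line; returns (redacted line, number of replacements)."""
    count = 0
    for pattern, replacement in RULES:
        line, n = pattern.subn(replacement, line)
        count += n
    return line, count

def redact_report(text):
    """Redact a whole export; returns (redacted text, total replacements) for a quick audit."""
    out, total = [], 0
    for line in text.splitlines():
        new_line, n = redact_line(line)
        out.append(new_line)
        total += n
    return "\n".join(out), total

if __name__ == "__main__":
    redacted, n = redact_report(SAMPLE_REPORT)
    print(f"{n} values redacted\n{redacted}")
```

Harmless settings such as "ProxyEnable" = 0 are left intact, so the helper on the forum still gets the information needed to diagnose the machine.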