1 Year! – Learning together.

Hello World!

It’s been over a month since my last post; it’s been busy. A constant desire to learn new things is something that can be hard to manage. Without a main goal it can be hard to choose the path you want to take, and this industry is truly endless.

Off the back of CYBERUK, I will be working on the guide to identifying phishing/social engineering tactics. According to the most recent Crime Survey for England and Wales, fraud makes up almost 40% of crime reported. Whilst the past two years have indeed seen a decrease in conventional crime and a rise in cyber-crime, things like burglaries will rise again as we move out of the pandemic… It is not expected that the number of cyber-crimes will see a decline any time soon.

I’ve hit a wall recently… Having not done any maths since high school, I’m having to teach myself graph theory and calculus and improve my understanding of things like algebra. My goal? I want to understand the mathematics of signals and systems. The posts might trickle in here, but I have not forgotten about it.

Finally, a section for write-ups of things like TryHackMe and HackTheBox will be coming soon. There are loads of TryHackMe write-ups on the internet that hand out answers with no explanation of why… Something that benefits neither reader nor writer. HackTheBox is something I need to use to challenge my skills, and I plan to document all the things I learn. I particularly want to develop these communication skills, teaching non-technical people technical things, something I struggle with very much given my neurodiversity.

Thank you everyone for reading what I have to say over this first year, it’s been a tough one for me. This has been a huge outlet for me to speak about what I enjoy, helping me get through some difficult times. I really appreciate you all, even if my posts only get high double digits… It puts a smile on my face.

MITRE ATT&CKcon 3.0

Hello World!

A very brief post: over the last couple of days I attended ATT&CKcon 3.0. It was full of brilliant talks and interesting people. One I couldn’t take my eyes off was a talk from educators in the social sciences sector and their students, from high school to postgrads, demonstrating a social engineering attack and mapping it to the matrix.

There were 24 talks. Something in there for everyone… Red teamers, blue teamers, threat intel or anyone who enjoys cyber-security. Some good open-source tool drops to the community, which everyone is thankful for. The people at Recorded Future dropped this awesome tool to identify controls for TTPs: https://controlcompass.github.io/resources. There was also the release of SnapAttack community edition. Lots more I can’t list, such as a honeypot container; that talk was interesting but a little too much for me to take in all at once. Can’t wait to re-watch some of the talks and view the slides again.

I’m excited for what’s to come with the platform. There is lots of work going on over at MITRE in improving the matrix, expanding that common language between all areas and all teams.

It was good to see at least two Brits involved in giving talks. Travelling across the pond to give a 15–20-minute talk shows serious dedication… and I look forward to seeing those same speakers on home soil soon; CYBERUK is just around the corner now.

I’ve updated this to add that they did manage to get swag out to some virtual participants. Lastly, I think the best quote from the conference for me was along the lines of “Is it IoT or is it just Linux?”.

I’m going to be taking a brief break from writing a new piece. I spent some time last night trying to look into the Spring Framework RCE, which has since been assigned the CVE number CVE-2022-22965. A tool created by hillu on GitHub allows local vulnerability scanning for this issue.

Backup codes!

Hello World!

Building on my misconfiguration of security keys, I had to use a backup code for the first time ever today. I cannot stress enough the importance of these codes for your accounts that have multi-factor authentication. Write them down and keep them in a safe place; they could really save your skin.

Especially when we think that people could have phones stolen, having those backup codes gives you peace of mind that, no matter what, you have a way of getting back into your accounts. I just wanted to mention this, as it’s my first experience of getting locked out of an account. Well… getting locked out and it being of my own doing.

I’m currently attending MITRE ATT&CKcon and enjoying the speakers very much; I might write about some stuff I have learned. However, my priority right now is sticking to my plan for the content here on my site and meeting deadlines, so I’m really not keen to add much stuff to my to-do list right now.

That wasn’t supposed to happen…

Hello World! I’ve successfully broken a YubiKey and locked myself out of my accounts. It’s not completely broken, it just needs to be reset, but what a pain in the backside.

This is why I have my backup key, meaning this is nothing but an inconvenience to me. I was trying to set up my YubiKey with KeePass so I’d be able to demonstrate it, but didn’t pay enough attention to what I was doing. Oopsie. There is documentation for setting it up as a master key, but I don’t know how viable it is. In the meantime, I disabled the NFC on the key as I don’t currently use it. Well, this won’t be a major issue… I can take all the things I’ve learnt over the last few months from using my key and have an even better configuration this time. Maybe even upgrade my keys.

However, I do want to do two things for people here on AACyber: demonstrate YubiKeys (and properly discuss multi-factor authentication), and use keepass2john and hashcat to attack a (poorly configured) KeePass database.

Lastly, it’s only right I disclose https://ubuntu.com/security/CVE-2022-0725. This is a recent vulnerability found within KeePass; however, it only affects Linux systems. If I can reproduce it on one of my machines then I’ll write about it, but I don’t think I will have much luck. So that’s what is coming. I feel this format is much more engaging for the audience, as we aren’t just discussing some app stealing passwords or a Google Chrome patch, but much more exciting things that we’re all capable of doing.

We also have more to elaborate on KeePass and its abilities, but one step at a time… I’m also looking at getting additional biometric security keys from Feitian for personal use; however, I will only talk about YubiKeys as they are the easiest and most accessible security keys currently on the market.

This post caused me some issues for some reason but it should be fixed now.

KeePass and the argument for password managers.

[Update 11th May 2022: I am going to be making changes soon to improve readability of this post, I understand it’s a little more complex than what I am aiming for.]

Passwords: So, let’s start off with the most important question, what makes a good password?

  • Passwords should be at least 14 characters in length.
  • Passwords should be unique, a different password for every account.
  • Passwords shouldn’t contain personal information, such as your birth year or even things like your old street name.
  • Passwords should be a mixture of characters; letters, numbers and symbols, as well as case differences.
  • Passwords should be kept secret, even from those you love and trust… You don’t know how seriously they take security.

Now I wanted to look at the UK NCSC’s guide and their three random word guidance. They recommend using, well… Three random words, claiming that this is more secure than “complex passwords, which can be difficult to remember and yet guessable for criminals.” (www.ncsc.gov.uk, n.d.)

NCSC Technical Director Dr Ian Levy said: “Traditional password advice telling us to remember multiple complex passwords is simply daft.” (www.ncsc.gov.uk, n.d.)

I’m going to be upfront; I disagree… Let me tell you why.

Since about 2014 I have been using a program called KeePass; this program has withstood the external penetration tests I have been aware of, with the testers being unable to breach the software. This was my father’s implementation in his organization; it wasn’t adopted by all users. However, the admins had been using it, successfully keeping attackers away from important passwords.

Before I show you KeePass, I will look at the positives of the NCSC’s method. The first one that springs to mind is simplicity: not every user is confident installing software on their computer, and coming up with three random words is certainly much simpler and easier to understand than a long list of password requirements. Secondly, compared to a password manager there is no risk of “losing” many passwords in one go. Things can break, or you may lose access to the media that held your password database or key file; this isn’t a problem with the three random words (3RW) method. Finally, password managers can be quite tedious… Sometimes you may find yourself frustrated, having to go in and out of a password manager multiple times across a short time span. Not just that, but the act of having your database on X media and key file on Y media is intimidating to some.

Here’s the KeePass prompt you see when you create a database, which is a simple process you will be taken through the first time. When you create your database, you’ll be given the option to create a key file or link your database to your Windows user account. (I believe this must be a local account, so you may need to switch account type on Windows.) I strongly suggest using one of these; this is the multi-factor authentication aspect of KeePass, because an attacker who copies your database file then also needs the second factor before any password guessing can begin:

  • Something you know, your password.
  • Something you have, key file or windows user account.

We will go over MFA next and explain this in a little more detail, but for now my recommendation for a basic setup of KeePass is to keep your database on a USB stick (the “portable” version lets you run KeePass itself from the stick without installing it) and the key file on your personal computer, so that losing the stick does not hand over both factors. Best practice would involve making a backup copy of both the database and the key file; this isn’t required but is strongly recommended, because without the key file the database cannot be opened at all. A common issue with this is that you’ll constantly be adding new entries to your manager, so you will need to make sure you update both databases: always save your main database, and periodically save to your backup, maybe once a fortnight.
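To make the two-factor point concrete, here is an added Python example (mine, not KeePass’s code or this post’s) that models the shape of KeePass’s composite key: each factor is hashed separately, the hashes are concatenated and hashed again, and a slow key derivation runs over the result. PBKDF2 stands in for KeePass’s own key-derivation function, the round count, wordlist, weak master password and key file are constructed for the example, and nothing here reads or writes a real .kdbx file. It runs the same small offline dictionary attack an attacker with keepass2john and hashcat would run, against three configurations of the same database:

```python
import hashlib
import secrets
from typing import Dict, Iterable, Optional

# Simplified model of a key file as a second factor in front of a password
# database.  KeePass hashes each factor, hashes the concatenation into a
# composite key and then runs a deliberately slow KDF over it; this example
# keeps that shape but uses PBKDF2-HMAC-SHA256 as the slow step, so it is an
# illustration of the scheme, not KeePass's exact format or KDF.
KDF_ROUNDS = 50_000  # assumed, chosen only to make each guess cost something

# Constructed for this example: a weak master password, a fresh 32-byte key
# file and a per-database salt.
WEAK_MASTER_PASSWORD = "planets123"
KEY_FILE = secrets.token_bytes(32)
SALT = secrets.token_bytes(16)

# A tiny constructed wordlist; a real attacker would feed hashcat rockyou.txt.
WORDLIST = ["password", "letmein", "ganymede", "planets123", "callisto"]


def composite_key(password: str, key_file: Optional[bytes]) -> bytes:
    """Hash each factor separately, then hash the concatenation."""
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    return hashlib.sha256(parts).digest()


def derive_master_key(password: str, key_file: Optional[bytes], salt: bytes) -> bytes:
    """Slow transform over the composite key, as a real database format does."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, key_file), salt, KDF_ROUNDS)


def dictionary_attack(target_key: bytes, salt: bytes, wordlist: Iterable[str],
                      key_file: Optional[bytes]) -> Optional[str]:
    """Offline guessing with whatever the attacker holds: the database (target key
    and salt) and, only if they also copied it, the key file."""
    for candidate in wordlist:
        if derive_master_key(candidate, key_file, salt) == target_key:
            return candidate
    return None


def attack_scenarios() -> Dict[str, Optional[str]]:
    """Three configurations of the same database, same weak master password."""
    password_only = derive_master_key(WEAK_MASTER_PASSWORD, None, SALT)
    with_key_file = derive_master_key(WEAK_MASTER_PASSWORD, KEY_FILE, SALT)
    return {
        # Database on a lost USB stick, no key file in use: the weak password falls at once.
        "password only": dictionary_attack(password_only, SALT, WORDLIST, None),
        # Key file kept on the PC, attacker has only the stick: every guess is
        # combined with the wrong (absent) second factor and nothing matches.
        "key file, attacker lacks it": dictionary_attack(with_key_file, SALT, WORDLIST, None),
        # Key file stored on the same stick as the database: back to one factor.
        "key file, attacker copied it": dictionary_attack(with_key_file, SALT, WORDLIST, KEY_FILE),
    }


if __name__ == "__main__":
    for scenario, result in attack_scenarios().items():
        print(f"{scenario:30s} -> {'recovered ' + result if result else 'not recovered'}")
```

The middle scenario is the whole argument for keeping the key file on different media from the database: the attacker’s guessing loop is identical, but without the 256-bit key file no wordlist will ever produce the right composite key.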

Here’s a KeePass database, fun fact about me: I like to name my servers after planets and workstations after satellites. (Mainly moons but inclusive of other satellites.)

We will go over creating entries and password generation in a moment, but let’s say I wanted to log into the root account on Ganymede. For the sake of my point I’m going to ignore potential issues with copying passwords onto VMs; a note for the geeks is to configure SSH (or RDP for Windows machines) and port forwarding so you can access machines from a terminal or software like PuTTY. I would simply right-click on my Ganymede entry, click Copy Password, and my password will be copied to my clipboard for 15 seconds to paste into my terminal. You would likely use it for something like your Amazon or PayPal account. The same applies for your username; the URL field is for the address of the website (or IP of the server) and notes for… well, notes.

So how do we use KeePass to create passwords? Start by right-clicking anywhere in the folder in which you wish to create an “entry”, then simply click Add Entry.

You’ll see the window on the left. Click the little key next to the password box and you will be presented with a drop-down selection; click Open Password Generator and the second window, on the right, will pop up. This is your password generator; it lets you determine how you want your passwords to be created. This is a good place to apply those password rules, plus it will keep them all together and mean you no longer need to remember any password other than your database master key. However, do make sure you save after any edits, and don’t lock yourself out of your accounts. A random-word passphrase is a good fit for that one master key you still have to remember, but opt for five words over three: the reward for getting into a password database is worth a much longer attack to an attacker.

Lastly, before we move towards our conclusions, let’s look at how many combinations there are if we take the 171,476 words in the dictionary and have users choose three of them (171,476 choose 3).

This gives us an output of 8.403325462709 × 10^14 (840 trillion) possibilities. That figure counts unordered sets of three distinct words; an attacker guessing the password as typed has to try ordered sequences, repeats allowed, which is 171,476^3 ≈ 5.04 × 10^15 (about 52 bits), so the true pool is a little larger. Now I’m going to save us both the maths on this next one, but add numbers to letters and you have a different story: the number increases even more, and again when you start randomising where capital letters may be… I’m going to say that a little bit of open-source intelligence is likely to eventually narrow down a person’s three-word password. If we’re talking about how many words the average person has in their vocabulary, the estimates work out to about 20,000; that’s a significant drop from our original pool of over 170,000 (20,000^3 = 8 × 10^12, about 43 bits). We are human, and one of our inherent weaknesses is sticking to what we know… Users are still going to use words that mean things to them, or set passwords like MarchTwentyTwo. Without adequately addressing these psychological factors of security, the three-word method will suffer from similar issues as we have had in the past.
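To put those counts side by side, here is an added Python example (mine, not the post’s) that computes the post’s 171,476-choose-3 figure, the ordered count an attacker actually has to search, the 20,000-word vocabulary case, a five-word passphrase and a 14-character random password, each with its entropy in bits and an expected search time. The dictionary and vocabulary sizes are the post’s; the 94-character printable ASCII set and the rate of 10^10 guesses per second are assumptions for the example:

```python
import math

# Figures from the post: 171,476 words in the dictionary and ~20,000 words in
# an average speaker's vocabulary.  The 94 printable ASCII characters and the
# guessing rate are assumptions made for this example.
DICTIONARY_WORDS = 171_476
VOCABULARY_WORDS = 20_000
PRINTABLE_ASCII = 94
GUESSES_PER_SECOND = 10**10  # assumed offline cracking rate


def unordered_choices(words: int, picks: int) -> int:
    """The post's figure: `picks` distinct words with order ignored (n choose k)."""
    return math.comb(words, picks)


def ordered_guesses(words: int, picks: int) -> int:
    """What an attacker enumerates: every ordered sequence of `picks` words
    from a list of `words`, repeats allowed (n to the power k)."""
    return words ** picks


def charset_guesses(charset: int, length: int) -> int:
    """Key space of a `length`-character password drawn uniformly from `charset` symbols."""
    return charset ** length


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy in a uniform choice from `keyspace` possibilities."""
    return math.log2(keyspace)


def expected_crack_seconds(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected search time: on average half the space is tried before the hit."""
    return keyspace / 2 / rate


def compare() -> dict:
    """Key space, entropy and expected crack time for the schemes discussed in the post."""
    spaces = {
        "3 words, 171,476-word dictionary": ordered_guesses(DICTIONARY_WORDS, 3),
        "3 words, 20,000-word vocabulary": ordered_guesses(VOCABULARY_WORDS, 3),
        "5 words, 171,476-word dictionary": ordered_guesses(DICTIONARY_WORDS, 5),
        "14 random printable ASCII chars": charset_guesses(PRINTABLE_ASCII, 14),
    }
    return {name: (space, entropy_bits(space), expected_crack_seconds(space))
            for name, space in spaces.items()}


if __name__ == "__main__":
    print(f"171,476 choose 3 (the post's count) = {unordered_choices(DICTIONARY_WORDS, 3):,}")
    for name, (space, bits, secs) in compare().items():
        print(f"{name:34s} {space:.3e} guesses  {bits:5.1f} bits  ~{secs / 86400:.3g} days")
```

Three dictionary words sit around 52 bits, which at the assumed rate is days of work for an attacker with a stolen hash; three words from a 20,000-word vocabulary drop to about 43 bits, a matter of minutes. Five random words or fourteen random printable characters land in the high eighties to low nineties of bits, which is why the generator, not the user, should be picking account passwords.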

In conclusion, I have demonstrated a free, open-source password manager that I believe is simple; whilst not as simple as the NCSC’s method, with many more steps to go through, I believe the use case for password managers is not going to disappear. With so many accounts nowadays, users will struggle to remember a unique password for every online store or social media account. The NCSC themselves are aware of this weakness, which means that a way to securely store passwords is going to be required no matter what scheme you use to create them. The three-word method will also come with the same human-level vulnerabilities that only true randomization can mitigate. Why think of a password when the application you use to store them can think of one for you?

I have decided to push these out piece by piece; this was a chunky read, and if you did read it all then I am honestly thankful… You are taking steps to a safer online presence. I will demonstrate some little offensive techniques soon, which will be linked into this post to give readers a much more informative experience. Additionally, as we lightly touched on in this post, there is something called Open-Source Intelligence (OSINT). We will certainly investigate it when we take a look at phishing, but I encourage you to just give it a google; it’s likely something you do all the time yourself.

Come back next time, when we will delve into multi-factor authentication: what are 2FA and 3FA? How effective is MFA? How can I use MFA to protect my account?

Thank you for reading, Sec rity really isn’t possible without u, Stay safe!

http://www.ncsc.gov.uk. (n.d.). NCSC lifts lid on three random words password logic. [online] Available at: https://www.ncsc.gov.uk/news/ncsc-lifts-lid-on-three-random-words-password-logic.

Planes are pretty cool! – Food for thought #3.

Just a little unstructured rambling today from me, I’m sure someone will enjoy the read…

I have begun reading through a 2016 thesis on security in next-generation air traffic communication networks by Martin Strohmeier; it was brought to my attention in discussions about a possible use case for software-defined radio. This isn’t anything new; the first proof of concept I saw of such methods was, I believe, from DEF CON 17 in 2009, but I can’t remember the date off the top of my head.

We can discuss some cool hacking stuff in a second, but first you need to understand how an aircraft is guided onto the runway. I’m going to briefly discuss this presentation from USENIX and its demonstrations of attacking an aircraft’s Instrument Landing System (ILS). Firstly, how it is supposed to work: the ground station uses multiple Tx antennas (Tx means transmit; receive and transmit are commonly abbreviated to Rx and Tx respectively). The localizer has the purpose of aligning the aircraft with the runway centreline, and the glideslope provides vertical guidance, keeping the aircraft on the correct descent angle. Each antenna transmits a carrier amplitude-modulated with a 90 Hz and a 150 Hz tone, arranged so that the depth of each tone varies with the aircraft’s position; the receiver compares the two depths (the difference in depth of modulation, DDM) and drives the cockpit needle from that difference. If you know enough about radio and security concepts then I highly recommend you read the presentation this is regarding; I’m not qualified to discuss it in too much detail but will be trying to learn more about this when I can.

So we discussed how the ILS is responsible for navigation during landing, and very basically how it goes about doing that. The attacks in the presentation take advantage of some of the behaviours of aircraft ILS receivers. For example, they are designed to “lock on” to the strongest signal, which is sensible when you consider that some airports have multiple runways and therefore multiple ILS systems, so a way to figure out which one you need is required. But with what is called an “overshadow attack” an attacker can simply overpower the legitimate signal with one of their own carrying false guidance, provided they have enough information to carry out the attack, which is a fair assumption given that things like FlightRadar24 allow people to track flight paths and lots of information about these systems is already in the public domain. There is another called a “single-tone attack”, but this is a little less straightforward than simply overpowering a signal; nevertheless, I will touch on it at some point in the future after more reading.
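As an added illustration (mine, not from the USENIX paper or this post), the Python below models the overshadow attack numerically. It assumes a localizer whose 90 Hz and 150 Hz tones are each 20% deep on the centreline and a full-scale needle deflection at 0.155 DDM (the ICAO Annex 10 figures), an ideal envelope-detecting receiver, and a rogue carrier that adds in phase with the real one; real receivers, antennas and propagation are messier, so the numbers are for intuition only. It generates one period of the combined envelope, recovers each tone’s depth the way a receiver would, and sweeps the rogue transmitter’s power:

```python
import math

# Localizer figures used here: both navigation tones are 20% deep on the
# centreline and 0.155 DDM is full-scale needle deflection (ICAO Annex 10).
# Everything else is a simplifying assumption for this example: an ideal
# envelope detector and a rogue carrier that adds in phase with the real one.
ON_COURSE_DEPTH = 0.20
FULL_SCALE_DDM = 0.155
SAMPLE_RATE = 9_000                  # samples per second
PERIOD_SAMPLES = SAMPLE_RATE // 30   # 1/30 s holds exactly 3 cycles of 90 Hz and 5 of 150 Hz


def tone_depths(ddm):
    """Tone depths a transmitter uses to encode a target DDM (150 Hz depth minus 90 Hz depth)."""
    return ON_COURSE_DEPTH - ddm / 2, ON_COURSE_DEPTH + ddm / 2


def envelope(amplitude, ddm, t):
    """Envelope of one AM carrier carrying the 90 Hz and 150 Hz tones at time t."""
    d90, d150 = tone_depths(ddm)
    return amplitude * (1 + d90 * math.cos(2 * math.pi * 90 * t)
                        + d150 * math.cos(2 * math.pi * 150 * t))


def measure_ddm(samples):
    """Receiver side: recover each tone's depth from one period of the envelope, then subtract."""
    dc = sum(samples) / len(samples)

    def depth(freq):
        # Correlate with the tone; over whole cycles the other tone and the DC term drop out.
        correlation = sum(s * math.cos(2 * math.pi * freq * i / SAMPLE_RATE)
                          for i, s in enumerate(samples))
        return 2 * correlation / len(samples) / dc

    return depth(150) - depth(90)


def received_ddm(legit_amplitude, rogue_amplitude, rogue_ddm, legit_ddm=0.0):
    """DDM the receiver reports when a rogue carrier adds on top of the legitimate one."""
    samples = [envelope(legit_amplitude, legit_ddm, i / SAMPLE_RATE)
               + envelope(rogue_amplitude, rogue_ddm, i / SAMPLE_RATE)
               for i in range(PERIOD_SAMPLES)]
    return measure_ddm(samples)


def needle_deflection(ddm):
    """Cockpit indication as a fraction of full scale, clipped like the instrument."""
    return max(-1.0, min(1.0, ddm / FULL_SCALE_DDM))


def overshadow_sweep(rogue_ddm=0.20, power_db_steps=(-10, 0, 3, 6, 10, 20)):
    """How the reported DDM moves from the legitimate value (0, on centreline)
    towards the rogue value as the rogue transmitter's power rises."""
    rows = []
    for db in power_db_steps:
        rogue_amplitude = 10 ** (db / 20)  # power ratio in dB -> amplitude ratio
        ddm = received_ddm(1.0, rogue_amplitude, rogue_ddm)
        rows.append((db, round(ddm, 4), round(needle_deflection(ddm), 3)))
    return rows


if __name__ == "__main__":
    print("rogue power (dB over legit)  reported DDM  needle (fraction of full scale)")
    for db, ddm, needle in overshadow_sweep():
        print(f"{db:>27d}  {ddm:>12.4f}  {needle:>8.3f}")
```

Under these assumptions the reported DDM is the amplitude-weighted average of the two signals’ DDMs, so a rogue transmitter of equal power already pulls the needle two-thirds of the way across, and at 20 dB over the legitimate signal the indication is pinned at full scale in whichever direction the attacker chose.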

Above, we went over a high-level explanation of one of the wireless attack types that could be carried out on an ILS. To add to that, one of the biggest concerns I see mentioned is the relative affordability and availability of SDR modules. More people can now carry out these attacks with less equipment than was required before, even from on board the aircraft… With demonstrated offsets of up to 50 metres and the added concealment an SDR may provide, this represents a serious attack vector that could be exploited to cause devastation and mass casualties.

Ok, so let’s get to some of the hacker stuff, what even brought this to my attention?

Ukrainian cyber forces have been hard at work. I was discussing this topic with some other hackers and a Ukrainian national given a “free pass” to hit Russia; whilst the topic at first was messing with these systems on board the aircraft, someone raised the idea of instead transmitting signals that would be expected to come from an aircraft. Whilst this again isn’t a new idea, it’s been tested and, even with notification and preparation, caused an absolute nightmare for air traffic control. Furthermore, the opening for a denial-of-service attack is certainly worth highlighting. Nearly every system operated by a human is vulnerable to operator overload, and that’s certainly not exclusive to human operators either. Just sending lots of signals could be all it takes to shut down a section of civilian airspace. It certainly would give Russian airspace controllers a hard time if it was done; however, such an attack would be indiscriminate and, by the nature of naughty things… hard to control.

I will be looking into more of this topic in my spare time. Also, having just started getting competent with the cloud myself, I will be looking to move this site onto an IaaS platform. However, there are many things to weigh up; I might not switch this site itself over, but I also need to explore the options available to me regarding things like subdomains. WordPress is fantastic and not something I want to leave for any reason, but as we move forward aacyber aspires to officially set up and be able to actively assist in keeping everyone in cyberspace safe.

ALDIs DIY soldering iron is a decent buy for £9.99, even comes with 7 grams of solder. Sure, it’s not the best in the world but I’m not selling anything I make yet…

Here comes the “Cyber Army”.

Hello World…

So the Russian government finally pulled the trigger on their invasion of Ukraine; since then we have seen information warfare erupt as the Russian dictator tries to deny any wrongdoing. But I wanted to talk about the “Cyber Army” now threatening Russian government infrastructure, not the Ukrainians in particular but the world as a whole.

Anonymous is probably the most well-known group that has been targeting Russia, dumping credentials and PGP keys from the mil.ru domain. This domain has since been geo-fenced to Russian territory. So what’s the issue… Hackers want to stand up for Ukraine and I have an issue with it?

Not just me, but many voices have spoken out about their concerns. Any party not affiliated with a government and/or its intelligence services should leave Russian systems the fuck alone. Firstly, no matter who your target is, this kind of action is strictly prohibited and criminal; it will lead to consequences for anyone carrying out malicious activity… possibly prison time. Secondly, there is a significant risk to legitimate intelligence operations when a bunch of script kiddies start trampling around a system. Imagine hiding for years only to be undone because someone comes along with a drum set…

That is all. I am trying to push my skills more as of recently, so the blog may slow down as I allow time for study. A little bit of a rant, but it needs to be said; that’s my position on this.