Con games: How do they do it?

Hello World!

So, this is going to be a fun one. Lots to cover as we jump into what social engineering is and why it works.

Let us get started by listing the names that we give to these types of attacks. There are many terms used somewhat interchangeably; they include, but are not limited to:

  • Social Engineering
  • Con(fidence) Games
  • Scamming
  • Fraud
  • Blackmail
  • Extortion
  • Phishing
  • Spoofing
  • Business email compromise (BEC)

Now, these terms don’t all mean the same thing. However, they are important for understanding what exactly social engineering is, and we can get a good idea of it from peering at these terms (other than con games, which is simply an alternate name). The terms all sit under the umbrella of social engineering: social engineering is the method by which each of these techniques succeeds.

This does fall under the category of “hacking”; however, in some cases it involves very little technical know-how. Even phishing, which we have discussed previously, can be automated with tools; recently we have even seen new phishing chatbots.

So now that we have quickly gone over what social engineering involves, let’s try to understand why it works so well for the attacker. Humans are humans: we simply have a subconscious desire to trust others. This is a massive vulnerability in human psychology; simply put, it’s the reason we get conned, scammed, and deceived.

But it’s not as simple as someone blindly believing what they are told, again there’s a lot of victim-shaming when it comes to these things… the victim is never to blame, attackers are sophisticated. Let’s go even deeper in understanding the mechanisms used by these con artists.

  • Authority
  • Consensus
  • Scarcity
  • Urgency
  • Familiarity
  • Trust

If you want a quick guide to spotting phishing attempts, then check out my post here. But it’s example time… I would love to break down these techniques more, but this is a blog post; it’s supposed to be enjoyable to read and not feel like a report.

Authority is one of the most common methods. This could be something like pretending to be your nation’s tax authority (IRS, HMRC etc.) and threatening you with fines or even prison time. We can even look at an example of an authority-driven attack; whilst this isn’t the most sophisticated attack, it allows us to understand the idea.

A scary text message! Fortunately it isn’t real. Source: https://www.worldprivacyforum.org/

Consensus is another common one, particularly amongst cryptocurrency scams. Social media has become a cesspit full of these… to name names, it’s mostly Instagram. An example you can do is to make a tweet saying, “I’m locked out of my bitcoin wallet!” You will get a bunch of bots commenting how they had the same thing but @no1metamaskhackerbitcoinrecovery was able to help. I will include a typical Instagram scam so you can see what consensus looks like in action.

A very typical Instagram scheme designed to take your money. We call this an advance payment scam and it’s one of the most common methods. Source: https://finance.yahoo.com

Scarcity is probably the simplest method to use, but also the easiest to spot. Think about visiting a website and getting a pop-up saying “You are the 1,000,000th customer, congratulations”, which tells you that there’s a “free gift” you can select. Now, a gift should be a red flag; sadly, nothing comes free in life. But let us again look at an example. It’s not always out to hack you either: think about the scalpers that have been buying up devices like PlayStations and re-selling them. That’s the same type of idea.

A typical page telling you that you have won a FREE prize. Source: https://www.pcrisk.com/

Urgency is often used in conjunction with other methods. In our example for authority we can see that an arrest warrant has supposedly been issued. Firstly, the tax authorities don’t want you to go to prison… how would you pay your tax? But more importantly, this is using the technique of urgency. It’s difficult to find an explicit example of urgency on its own; I would argue that urgency needs to piggyback off another technique to be effective. However, we will look at this later. Often several of these methods are chained in a single attack.

The same example as Authority but as we can see multiple techniques are chained together to be more effective.
Source: https://www.worldprivacyforum.org/

Finally, familiarity and trust complement each other more than anything else. No example for this one, but let’s have some fun and theorize our own attack. So, a family member has their account breached (think about how bad Facebook used to be for this) and they send you a message about a class that you have together… let’s say you both do karate on Friday evenings!

Using this compromised (or spoofed) account, an attacker could send you a “new class schedule” in a Microsoft Office document. Because you trust them and you do karate together, you are incredibly likely to open this document. You can then be compromised by an exploit like the recent Follina exploit, found in the Microsoft Windows Support Diagnostic Tool, which runs remote code on a target system with just a handful of clicks.

So, that was lots to cover. If this is something that interests you, or you want to strengthen your protection from such things… check out Hacking Humans, a free podcast provided by The CyberWire. Over there they expose scams and talk about how you can defend yourself or your family against the methods listed and more!

Remember, you are your own strongest password. If something doesn’t seem right, pause, and stop to have a think. Tell the person on the phone you will call them back, if they try to keep you on the phone… Red Flag!

If you’re still not sure after taking a moment, speak to a relative you can trust… even if they aren’t a tech pro.

Hertzbleed (CVE-2022-23823 and CVE-2022-24436)

Hello World!

On June 14th 2022, a new family of frequency-based side-channel attacks was disclosed to the public. The method is quite technical and above my level of understanding in places; additionally, there isn’t anything the majority of people need to do. BUT! There is a way this has the potential to affect many people, due to the mitigation techniques.

As some of you may notice, the name is rather similar to another vulnerability… Heartbleed. This other vulnerability came about just as I was getting into IT and security as a child and caused a headache for the professionals in my life at the time. From what I can tell other than both being cryptographic in nature… the similarities stop there.

So without being technical, what does this mean for us? Well, this vulnerability affects all Intel x86 CPUs and many AMD x86 CPUs. However, the attack would only serve a purpose on a server that handles cryptographic keys.

But hold on… you said it could affect many of us! How is that so if it’s carried out on cryptographic servers?

Well, these CPUs use something called Dynamic Voltage and Frequency Scaling (DVFS). This is something that can greatly boost the efficiency of a computer’s CPU and help control excess temperatures. This is the primary technology that is taken advantage of in these frequency side-channel attacks, so a potential mitigation would be turning off the frequency scaling. However… this would have a grave impact on performance.

Whilst it is ultimately up to organizations and individuals how they mitigate, in some areas there may be a drop in performance whilst software mitigations are hurried into production code, and this has a chance of affecting some hosting providers. As it stands there will be no patches from Intel and AMD, but their guidance can be found via the hyperlinks.
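If you want to see whether frequency scaling is actually active on a Linux host before deciding about the performance trade-off above, here is a small audit script. It is an added example, not from the original post or from the vendor guidance; it reads the standard Linux cpufreq sysfs attributes, and the “pinned” rule (scaling_min_freq equal to scaling_max_freq) is my own heuristic for a fixed clock.

```python
import os
import tempfile

SYS_CPU = "/sys/devices/system/cpu"   # where Linux exposes cpufreq; overridden in tests


def _read(path):
    """Return a sysfs value stripped of whitespace, or None if the attribute is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


def dvfs_report(root=SYS_CPU):
    """Report whether turbo/boost is on and whether each core's clock range is pinned.
    A core counts as pinned when scaling_min_freq == scaling_max_freq (my heuristic)."""
    report = {"turbo_enabled": None, "cpus": {}, "dvfs_active": True}
    no_turbo = _read(os.path.join(root, "intel_pstate", "no_turbo"))  # intel_pstate driver
    boost = _read(os.path.join(root, "cpufreq", "boost"))             # acpi-cpufreq / AMD
    if no_turbo is not None:
        report["turbo_enabled"] = no_turbo == "0"
    elif boost is not None:
        report["turbo_enabled"] = boost == "1"
    for name in sorted(os.listdir(root)):
        base = os.path.join(root, name, "cpufreq")
        if not (name.startswith("cpu") and name[3:].isdigit() and os.path.isdir(base)):
            continue                                  # skips cpufreq/, cpuidle/, etc.
        lo = _read(os.path.join(base, "scaling_min_freq"))
        hi = _read(os.path.join(base, "scaling_max_freq"))
        report["cpus"][name] = {"governor": _read(os.path.join(base, "scaling_governor")),
                                "pinned": lo is not None and lo == hi}
    all_pinned = bool(report["cpus"]) and all(c["pinned"] for c in report["cpus"].values())
    # DVFS is still in play if boost is on or any core may move between frequencies
    report["dvfs_active"] = bool(report["turbo_enabled"]) or not all_pinned
    return report


def make_sample_tree(turbo_on, pinned):
    """Constructed sysfs look-alike with two cores, so the report can run offline."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "intel_pstate"))
    with open(os.path.join(root, "intel_pstate", "no_turbo"), "w") as fh:
        fh.write("0\n" if turbo_on else "1\n")
    for i in range(2):
        base = os.path.join(root, f"cpu{i}", "cpufreq")
        os.makedirs(base)
        values = {"scaling_governor": "powersave", "scaling_min_freq": "800000",
                  "scaling_max_freq": "800000" if pinned else "4700000"}
        for attr, val in values.items():
            with open(os.path.join(base, attr), "w") as fh:
                fh.write(val + "\n")
    return root


if __name__ == "__main__":
    if os.path.isdir(SYS_CPU):
        print(dvfs_report())                      # the live host
    print(dvfs_report(make_sample_tree(turbo_on=False, pinned=True)))
```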

I would encourage anyone who is interested in the topic, or works in cryptography to review the full paper found here, additionally I will be listing sources I read through to understand (what I am able to) about this vulnerability at the bottom of this page.

Lastly, a reminder about a rule of encryption. If an attacker can read the private key or the plaintext then the encryption technique, its technology and processing power are completely useless.

List of websites to look at regarding this topic (As well as the full paper linked above):

https://access.redhat.com/solutions/6963308
https://www.hertzbleed.com/
https://github.com/FPSG-UIUC/hertzbleed
https://semiengineering.com/knowledge_centers/low-power/techniques/dynamic-voltage-and-frequency-scaling/
https://www.cryptomathic.com/news-events/blog/exploring-the-lifecycle-of-a-cryptographic-key-

TryHackMe h4cked – A Guide.

This is an easy room on TryHackMe, consisting of an analysis of a simple attack and using the attackers’ own methods to break back into the machine.

You won’t find any flags here, or in any of my posts. If you already know what to do and are using this for easy answers, then you need to find more difficult boxes.

For those who are stuck and need help, I hope this is about the right mixture of pointing you in the right direction while holding back enough to make you do the work. Remember that Google is indeed your friend, but while there are easy answers out there… you aren’t learning much from them.

We begin with a .pcap file. This is a packet capture file, commonly captured with a tool such as Wireshark or Tshark.

Syntax to capture this traffic in tshark would be as follows:

sudo tshark -i eth0 -w /filename.pcap -F pcap

This runs tshark as root (sudo), capturing on interface eth0. We are then writing the capture to a file called filename.pcap and finally setting the file type to pcap.

However, we have been given a file from a previous capture, so let’s download that and open it with Wireshark (Graphical alternative to tshark).

So going into this blindly, take a scroll down the file and try to see what you can spot in the first 200 lines or so. While scrolling we can see a service being used by line 50, scrolling further you can see a wordlist attack being carried out against that service.

In those first 200 lines of the packet capture and a simple google search you can find the answers to the first three questions on TryHackMe.

Now… depending how much work you like creating for yourself, you can filter Wireshark in multiple different ways. I’m going to be going with the display filter:

tcp.port == 21 || tcp.port == 20

This gives you a view of not only the FTP and FTP-DATA traffic, but also the TCP communications to those port numbers that established the connections. Transmission Control Protocol sits one layer below FTP in the TCP/IP model (transport rather than application) and gives us slightly more information about the connection being made. Luckily for us, we don’t need to do much digging on the connection, only on the application-layer service, File Transfer Protocol.

To further filter these results we can instead use the display filter:

ftp || ftp-data

This removes the TCP traffic and leaves us only with the communications of the FTP server and client.

So, now we can answer questions 4-7 from the information in those FTP and FTP-DATA packets.

Now, this is where this information stops being useful: we have identified the user account and the password the attacker has used to gain access. But the attacker has uploaded a backdoor…

There are a few ways of going about this. You can go through the .pcap and look for interesting traffic, if you look closely. Immediately after the attacker does an HTTP GET on shell.php, we have a whole bunch of traffic between the attacker’s port 53734 and our port 80 (HTTP). Some of this traffic is particularly large and contains PSH,ACK packets. Not all of this is cause for concern, but let’s have a further look by following the TCP stream of this traffic.

Due to the way this type of shell works, we can see the commands run by the attacker and the output from the server, use the information gathered from the TCP stream to answer questions 7-12.
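The same triage that the display filters above do by hand can be scripted, which is handy when you have many captures to check. This is an added example, not part of the room or the original post: a minimal pcap reader using only the standard library, which counts FTP 530 failures per client (the wordlist attack), records the 230 success, and lists STOR uploads. The embedded capture is constructed here with documentation-range addresses and a made-up username; it is not the room’s pcap.

```python
import struct
from collections import Counter


def _ipv4(raw):
    return ".".join(str(b) for b in raw)


def tcp_segments(pcap_bytes):
    """Yield (src_ip, sport, dst_ip, dport, payload) for every TCP segment with data
    in a classic pcap file using Ethernet/IPv4 framing (no pcapng, no VLAN tags)."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue                           # not TCP
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        payload = ip[ihl + doff:total_len]
        if payload:
            yield _ipv4(ip[12:16]), sport, _ipv4(ip[16:20]), dport, payload


def ftp_summary(pcap_bytes, threshold=5):
    """Walk the control channel the way the 'ftp || ftp-data' filter shows it:
    count 530 failures per client, record 230 successes, and list STOR uploads."""
    failures, last_user, successes, uploads = Counter(), {}, [], []
    for src, sport, dst, dport, data in tcp_segments(pcap_bytes):
        line = data.decode("ascii", "replace").strip()
        if dport == 21:                        # client -> server command
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                last_user[src] = arg
            elif verb.upper() == "STOR":
                uploads.append((src, arg))
        elif sport == 21:                      # server -> client reply
            if line.startswith("530"):
                failures[dst] += 1
            elif line.startswith("230"):
                successes.append((dst, last_user.get(dst, "?")))
    return {
        "brute_force": sorted(ip for ip, n in failures.items() if n >= threshold),
        "failed_logins": dict(failures),
        "successful_logins": successes,
        "uploads": uploads,
    }


# --- constructed test capture (not the room's pcap) ---------------------------
def _frame(src, sport, dst, dport, payload):
    """One Ethernet/IPv4/TCP frame carrying `payload`, flags PSH,ACK (0x18)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap frames in a little-endian pcap container (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out


def sample_capture():
    """Six wrong passwords, one success, then a PHP upload (all constructed data)."""
    atk, srv = "192.0.2.10", "198.51.100.5"
    frames = []
    for i in range(6):
        frames += [_frame(atk, 40000 + i, srv, 21, b"USER ftpuser\r\n"),
                   _frame(atk, 40000 + i, srv, 21, b"PASS wrong%d\r\n" % i),
                   _frame(srv, 21, atk, 40000 + i, b"530 Login incorrect.\r\n")]
    frames += [_frame(atk, 40006, srv, 21, b"USER ftpuser\r\n"),
               _frame(atk, 40006, srv, 21, b"PASS correct-horse\r\n"),
               _frame(srv, 21, atk, 40006, b"230 Login successful.\r\n"),
               _frame(atk, 40006, srv, 21, b"STOR shell.php\r\n")]
    return build_pcap(frames)


if __name__ == "__main__":
    print(ftp_summary(sample_capture()))
```

Pointing ftp_summary at the bytes of a real capture gives the same four answers the manual walk-through produces, provided the capture is plain Ethernet/IPv4 pcap.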

Finally, for question 13, if you need to, Google the GitHub project and it should tell you what it is.

I’m going to leave out the second task, if you have followed the steps then you can use the same tools against the server to break back in.

But I will not leave you in the dark and give you the missing pieces of information… use the tool netcat (to spawn a listener, socat if you’re feeling fruity). To upload the file there are a few methods that can be used, depending on the target system and preference. The ways this takes place are plentiful, but you can use FTP commands to place the file on the target system in this scenario. To gain root, it’s much simpler than you may think, ensure you read the TCP stream thoroughly… the rest you need is all there in the information we gathered about the attacker’s actions.

1 Year! – Learning together.

Hello World!

It’s been over a month since my last post, it’s been busy. A constant desire to learn new things is something that can be hard to manage. Without a main goal it can be hard to choose the path you want to take, and this industry is truly endless.

Off the back of CYBERUK, I will be working on the guide to identifying phishing/social engineering tactics. According to the most recent Crime Survey for England and Wales, fraud makes up almost 40% of crime reported. Whilst the past two years have indeed seen a decrease in conventional crime and a rise in cyber-crime, things like burglaries will rise again as we move out of the pandemic… It is not expected that the number of cyber-crimes will see a decline any time soon.

I’ve hit a wall recently… having not done any maths since high school. I’m having to teach myself graph theory, calculus and improve my understanding of things like algebra. My goal? I want to understand the mathematics of signals and systems. The posts might trickle in here, but I have not forgotten about it.

Finally, a section for write-ups of things like TryHackMe and HackTheBox will be coming soon. There are loads on the internet for TryHackMe that hand out answers with no explanation of why… Something that benefits neither reader nor writer. HackTheBox is something I need to use to challenge my skills, and I plan to document all the things I learn. I particularly want to develop these communication skills, teaching non-technical people technical things. Something I struggle with very much given my neurodiversity.

Thank you everyone for reading what I have to say over this first year, it’s been a tough one for me. This has been a huge outlet for me to speak about what I enjoy, helping me get through some difficult times. I really appreciate you all, even if my posts only get high double digits… It puts a smile on my face.

MITRE ATT&CKcon 3.0

Hello World!

A very brief post: over the last couple of days I attended ATT&CKcon 3.0. It was full of brilliant talks and interesting people. One talk came from educators in the social sciences sector and their students, from high school to postgrads, demonstrating a social engineering attack and mapping it to the matrix. That was one I couldn’t take my eyes off.

There were 24 talks. Something in there for everyone… Red teamers, blue teamers, threat intel or someone who enjoys cyber-security. Some good open-source tool drops to the community which everyone is thankful for. The people at Recorded Future dropped this awesome tool to identify controls for TTPs: https://controlcompass.github.io/resources. There was also the release of SnapAttack community edition. Lots more I can’t list such as a honeypot container, that talk was interesting but a little too much for me to take in all at once. Can’t wait to re-watch some of the talks and view the slides again.

I’m excited for what’s to come with the platform. There is lots of work going on over at MITRE in improving the matrix, expanding that common language between all areas and all teams.

It was good to see at least two Brits involved in giving talks. Travelling across the pond to give a 15–20-minute talk shows serious dedication… and I look forward to seeing those same speakers on home soil soon, CYBERUK is just around the corner now.

I’ve updated this to add that they did manage to get swag out to some virtual participants. Lastly, I think the best quote from the conference for me was along the lines of “Is it IoT or is it just Linux?”.

I’m going to be taking a brief break from writing a new piece. I spent some time last night trying to look into the Spring Framework RCE, which has since been assigned the CVE number CVE-2022-22965. A tool created by hillu on GitHub will allow for local vulnerability scanning for this issue.

Backup codes!

Hello World!

Building on my misconfiguration of security keys, I had to use a backup code for the first time ever today. I cannot stress enough the importance of these codes for your accounts that have multi-factor authentication. Write them down and keep them in a safe place, they could really save your skin.

Especially when we think that people could have their phones stolen, having those backup codes gives you peace of mind that no matter what, you have a way of getting back into your accounts. I just wanted to mention this, as it’s my first experience of getting locked out of an account. Well… getting locked out and it being of my own doing.

I’m currently attending MITRE ATT&CKcon and enjoying the speakers very much, I might write about some stuff I have learned. However my priority right now is sticking to my plan for the content here on my site and meeting deadlines, so I’m really not keen to add much stuff to my to-do list right now.

That wasn’t supposed to happen…

Hello World! I’ve successfully broken a YubiKey and locked myself out of my accounts. It’s not completely broken, it just needs to be reset, but what a pain in the backside.

This is why I have my backup key, meaning this is nothing but an inconvenience to me. I was trying to set up my YubiKey with KeePass so I’d be able to demonstrate it, but didn’t pay enough attention to what I was doing. Oopsie. There is documentation for setting it up as a master key, but I don’t know how viable it is. In the meantime, I disabled the NFC on the key as I don’t currently use it. Well, this won’t be a major issue… I can take all the things I’ve learnt over the last few months from using my key and have an even better configuration this time. Maybe even upgrade my keys.

However, I do want to do two things for people here on AACyber: demonstrate YubiKeys (and properly discuss multi-factor authentication), and use keepass2john and hashcat to attack a (poorly configured) KeePass database.

Lastly, it’s only right I disclose https://ubuntu.com/security/CVE-2022-0725. This is a recent vulnerability found within KeePass; however, it only affects Linux systems. If I can reproduce it on one of my machines then I’ll write about it, but I don’t think I will have much luck. So that’s what is coming. I feel this format is much more engaging for the audience, as we aren’t just discussing some app stealing passwords or a Google Chrome patch, but much more exciting things that we’re all capable of doing.

We also have more to elaborate on KeePass and its abilities, but one step at a time… I’m also looking at getting additional biometric security keys from Feitian for personal use, however I will only talk about YubiKeys as they are the easiest and most accessible security keys currently in the market.

This post caused me some issues for some reason but it should be fixed now.

KeePass and the argument for password managers.

[Update 11th May 2022: I am going to be making changes soon to improve readability of this post, I understand it’s a little more complex than what I am aiming for.]

Passwords: So, let’s start off with the most important question, what makes a good password?

  • Passwords should be at least 14 characters in length.
  • Passwords should be unique, a different password for every account.
  • Passwords shouldn’t contain personal information, such as your birth year or even things like your old street name.
  • Passwords should be a mixture of characters; letters, numbers and symbols, as well as case differences.
  • Passwords should be kept secret, even from those you love and trust… You don’t know how seriously they take security.

Now I wanted to look at the UK NCSC’s guide and their three random word guidance. They recommend using, well… Three random words, claiming that this is more secure than “complex passwords, which can be difficult to remember and yet guessable for criminals.” (www.ncsc.gov.uk, n.d.)

NCSC Technical Director Dr Ian Levy said: “Traditional password advice telling us to remember multiple complex passwords is simply daft.” (www.ncsc.gov.uk, n.d.)

I’m going to be upfront; I disagree… Let me tell you why.

Since about 2014 I have been using a program called KeePass. This program has withstood the external penetration tests I have been aware of, with the testers being unable to breach the software. This was my father’s implementation for his organization; it wasn’t adopted by all users. However, the admins had been using it, successfully keeping attackers away from important passwords.

Before I show you KeePass, I will look at the positives of the NCSC’s method. The first one that springs to mind is simplicity: not every user is confident installing software on their computer, and coming up with three random words is certainly much simpler and easier to understand than a long list of password requirements. Secondly, compared to a password manager there is no risk of “losing” many passwords in one go. Things can sometimes break, or you may lose access to the media device that held your password database or key file; this isn’t a problem with the 3RW method. Finally, password managers can be quite tedious… Sometimes you may find yourself frustrated at having to go in and out of a password manager multiple times across a short time span. Not just that, but the act of having your database on X media and your key file on Y media is intimidating to some.

Here’s the KeePass prompt you see when you have created a database, which is a simple process that you will be taken through the first time. When you do create your database, you’ll be given the option to create a key file or link your database to your Windows user account. (I believe this must be a local account, so you may need to switch account type on Windows.) I strongly suggest using one of these; this is your multi-factor authentication aspect of KeePass.

  • Something you know, your password.
  • Something you have, your key file or Windows user account.

We will go over MFA next and explain this in a little more detail, but for now my recommendation for a basic setup of KeePass is to just keep your database on a USB (You will need the “portable” version for this.) and the key file on your personal computer. Best practice would involve making a backup/copy of both the database and key file, this isn’t required but recommended. A common issue with this is that you’ll constantly be adding new entries to your manager, so will need to make sure you update both databases. Always save your main database, but periodically make saves to your backup maybe once a fortnight.

Here’s a KeePass database, fun fact about me: I like to name my servers after planets and workstations after satellites. (Mainly moons but inclusive of other satellites.)

We will go over creating entries and password generation in a moment, but let’s say I wanted to log into the root account on Ganymede now. For the sake of my point, I’m going to ignore potential issues with copying passwords onto VMs; a note for the geeks is to configure SSH (or RDP for Windows machines) and port forwarding so you can access machines from a terminal line or software like PuTTY. I would simply right click on my Ganymede entry, click copy password, and my password will be copied to my clipboard for 15 seconds to paste into my terminal line. You would likely use it for something like your Amazon account or PayPal account. The same applies for your username; the URL field is for putting the address of the website (or IP of the server) and notes for… well, notes.

So how do we use KeePass to create passwords? Start by right clicking anywhere in the folder you wish to create an “entry”, then simply click add entry.

You’ll see the window on the left, click the little key next to the password box and you will be presented with a drop-down selection, click on open password generator and you will get the second window on the right pop up. This is your password generator; it lets you determine how you want your passwords to be created. This is a good place to apply those password rules, plus this will keep them all together and mean you no longer need to remember any password other than your database master key. However, do make sure you save after any edits and don’t lock yourself out of your accounts. Here would be a good place to implement a random word password, but opting for five words over three as the reward for getting into a password database is worth much more of a wait to an attacker.

Lastly here before we move towards our conclusions, let’s look at how many combinations there are if we take the 171,476 words in the dictionary and have users choose 3.

This gives us an output of 8.403325462709 × 10^14 (840 trillion) possibilities. Now, I’m going to save us both the maths on this next one, but add numbers to letters and you have a different story: the number increases even more, and then even more when you start randomising where capital letters may be.

I’m going to say that a little bit of open-source intelligence is likely to eventually narrow down a person’s three-word password. If we’re talking about how many words the average person has in their vocabulary, the estimates work out to about 20,000, and that’s a significant drop from our original pool of over 170,000. We are human, and one of our inherent weaknesses is sticking to what we know… Users are still going to be using words that mean things to them, or set passwords like MarchTwentyTwo. Without adequately addressing these psychological factors of security, the three-word method will suffer from similar issues as we have had in the past.
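A worked version of the keyspace arithmetic above, as an added example that is not part of the original post. It reproduces the post’s 840-trillion figure (which counts unordered sets of three words), then adds the ordered count a passphrase really has, the 20,000-word vocabulary case, the five-word case suggested for the master key, and a 14-character random password for comparison; the guesses-per-second rate is a hypothetical parameter, not a measured cracking speed.

```python
import math

DICTIONARY_WORDS = 171_476          # the dictionary size used in the post
TYPICAL_VOCABULARY = 20_000         # the post's estimate of an average person's vocabulary
MIXED_CHARSET = 26 + 26 + 10 + 32   # upper, lower, digits, printable ASCII symbols


def word_keyspace(vocab, words, ordered=False):
    """Passphrases made of `words` distinct words drawn from `vocab` choices.
    ordered=False counts unordered sets, which reproduces the post's 8.4e14 figure;
    ordered=True counts each word order separately (words! times larger)."""
    sets = math.comb(vocab, words)
    return sets * math.factorial(words) if ordered else sets


def char_keyspace(alphabet_size, length):
    """Random character passwords: every position is chosen independently."""
    return alphabet_size ** length


def bits(keyspace):
    """Entropy in bits, the usual way to compare keyspaces of different shapes."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace, guesses_per_second):
    """Time to try every candidate at a given rate (the rate is a hypothetical input)."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


def compare(guesses_per_second=1e9):
    """The scenarios the post discusses, side by side: (keyspace, bits, years)."""
    scenarios = {
        "3 words, full dictionary, unordered": word_keyspace(DICTIONARY_WORDS, 3),
        "3 words, full dictionary, ordered": word_keyspace(DICTIONARY_WORDS, 3, True),
        "3 words, 20k vocabulary, ordered": word_keyspace(TYPICAL_VOCABULARY, 3, True),
        "5 words, full dictionary, ordered": word_keyspace(DICTIONARY_WORDS, 5, True),
        "14 random characters, 94-symbol set": char_keyspace(MIXED_CHARSET, 14),
    }
    return {name: (n, round(bits(n), 1), years_to_exhaust(n, guesses_per_second))
            for name, n in scenarios.items()}


if __name__ == "__main__":
    for name, (n, b, yrs) in compare().items():
        print(f"{name:38s} {n:.3e}  {b:5.1f} bits  {yrs:.2e} years at 1e9 guesses/s")
```

Note that five words from the full dictionary still land a few bits below 14 fully random characters, which is why the generator’s character mode is worth keeping for the master key if you can stand typing it.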

In conclusion, I have demonstrated a free open-source password manager that I believe is simple. Whilst it is not as simple as the NCSC’s method and has many more steps to go through, I believe the use case for password managers is not going to disappear. With so many accounts nowadays, users will struggle to remember their unique passwords for every online store or social media site. The NCSC themselves are aware of this weakness, which means that a way to securely store passwords is going to be required no matter what scheme you use to create them. The three-word method will also come with the same human-level vulnerabilities that only true randomization can mitigate. Why think of a password when the application you use to store them can think of one for you?

I have decided to push these out piece by piece, this was a chunky read and if you did read it all then I am honestly thankful… You are taking steps to a safer online presence. I will demonstrate some little offensive techniques soon which will be linked into this post to give readers a much more informative experience. Additionally, as we just lightly touched on in this post there is something called Open-Source Intelligence (OSINT). We certainly will investigate when we take a look at phishing, but I encourage you to just give it a google, it’s likely something you do all the time yourself.

Come back next time where we will delve into multi-factor authentication, what is 2FA, 3FA? How effective is MFA? How can I use MFA to protect my account?

Thank you for reading, Sec rity really isn’t possible without u, Stay safe!

http://www.ncsc.gov.uk. (n.d.). NCSC lifts lid on three random words password logic. [online] Available at: https://www.ncsc.gov.uk/news/ncsc-lifts-lid-on-three-random-words-password-logic.