Author: John Durret

  • Exploit residential router vulnerabilities with Routerpwn


    Routerpwn is a web application listing dozens of ready-to-run local and remote exploits, largely for home routers. It covers all major brands. To test whether your own router is vulnerable to one of the exploits, search for its make and model and click on the exploit name: a JavaScript window runs a test for the known vulnerability, either breaking into the network automatically or opening the default router IP, 192.168.1.1, and trying a default admin password or a privilege escalation.

    To learn more about an exploit, click on the plus sign next to the listed bug and you will be taken to a security list such as SecurityFocus or Seclist showing full details of the exploit and the date it was first discovered.

    The site also links to lists of default router administrator usernames and passwords. Another tool identifies an access point's vendor from the MAC address of the device, a hexadecimal number that can be found with a simple network scan.

    Routerpwn javascript router exploit

    It is not necessary to be connected to the Internet to use Routerpwn: the site can be saved for offline use, and the JavaScript exploits against local routers will work regardless of Internet access.

    Exploiting a router does not necessarily mean getting into the network by finding out a WPA key. Some of the exploits in Routerpwn launch a denial of service attack against a router by pinging it non-stop, bringing down the whole network. Others show your router configuration; some vendors store password reset keys in plain text inside configuration files, which a cross site scripting attack can expose.

    There was an Android application for Routerpwn in Google Play but that link has now been removed; however, the website can be accessed from any mobile device or game console with an Internet browser. Everything has been optimized for access on the go by coding it entirely in HTML and JavaScript.

    New exploits can be submitted to the site, and if you would like to find out your own router's vendor, the URL http://www.routerpwn.com/detect.html will show you the brand; if it can't identify it, a form invites you to submit the information.

    Routers are seldom upgraded or flashed by home users, so even an exploit that is a few years old will still work against many devices. Routerpwn is a very powerful tool for penetration testers covering a very important, often overlooked security item that antivirus software does not screen.

    Visit Routerpwn homepage

  • How to stop the NSA from tracking your mobile phone calls


    The latest documents leaked by Edward Snowden, called “Spain last 30 days”, show that in a single month the NSA illegally spied on 60 million phone calls in Spain. Further details reported by the press mention that although calls were not recorded, the location, dialled number, call duration and mobile phone serial numbers were all looked at by the NSA.

    From that one can infer that if the NSA was looking at mobile phone serial numbers, it must have a way to link those numbers to people.

    Mobile phone serial vs IMEI number

    There are two kinds of mobile phone serial numbers: the IMEI (International Mobile Station Equipment Identity) and the IMSI (International Mobile Subscriber Identity).

    Mobile phone serial number and IMEI

    IMEI numbers are embedded in the device; the IMEI will be displayed if you type *#06# on your dialpad and consists of 15 or 16 digits. The software version variant, called IMEISV, contains 16 digits.

    The first 8 digits of an IMEI identify the model and the phone's origin; the remaining digits are defined by the manufacturer and can be anything it wants.

    IMSI numbers contain 15 or fewer digits and are embedded in the SIM card. The number is constantly sent by your mobile phone to the network provider, enabling mobile phone companies to trace the phone using a technique known as triangulation. Tracing works even if you don't have GPS in your phone, since triangulation relies on mobile phone network towers to locate you.

    The first 3 IMSI digits contain the country code, followed by the mobile network code, and the remaining numbers show subscription details.

    For example, if you go abroad the IMSI number is used by the network to connect you to the foreign company that has a roaming agreement with your home network provider.

    Both IMEI and IMSI numbers are transmitted to mobile phone companies. There are devices that can change a mobile phone's IMEI number, but in some countries, like the United Kingdom, this is illegal on the grounds that it hinders mobile phone theft investigations.
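    To make the identifier layout described above concrete, here is an added example (written for this page, not code from the original post) that splits an IMEI or IMEISV into its TAC and serial and an IMSI into country code, network code and subscriber part. The Luhn check digit that ends a 15-digit IMEI and the country-dependent 2- or 3-digit network code length are details the post does not mention, and the sample values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// IMEIFields: 8-digit TAC (model and origin), 6-digit manufacturer serial, then a Luhn check digit (IMEI) or 2-digit software version (IMEISV).
type IMEIFields struct{ TAC, Serial, Check, SVN string }

func allDigits(s string) bool {
	return s != "" && strings.Trim(s, "0123456789") == ""
}

// luhnValid: standard Luhn checksum, doubling every second digit from the right.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum, double = sum+d, !double
	}
	return sum%10 == 0
}

// ParseIMEI accepts a 15-digit IMEI (check digit verified) or a 16-digit IMEISV.
func ParseIMEI(s string) (IMEIFields, error) {
	switch {
	case len(s) == 15 && allDigits(s) && luhnValid(s):
		return IMEIFields{TAC: s[:8], Serial: s[8:14], Check: s[14:]}, nil
	case len(s) == 16 && allDigits(s):
		return IMEIFields{TAC: s[:8], Serial: s[8:14], SVN: s[14:]}, nil
	}
	return IMEIFields{}, errors.New("not a valid IMEI or IMEISV")
}

// ParseIMSI splits an IMSI into MCC, MNC and subscriber part; the MNC is 2 or 3 digits depending on the country, hence mncLen.
func ParseIMSI(s string, mncLen int) (mcc, mnc, msin string, err error) {
	if (mncLen != 2 && mncLen != 3) || !allDigits(s) || len(s) <= 3+mncLen || len(s) > 15 {
		return "", "", "", errors.New("invalid IMSI or MNC length")
	}
	return s[:3], s[3 : 3+mncLen], s[3+mncLen:], nil
}

func main() {
	// Constructed sample values, not taken from any real device or SIM.
	fmt.Println(ParseIMEI("490154203237518"))
	fmt.Println(ParseIMSI("310150123456789", 3))
}
```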

    Stopping NSA metadata collection

    With leaked documents showing that metadata is the main element the NSA grid uses to flag calls, using a calling card should stop them from seeing the final numbers you are dialling, and buying calling cards from a non-USA company should add privacy.

    It is probably rational to assume that the NSA knows about the calling card problem, and receiving and making lots of calls with them from the same phone could raise a red flag in the system and mark you for further attention. Combining calling cards with different phone lines would then be a good idea if possible.

    Another way that might fool NSA metadata collectors is to use a virtual phone number service like FlyNumber, where two people in Africa could communicate with each other using USA local phone numbers that are then forwarded to the phone of their choice or to VoIP. Make sure it is not Skype: past documents showed that Skype is linked to the NSA PRISM global spying program.

    As for stopping location tracking, opening your phone and taking out the SIM card and battery is the only secure way to do that. If this is too inconvenient, then stick to VoIP calls tunnelled through a VPN.

  • How mobile phone accelerometers are used for keylogging


    Massachusetts and Georgia Institute of Technology researchers have developed a method to log computer keystrokes by placing a smartphone next to a computer keyboard and measuring its sound and vibration using the smartphone's accelerometer. The researchers used an iPhone 4 for this and noted that the sensors in older models are not good enough to pick up remote vibrations.

    Mobile device accelerometers are used to re-orient your screen, using a differential capacitor to measure changes in gravitational pull. The researchers used it to listen in to typing sounds and translate them into text by estimating the volume and force produced during keystrokes.

    Mobile phone accelerometer

    The phone was engineered to interpret what dictionary words sounded like and translate them into text. Accuracy was close to 80%, and it only went down after an extensive number of dictionary words were added. Since an attacker may know what kind of information they are after, a customised dictionary with likely terms can be built to increase accuracy.

    For this attack to work, the smartphone has to be placed on the same table as the keyboard, and there must be no ambient vibrations, such as a printer or scanner working in the background.

    The only mitigation strategy proposed by the researchers against this type of attack is to prevent anybody from placing a mobile phone next to your keyboard, not even your own, since it could have been infected with this kind of malware to spy on you.

    There has also been previous research showing how a smartphone microphone can be used to pick up typing patterns. With this in mind, it is important never to forget that smartphones have the necessary equipment to spy on you, which is why many government departments do not allow them into the office.

    The research is a proof of concept; do not be surprised if you see NSA spooks showing interest in it and taking it a step further in the future as smartphone sensors improve even more.

    Smartphone Keylogging Research Paper

  • List of non USA cloud storage services with client side encryption


    To truly secure your data in the cloud it is necessary to encrypt it before it leaves your computer and not to trust others to do this for you. You can encrypt files yourself with something like TrueCrypt, DiskCryptor or 7-Zip, but it requires time and extra work.

    This list contains cloud storage services that apply encryption before uploading data to their servers and give you full control of the decryption keys, making it impossible for the company to decrypt anything.

    TeamDrive: Company based in Germany. Data is encrypted on the computer with 256-bit AES using your own encryption key, which the company has no access to. You can decide whether to store your files on Amazon EC2 servers in the USA, Ireland or Hong Kong; account data is only held on German servers.

    Mega: Based in New Zealand. All data is encrypted with 128-bit AES before uploading it to the cloud, and a 2048-bit RSA key is used to share already-encrypted files between users. Their FAQ is very complete, explaining the security measures they use and what possible vulnerabilities exist against their business model.

    Mega cloud encryption file sharing

    Powerfolder: German company. It can be used to store and share files in the cloud; they have no servers in the USA and everything is encrypted client side with the AES algorithm. You can password-protect folders before sharing them with others.

    TresorIt: Hungarian company. They use 256-bit AES to encrypt data before uploading it to the cloud. The company offered US$10,000 to whoever can break their security software. Data can be accessed on your smartphone or desktop computer. There are free and paid-for plans.

    TresorIt encrypted cloud storage

    Unseen.is: A full communications suite with encrypted cloud storage on top of email and instant messaging. With headquarters and servers in Iceland, encryption is end to end; the company does not have the key and cannot read any messages. Unseen.is is transparent about its encryption set-up and privacy policy. Bear in mind that online storage is limited: the service has been designed to back up only your most important files, not a whole computer.

    Notice: Even if a company is not based in the USA, it might be using American servers for storage unless otherwise specified.

  • List of USA cloud storage services with client side encryption


    Even with local encryption, it is not impossible for a government to subpoena a tech company and force it to introduce a backdoor in its software. A few of the US companies below allow you to download the source code of the security software, which makes it much harder for a government to tamper with it unnoticed.

    Another way to strengthen your security is to use third-party cloud encryption programs like Viivo or BoxCryptor; they come with an easy to use interface that makes cloud encryption effortless. These programs can be used in conjunction with the cloud service's own encryption, adding a second encryption layer that would have to be broken.

    If you use Linux, EncFS can create an encrypted version of your files inside a folder before syncing it online.

    iDrive: Data is secured with 256-bit AES encryption before it is moved to the cloud. The encryption key is provided by you and not stored anywhere on iDrive's servers, or you can opt for their system-based encryption scheme, where the company holds the key.

    JungleDisk: Used to back up your computer files to the Rackspace Cloud Files service or Amazon S3. During installation you can create your own 256-bit AES encryption key that nobody else will know, with data being encrypted before it leaves your computer.

    JungleDisk cloud encryption Android client

    Cubby: Client side encryption with 256-bit AES. Any content added inside the Cubby software is automatically encrypted before syncing it with the cloud, and there is an option to sync data between your computers and avoid the cloud altogether.

    Elephant Drive: You are given the choice of using the company's encryption keys or creating your own. If you create your own keys, Elephant Drive only stores a hash of them to compare against the password you enter when you ask for access. The company will not be able to access your data even if forced to at gunpoint.

    SpiderOak: It can be used to share and back up files. Data is encrypted on your computer with 256-bit AES in CFB mode and HMAC-SHA256; the company has no knowledge of what data is stored on its servers or what your password is. SpiderOak software works on smartphones and Linux as well as Windows.

    Bitcasa: They implement convergent encryption to remove duplicate files stored on their servers, a way to save space by not backing up duplicate files that already exist in another user's account. With this system the company does not have to decrypt or see the data, which is kept ciphered with 256-bit AES.
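    As an added illustration of the convergent encryption described for Bitcasa (example code written for this page, not Bitcasa's own software), the following Go program derives each file's AES-256 key from a hash of the file itself, so identical files from different users produce identical ciphertext that the provider can deduplicate without ever holding a key. The GCM mode, the key-derived nonce and the sample file are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// gcmFor builds AES-256-GCM under key with a nonce derived from the key; a fixed
// nonce is acceptable only because each key encrypts exactly one plaintext.
func gcmFor(key []byte) (cipher.AEAD, []byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	n := sha256.Sum256(append([]byte("nonce:"), key...))
	return gcm, n[:gcm.NonceSize()], nil
}

// ConvergentEncrypt derives the AES-256 key from the file contents, so users
// holding the same file get the same key and ciphertext without any exchange.
func ConvergentEncrypt(plain []byte) (key, ct []byte, err error) {
	k := sha256.Sum256(plain)
	gcm, nonce, err := gcmFor(k[:])
	if err != nil {
		return nil, nil, err
	}
	return k[:], gcm.Seal(nil, nonce, plain, nil), nil
}

// ConvergentDecrypt recovers the file for a client that kept the key.
func ConvergentDecrypt(key, ct []byte) ([]byte, error) {
	gcm, nonce, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// StorageID is all the provider deduplicates on: a hash of the ciphertext.
func StorageID(ct []byte) string {
	h := sha256.Sum256(ct)
	return hex.EncodeToString(h[:])
}

func main() {
	// Constructed sample upload; a second user's identical file yields the same ID.
	_, ct, _ := ConvergentEncrypt([]byte("quarterly report v3"))
	fmt.Println(StorageID(ct))
}
```

    The trade-off to keep in mind: anyone who already holds a copy of a file can derive the same key and storage ID, so the scheme hides contents the provider cannot guess but not whether a particular well-known file is stored.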

    Bitcasa cloud encryption software

    Tarsnap: Targeted at the open source community, Tarsnap works on Linux, BSD, Solaris and other Unix-based operating systems. The command line interface or shell scripts encrypt and sign your data before uploading it, and the source code is available for download.

    Do not fall for Dropbox or Google Cloud Storage security marketing ploys. Those companies only encrypt data server side, which does not protect you against a subpoena forcing the company to hand over the encryption keys.

    The only way to be safe from the NSA accessing your data stored in the cloud is if the cloud company never had access to the encryption key. In that case, the NSA could only try a brute force attack against hashed passwords, and it would not get far if you have assembled a very long encryption passphrase.

  • Islamic terrorists release Mobile Encryption Program for Android phones


    The Global Islamic Media Front, a jihadist propaganda arm for Al-Qaeda, Somalia's al-Shabaab and the Pakistani Taliban, has released an encryption program for Android and Symbian smartphones.

    Originally named “Mobile Encryption Program”, it is being advertised as able to send encrypted SMS messages and files, as a way for “fighters in the frontline” to communicate securely among themselves. The program uses the Twofish algorithm in CBC (Cipher Block Chaining) mode and is based on public key encryption; digital fingerprints can be displayed to make sure that encryption keys have not been tampered with. Encrypted messages of up to 400 characters can be exchanged in Arabic and English, and one of the settings lets you enter SMTP and POP3 hostnames with port numbers to send encrypted files via SSL email; it will work with any SMTP email provider.

    Ballkan Islamik Media Front video

    Various terrorist groups, like Al-Qaeda in Yemen, encourage their supporters to communicate with them using encryption programs produced by their propaganda arm.

    Global Islamic Media Front programmers have avoided the AES algorithm, a US government standard, but it is highly unlikely that a couple of guys in a bedroom can defeat the best mathematicians the NSA can hire with billions of dollars of budget available to crack it. With all the open source encryption programs available this is totally uncalled for; they could easily have saved themselves the effort, unless of course the CIA wanted them to release this tool.

    As soon as you spot that the Islamic Emirate of Afghanistan's financial department is using a Gmail address and that most terrorist-related files are hosted on American servers, you can tell that everything is under control. However, the GIMF is highly skilled at creating impressive videos with beautiful background music and footage to recruit new members.

    The Global Islamic Media Front's official download site is down at the moment, but you can read the announcement on the usual NSA-monitored jihadist forums, like Ansar1, Ballkan-Islamic or Shumukh al-Islam.

    Ansar1 announcement of Mobile Encryption Program (Jihadist forum gone)

  • How Egyptian police quickly cracked journalist’s computer password


    According to Mike Giglio, a Newsweek correspondent, Egyptian police got hold of his laptop during his coverage of the latest Egyptian protests in Tahrir Square against the ousting of Mohammed Morsi and cracked his password-protected computer on the street to check what was inside, in just a few seconds and at very little cost in terms of software and training.

    See below a screenshot from Mike Giglio's Twitter account explaining the Egyptian police's quick password cracking method:

    Mike Giglio password cracking Egypt