Late last year, a neat little device called PoisonTap surfaced. With it, anyone can easily steal passwords, credit card numbers and other sensitive data from any computer – even when it’s locked. But hot on the heels of PoisonTap came its antidote: Beamgun.
PoisonTap takes advantage of Windows’ and OS X’s inherent trust in devices connecting to USB and Thunderbolt ports. A lot of different devices can be connected to these ports. Keyboards, mice, printers, scanners, storage devices, and network cards. Just to name a few. Both Windows and OS X will happily activate whatever device is connected without asking the user if it’s OK. Even if the computer is locked. Because if someone has physical access to the computer, they always have good intentions. Right? Wrong. It’s a terrible assumption to make, and one PoisonTap takes advantage of. A better assumption is that everyone who has access to a computer has malicious intentions.
When connected to a USB or Thunderbolt port, PoisonTap quickly registers itself as a network card, and effectively becomes a man-in-the-middle (MitM) on the computer. As a MitM, PoisonTap can intercept all inbound and outbound network traffic.
Continue reading "Defeating PoisonTap (and Other Dirty Tricks) with Beamgun."
A while back I wrote about the WiFi Pineapple, a wonderful little device that can be used to “audit” wireless networks. The device makes it surprisingly easy to act as Man in the Middle (MitM), a technique used by hackers to effectively steal all your passwords and credit card numbers. The cheapest version of the WiFi Pineapple, the Nano, costs just shy of $100. Not a lot of money, but it’s a bit too much for me to spend on a device that can’t be used for anything cool without breaking more laws than I can count. But now there’s a new toy available that does many of the same things as the WiFi Pineapple: PoisonTap.
Price tag? Around $5.
PoisonTap also plays the role of the MitM, but there’s a big difference. While the WiFi Pineapple hijacks wireless networks, PoisonTap needs physical access to the computer you wish to audit. Because of that, it’s easy to dismiss PoisonTap as pretty useless. It’s hard to get physical access to an unattended computer, isn’t it? No, it’s not. If you’re working in an office environment, simply take a look around you at lunch time. And if you have access to a conference center or a hotel, take a look inside. I bet you can find an unattended computer within minutes.
Another reason you might dismiss PoisonTap as worthless is the size of the delivery vehicle. The version of PoisonTap demoed by its creator, Samy Kamkar, runs on a Raspberry Pi Zero. While the Zero is small, it’s not exactly invisible, and not hard to spot. But the PoisonTap software doesn’t have to run on a Raspberry Pi; it’s possible to install it on even smaller computers. Both LANTurtle and USB Armory are viable options. Not too easy to spot one of those connected to the back of the workstation tucked under your desk, is it?
On top of that, PoisonTap doesn’t have to be connected for long. Just leave it plugged in for a minute or two, then pull it out, and walk away. The target computer is now infected, and a persistent backdoor has been installed.
Continue reading "PoisonTap – The $5 Tool That Steals All Your Stuff."
In 2011, I deleted my Facebook account. But now, through my selfish need to spread the good word, my old nemesis has sucked me back into its cold and clammy embrace.
Deleting a Facebook account can quickly prove to be social suicide. In my case, that wasn’t much of a problem. Contrary to what you might have heard in April, I’ve never had an outrageously active social life. The people I spent time with still answered their phones, and Anniken, who was on Facebook, was my other social lifeline. Even without Facebook, I’ve somehow miraculously managed to get on with my life, and function like a normal human being for the past five years.
A while ago, however, I decided to start dabbling in cryptocurrency. More precisely, I wanted to get a Steemit account. Steemit is a bit like Reddit, but its users don’t seem to be narcissistic trolls who want to see the world burn. Also, the content on Steemit is mostly user generated, whereas Reddit functions a lot more like a link machine. The most attractive feature of Steemit, however, is that users get paid for the content they create. If you write a popular article, you are awarded with STEEM, the platform’s cryptocurrency. STEEM can then be traded on one of the many cryptocurrency exchanges.
There was one huge issue with Steemit at the time, though: You had to have a Facebook account to register.
Continue reading "Facebook Sucked Me Back In!"
Ever since whistle-blower Edward Snowden exposed government security agencies around the world as lying bastards who spy on our every move on the internet, I’ve gradually taken steps to tear myself away from Big Internet. In my PRISM Break series of posts, I have – over the last two and a half years – ditched the closed source browser Opera in favor of Mozilla Firefox, replaced Google with DuckDuckGo as my default search engine, and moved all the content I had on public cloud storage services to a self-hosted ownCloud server.
But there is still one thing that ties me to the prying eyes of FVEY & Friends: E-mail. For a long time, I’ve been using Google’s Gmail to cover my (declining) e-mail needs. Why? Because it’s free, has tons of storage space, and is very reliable. But Google has to earn money somehow, right? Of course. They do this by having a look-see through your private e-mail correspondence:
Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.
The above paragraph is copied from Google’s current terms of service (archived version). Unlike government security agencies, Google is perfectly honest about what they are doing with your data. So if you’re OK with Google snooping, then Gmail is a great service. I’m not OK with that, and about eight months ago I started the hunt for an e-mail provider that takes security and privacy seriously.
Continue reading "The Final PRISM Break Push: Secure & Private E-Mail."
With my COMODO-signed SSL certificate about to expire, I took the plunge and configured all my domains with certificates from Let’s Encrypt. I’ve tested it for a while on vbox-host and it works well. The only downside is that it has to be renewed every third month, and that’s not an automated process. At least it’s not out of the box, but I’m sure it’s possible to set something up with a script and a Cron job – I’ve just not been down that avenue yet.
To be honest, I’m still a wee bit skeptical about a system where two parties rely on an implicitly trusted third party – in this case Let’s Encrypt – to communicate securely. As I pointed out in the post I wrote about Let’s Encrypt last year, you can’t be entirely sure that no one is playing around with the private root key, making their own certificates for your domains. With their own certificates for your domains, signed with the private root key from Let’s Encrypt, someone could perform a man-in-the-middle attack without anyone noticing.
But there is a technique slowly being adopted by modern browsers that can, if not make it impossible to perform a man-in-the-middle attack against a website, at least make it a lot harder: HTTP Public Key Pinning, or, as it’s more commonly known, certificate pinning.
Continue reading "HTTP Public Key Pinning & You."