Category Archives: InfoSec

Ad-blocking is essential for your privacy and security on the web.

Ad-blocking software has been in the news quite a bit recently because of its increasing popularity.

Guillermo Beltrà spends a lot of time surfing the web.

Yet like many avid Internet users, Mr. Beltrà hates the annoying pop-up advertisements that litter many websites. “It’s just very cumbersome,” he said.

So like a growing number of people, Mr. Beltrà, a Spaniard who works for a consumer protection organization in Brussels, decided to block them by downloading software for his desktop browser that removed any online advertising from his daily Internet activity.

While he acknowledged that advertising was often the primary source of income for many websites, Mr. Beltrà said he remained wary of how much data companies were collecting on his online activities. Mark Scott, New York Times, Blog

I have long advocated blocking advertising networks, because while many users merely find advertisements annoying, there is a far more sinister side to advertising that marketers would rather you didn’t know about.

Unknown to many users is the fact that many advertising networks embed spyware designed to track you across the Internet, from one website to the next. They do this by embedding a tracker (typically a third-party cookie or a tracking pixel) in the advertisement that your browser loads whenever you visit Website X, which uses Advertising Network Z. Your browser sends Z’s cookie back with every request it makes to Z, so when you later visit Website Y, which just happens to use Advertising Network Z as well, you are instantly identified as the person who visited Website X earlier.

But the thing that surprises most people is just how many trackers an otherwise innocent website may harbour. Let’s take a quick sample. I am using the browser extension Ghostery, which lists the trackers it detects in the purple box at the bottom right of each screenshot.

So CNN has 18 trackers and The Daily Telegraph has 26 trackers set up to betray their readers’ privacy, and these are only the trackers that Ghostery is able to detect.

Let’s check the last site again with both trackers and advertisements blocked:

Now we can see that AdBlock Plus has removed 23 of the 26 trackers and all the advertisements. Ghostery has detected and blocked the three remaining trackers.

These are just two websites that I chose to demonstrate the point, for no particular reason. There is nothing abnormal about the behaviour of these sites; it is now common practice for website operators to install malware (spyware) into their websites for commercial gain, because there is a lot of money to be made in violating your privacy.

It wasn’t always like this. Advertising didn’t use to involve malicious action towards the end user. Although advertisements have always been annoying, it is only over the past decade that they have become a specific threat that users need to block by default.

Fortunately there is a way to block most of these trackers. I highly recommend everybody install AdBlock Plus and Ghostery into their browser. Both programs are free and both will block trackers. Ghostery in particular will give you an alarming insight into just how many trackers are being used to invade your privacy. I have been using both programs for years and would not consider browsing the Internet without either of them.
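One way to see what Ghostery is counting, as an added example that is not part of the original post: the script below parses a saved page and lists every host the browser would contact that is not the page’s own site. It uses only the standard library, looks at static script, img, iframe and link tags (trackers injected later by JavaScript are invisible to it), and approximates “same site” as the page’s hostname or a subdomain of it, where a real tool would consult the Public Suffix List. The sample page and its hostnames are constructed from reserved example domains, not captured from CNN or the Telegraph.

```python
"""Added example (not from the original post): list the third-party hosts a
page would contact when rendered, which is roughly what Ghostery counts.

Assumptions: only static <script>, <img>, <iframe> and <link> tags are
examined (trackers injected later by JavaScript are not seen); "same site" is
approximated as "same hostname or a subdomain of the page's hostname". Real
tools use the Public Suffix List for that decision.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a resource.
_RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class _ResourceCollector(HTMLParser):
    """Collect every resource URL the browser would request while parsing."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_name = _RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value:
                # Resolve relative and scheme-relative URLs like the browser would.
                self.urls.append(urljoin(self.page_url, value.strip()))


def _same_site(host, page_host):
    """Crude same-site test: identical host, or a subdomain of the page host."""
    host = host.lower()
    page_host = page_host.lower()
    if page_host.startswith("www."):
        page_host = page_host[4:]
    return host == page_host or host.endswith("." + page_host)


def third_party_hosts(html, page_url):
    """Return a Counter of third-party hostname -> number of resources fetched."""
    parser = _ResourceCollector(page_url)
    parser.feed(html)
    page_host = urlsplit(page_url).hostname or ""
    counts = Counter()
    for url in parser.urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # data: URLs and the like never reach a third party
        if not _same_site(parts.hostname, page_host):
            counts[parts.hostname.lower()] += 1
    return counts


# Constructed sample page; the hostnames are reserved example domains, not real trackers.
SAMPLE_PAGE_URL = "https://www.example.org/news/story.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.org/app.js"></script>
<script src="https://tracker.example.net/pixel.js"></script>
<script src="//ads.example.com/loader.js"></script>
</head><body>
<img src="https://tracker.example.net/i.gif?uid=123">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src="https://ads.example.com/frame?slot=top"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for host, n in third_party_hosts(SAMPLE_HTML, SAMPLE_PAGE_URL).most_common():
        print(f"{n:3d}  {host}")
```

Run it against a page you have saved from your browser by reading that file into third_party_hosts(); the count it gives is a lower bound, for the same reason the post gives about Ghostery’s own numbers.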

Opposition to Password Managers is Opposition to Security.

These days password managers are becoming popular security tools for end users to manage their passwords. The most popular solutions available to consumers are LastPass, Dashlane, KeePass, 1Password and RoboForm. These applications enable their users to create unique, strong passwords for all their online accounts and store them in an encrypted database to keep them safe.

I personally have more than 3,200 credentials stored in multiple encrypted databases. The databases I manage include everything from electronic copies of my passports, access for this blog, DNS servers, email accounts, service providers, application credentials, domain registrars, encryption/decryption keys, private keys for X.509 certificates, remote access to alarm and CCTV systems, and more.

I have worked in IT since 2003, and even with only part-time contract work the number of credentials I have needed to store is phenomenal; if I didn’t clean out the database it could be significantly larger than it currently is.

Password managers have become an essential way of life for me. There simply is no alternative when you need to manage so many systems and services, and those credentials need to be kept secure. Of the 3,200+ credentials in storage, at least 200-300 are for personal use, such as Facebook, YouTube, eBay and anything else I’ve created an account for over 10+ years.

Password management software is perhaps our best hope for getting users out of the habit of picking weak passwords or reusing the same password on multiple services. So it is frustrating to discover that in 2015 some companies are deliberately preventing their users from using password managers.

As if educating users not to write passwords down or reuse them in multiple places were not already a challenge, the fact that British Gas has gone out of its way to prevent its customers from using a password manager to keep unique passwords safe really shows how out of touch with the modern world they are. Perhaps British Gas would prefer their users to resort to Post-it notes on the monitor?

Anti-vaxxers’ never-ending stalking and threats.

One of the drawbacks of combating anti-vaccination campaigners is the never-ending barrage of abuse and harassment that you are subjected to. Sometimes these attacks simply come in the form of verbal (actually typed) abuse over Twitter or Facebook, which is easy enough to ignore or block, but sometimes the harassment takes a more direct approach.

Back in 2012 Peter Bowditch and I were subjected to lawsuits designed to shut us up and intimidate anyone else who might criticise the Australian Vaccination Network, a hard-line anti-vaccination “charity”. The president of the AVN, Meryl Dorey, dragged the court proceedings out for close to a year. Such vexatious litigation is nothing short of harassment. Of course we did win our cases in the end, but it still occupied a huge amount of time.

More recently a person whom I presume is an AVN supporter has been regularly spamming and stalking this blog. Today they began issuing what, given the history of anti-vaxxer behaviour, I can only interpret as a threat.

Clearly this person, located in Perth, Western Australia, thinks they are anonymous. So far they have used the following IP addresses:

May 24 6:55 PM 106.68.217.66 106-68-217-66.dyn.iinet.net.au
May 23 8:07 PM 124.148.233.247 124-148-233-247.dyn.iinet.net.au
May 15 7:46 PM 124.148.64.228 124-148-64-228.dyn.iinet.net.au
May 14 2:24 PM 58.7.73.220 58-7-73-220.dyn.iinet.net.au
April 25 7:33 PM 124.148.230.218 124-148-230-218.dyn.iinet.net.au
April 25 3:13 PM 106.68.22.127 106-68-22-127.dyn.iinet.net.au
April 25 10:05 AM 58.7.132.151 58-7-132-151.dyn.iinet.net.au
April 23 10:47 AM 58.7.76.53 58-7-76-53.dyn.iinet.net.au

The following is known about their system.

They are using Firefox running on Ubuntu Linux and have a VNC server listening on port 5900. Ports 1863 and 5190 are also open; by IANA registration those are the MSN Messenger and AOL Instant Messenger ports respectively, although an open port on its own proves nothing about what is actually listening behind it. Their gateway is a Linksys WRV200 wireless broadband router, and their network may contain an HP 4200 PSA (Print Server Appliance), model J4117A.

If anyone else has issues with or information about this person, I can be contacted at Dan@danscomp.net. This isn’t a normal drive-by Internet spammer; this appears to be an individual with a score to settle, and I will identify them.

Update on Friday, May 29, 2015 at 8:20PM

It seems this person returned to my blog on the 28th at 07:26:03 PM only to read this post and shit their pants, because at 11:47:24 PM that very same day they came back, except this time they used the Tor network to try to mask their location.

Here’s some professional advice: “Tor will not save you!” If you think for one minute that you can come here to post threats and then hide behind an anonymous proxy, THINK AGAIN!
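The list of addresses above is exactly the kind of data worth checking before drawing conclusions. As an added example (not part of the original post), the script below confirms that each reverse-DNS name actually encodes the IP it was returned for, groups the distinct addresses by ISP, and labels visits that arrive from a Tor exit relay. The visit list is copied from the post; the Tor exit list is a constructed stand-in using documentation addresses, since the real list changes constantly and should be fetched fresh from the Tor Project when you run this.

```python
"""Added example (not from the original post): sanity-check the reverse-DNS
names of the visitor addresses listed in the post, group the visits by ISP,
and flag any visit that arrives from a Tor exit.

Assumptions: VISITS is copied from the list in the post; TOR_EXITS is a
constructed stand-in using documentation addresses (the real list is
published by the Tor Project and changes hourly, so fetch it fresh).
"""
import re
from collections import defaultdict

# (date, time, client IP, reverse DNS name) as listed in the post.
VISITS = [
    ("May 24", "6:55 PM", "106.68.217.66", "106-68-217-66.dyn.iinet.net.au"),
    ("May 23", "8:07 PM", "124.148.233.247", "124-148-233-247.dyn.iinet.net.au"),
    ("May 15", "7:46 PM", "124.148.64.228", "124-148-64-228.dyn.iinet.net.au"),
    ("May 14", "2:24 PM", "58.7.73.220", "58-7-73-220.dyn.iinet.net.au"),
    ("April 25", "7:33 PM", "124.148.230.218", "124-148-230-218.dyn.iinet.net.au"),
    ("April 25", "3:13 PM", "106.68.22.127", "106-68-22-127.dyn.iinet.net.au"),
    ("April 25", "10:05 AM", "58.7.132.151", "58-7-132-151.dyn.iinet.net.au"),
    ("April 23", "10:47 AM", "58.7.76.53", "58-7-76-53.dyn.iinet.net.au"),
]

# Constructed Tor exit list (documentation range); not real exit addresses.
TOR_EXITS = {"198.51.100.7", "198.51.100.42"}

# Many ISPs name dynamic-pool addresses by embedding the dashed octets.
_DYN_NAME = re.compile(
    r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.dyn\.(?P<isp>[a-z0-9.-]+)$")


def rdns_matches_ip(ip, rdns):
    """True when the octets embedded in the reverse name equal the address.
    A mismatch means the PTR record does not describe this IP and should
    not be trusted for attribution."""
    m = _DYN_NAME.match(rdns.lower())
    return bool(m) and ".".join(m.group(1, 2, 3, 4)) == ip


def isp_of(rdns):
    """Return the ISP domain from a dynamic-pool reverse name, or None."""
    m = _DYN_NAME.match(rdns.lower())
    return m.group("isp") if m else None


def group_by_isp(visits):
    """Map ISP domain -> sorted distinct IPs whose rDNS checks out; entries
    whose reverse name does not match their IP go under 'unverified'."""
    groups = defaultdict(set)
    for _, _, ip, rdns in visits:
        key = isp_of(rdns) if rdns_matches_ip(ip, rdns) else "unverified"
        groups[key].add(ip)
    return {isp: sorted(ips) for isp, ips in groups.items()}


def classify_visit(ip, tor_exits=TOR_EXITS):
    """Label a visit 'tor-exit' when its source is a known exit relay."""
    return "tor-exit" if ip in tor_exits else "direct"


if __name__ == "__main__":
    for isp, ips in group_by_isp(VISITS).items():
        print(f"{isp}: {len(ips)} distinct addresses")
    for _, _, ip, _ in VISITS:
        print(ip, classify_visit(ip))
```

All eight addresses pass the consistency check and fall under one ISP, which is what makes the dynamic-pool hopping look like one customer rather than eight; a visit whose source appears in a current exit list is the signal that the same person has switched to Tor.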

Anti-vaxxers co-ordinate Denial of Service Attack against Federal Government

If you’ve seen the news lately then you’ll know that the Abbott government has recently announced plans to strip anti-vaxxers of welfare payments for refusing to vaccinate their children.

Australian parents will lose thousands of dollars of childcare and welfare benefits if they refuse to vaccinate their kids.
The “no jab, no pay” plan, announced by the federal government today, has bipartisan support. Thousands of families could lose payments, with the government estimating about 39,000 children under seven have not received immunisation because their parents are vaccine objectors. But Social Service Minister Scott Morrison said it’s not fair for taxpayers to subsidise parents who choose not to immunise. The Australian

Australian welfare payments have conditions that must be met before you can claim a handout from the taxpayer. For example, the Disability Support Pension is only available to people who have a disability. Student welfare payments, called Austudy in Australia, can only be claimed by people undertaking a full-time study load who do not earn money through paid employment, while people claiming the Newstart job seekers’ allowance must be looking for work.


Other welfare payments, such as Family Tax Benefit Part A and the Child Care Benefit, also have requirements that must be met before a person is eligible to claim them. In this case the requirement is to immunise your children. However, there was an exemption that allowed parents to claim “conscientious objection” to vaccination and still receive the payments despite failing to meet the immunisation requirement; in effect, a loophole for parents who neglect to vaccinate their children.


For years anti-vaxxers have claimed “conscientious objection” to life-saving medicine in order to claim a welfare payment whose requirements they do not meet. This is welfare fraud, albeit a legal one. The government has now closed this loophole to prevent taxpayers’ money being spent on people who wish to endanger the community.

Unsurprisingly, the Australian Vaccination Network, an extremist anti-vaccination lobby group that is no stranger to committing criminal acts, is now encouraging members to take part in a “phone jam” in which they attempt to flood the phone lines of Social Services Minister Scott Morrison.

The idea was first posted on No Vaccines Australia with the stated intention of clogging up the phone lines.

However, attempting to “clog up the phone lines” is a crime in Australia, as it is in effect a denial of service attack:

477.3  Unauthorised impairment of electronic communication

(1)  A person is guilty of an offence if:

(a)  the person causes any unauthorised impairment of electronic communication to or from a computer; and

(b)  the person knows that the impairment is unauthorised; and

(c)  one or both of the following applies:

(i)  the electronic communication is sent to or from the computer by means of a carriage service;

(ii)  the electronic communication is sent to or from a Commonwealth computer.


Penalty:  10 years imprisonment.

-Criminal Code Act 1995, Part 10.7—Computer offences, Australia

For some reason anti-vaxxers, especially the Australian Vaccination Network, like to think they are above the law and free to engage in harassment and abuse as they see fit. So far the Australian Vaccination Network has tried the following (and rapidly growing) list of tactics.


This is only a small selection of the abhorrent, or at the very least questionable, behaviour that I have documented on this site over the past five years. There is a great deal more bad behaviour that I haven’t written about yet, mainly because I haven’t had the time to write an entire encyclopaedia.

#Anonymous script kiddie #opBlackout set for failure.

Anonymous, the so-called “hacker” group that is in reality just a script kiddie legion of idiots, has threatened to take the entire Internet offline this Saturday, the 31st of March. They expect to do this by launching a distributed denial of service attack against the Internet’s DNS root servers.

These root servers are an essential part of the Internet’s DNS system. Without DNS servers you (or rather your computer) cannot resolve domain names such as Google.com, Microsoft.com or even DanBuzzard.net to their corresponding IP Address, and without the Root Servers the system collapses.

The DNS system is a hierarchy, and at the top of the hierarchy is the “root”. Anonymous knows this and has evidently discovered that there are just 13 root server addresses responsible for the entire DNS system below them.

To protest SOPA, Wallstreet, our irresponsible leaders and the beloved 
bankers who are starving the world for their own selfish needs out of 
sheer sadistic fun, On March 31, anonymous will shut the Internet down.
———————————————————————–
In order to shut the Internet down, one thing is to be done. Down the
13 root DNS servers of the Internet.


….

By cutting these off the Internet, nobody will be able to perform a domain name lookup, thus, disabling the HTTP Internet, which is, after all, the most widely used function of the Web. Anybody entering “http://www.google.com” or ANY other url, will get an error page, thus, they will think the Internet is down, which is, close enough. Remember, this is a protest, we are not trying to ‘kill’ the Internet, we are only temporarily shutting it down where it hurts the most. Some Twat

However, the 13 root servers aren’t really just 13 servers. Thanks to IP anycast, each of the 13 addresses is announced from many locations at once, so there are hundreds if not thousands of physical servers behind them. The root servers are assigned the letters A through M, and I am informed by a very reliable source that the “I.root-servers.net” server, with the IP address 192.36.148.17, exists in no fewer than 25 different countries; and that’s just one of 13 clusters of servers. You can see the effect for yourself: most root operators answer a CHAOS-class TXT query for id.server (or hostname.bind) with the identity of whichever anycast instance served you, so running dig +short CH TXT id.server @i.root-servers.net from two different networks will typically name two different instances.

Another problem that Anonymous has is that DNS answers are cached. Every record carries a TTL, and a resolver keeps reusing an answer until it expires. For example, I set my DNS records to 86400 seconds (24 hours), which means that once your resolver has looked up www.DanBuzzard.net it won’t need to resolve the name again for up to 24 hours. More importantly, the answers a resolver actually fetches from the root, the NS records delegating each top-level domain such as .com or .net, are published with a TTL of 172800 seconds (48 hours), so a busy resolver asks the root about .net roughly once every two days regardless of my TTL. Not only would Anonymous need to achieve the impossible and knock down huge server clusters, they would need to keep them down for days before the world’s resolvers even noticed, because DNS caching is standard practice.
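To make the caching argument concrete, here is an added example (not from the original post) of a toy iterative resolver that caches every answer until its TTL expires. It assumes a constructed delegation chain for www.DanBuzzard.net with a made-up address (203.0.113.10), the 86400-second record TTL mentioned above, and the 172800-second TTL the root zone publishes for TLD delegations. It then ‘takes down’ the root and shows that resolution keeps working until the delegation TTL runs out.

```python
"""Added example (not from the original post): a toy iterative resolver with
a TTL-respecting cache, to show why taking the root servers offline for a
while does not stop names resolving.

Assumptions: the delegation chain and the 203.0.113.10 address are
constructed; 86400 s is the record TTL the post mentions and 172800 s is the
TTL the root zone publishes for TLD delegations. A real resolver also retries
other root addresses and anycast instances, which this toy ignores.
"""

RECORD_TTL = 86400        # TTL the author sets on his own records (24 h)
DELEGATION_TTL = 172800   # TTL of the NS delegations in the root zone (48 h)

# Constructed delegation chain: root -> .net -> danbuzzard.net -> www
ROOT_ZONE = {"net.": ("ns.tld-net.example.", DELEGATION_TTL)}
TLD_ZONE = {"danbuzzard.net.": ("ns.danbuzzard.example.", DELEGATION_TTL)}
AUTH_ZONE = {"www.danbuzzard.net.": ("203.0.113.10", RECORD_TTL)}


class ToyResolver:
    """Caches every answer until its TTL expires; asks the root only when the
    TLD delegation is not in the cache."""

    def __init__(self):
        self.now = 0.0           # simulated clock, in seconds
        self.cache = {}          # name -> (answer, expiry time)
        self.root_up = True
        self.root_queries = 0

    def _cached(self, name):
        hit = self.cache.get(name)
        return hit[0] if hit and hit[1] > self.now else None

    def _store(self, name, answer, ttl):
        self.cache[name] = (answer, self.now + ttl)

    def _ask_root(self, tld):
        if not self.root_up:
            raise RuntimeError("root servers unreachable")
        self.root_queries += 1
        return ROOT_ZONE[tld]

    def resolve(self, name):
        """Return the address for a fully qualified name (trailing dot)."""
        addr = self._cached(name)
        if addr:
            return addr
        labels = name.split(".")
        tld = labels[-2] + "."                 # "net."
        zone = ".".join(labels[-3:])           # "danbuzzard.net."
        if self._cached(tld) is None:          # only this step touches the root
            ns, ttl = self._ask_root(tld)
            self._store(tld, ns, ttl)
        if self._cached(zone) is None:
            ns, ttl = TLD_ZONE[zone]
            self._store(zone, ns, ttl)
        addr, ttl = AUTH_ZONE[name]
        self._store(name, addr, ttl)
        return addr


def simulate_root_outage(name="www.danbuzzard.net."):
    """Warm the cache, 'take down' the root, then see how long lookups survive."""
    r = ToyResolver()
    r.resolve(name)                       # cold cache: one root query
    r.root_up = False                     # the attack succeeds
    r.now += RECORD_TTL + 1               # the 24 h record TTL has expired...
    addr_day_later = r.resolve(name)      # ...but the .net delegation is cached
    r.now += DELEGATION_TTL               # 48 h more: the delegation expires too
    try:
        r.resolve(name)
        fails_after_delegation_ttl = False
    except RuntimeError:
        fails_after_delegation_ttl = True
    return {
        "root_queries": r.root_queries,   # still just the single warm-up query
        "resolved_with_root_down": addr_day_later,
        "fails_after_delegation_ttl": fails_after_delegation_ttl,
    }


if __name__ == "__main__":
    print(simulate_root_outage())
```

The simulation counts exactly one root query, the cold-cache lookup. A day later, with the root unreachable and the blog’s own record expired, the name still resolves because the .net delegation is cached; only after the 48-hour delegation TTL has passed does the lookup fail. A real resolver would also fall back to the other twelve root addresses and other anycast instances, which the toy ignores.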

DNS Root response times.

The idea that a bunch of pissed-off teenagers could take down the DNS root is nothing short of laughable. Just because you can DDoS your mates off their home Internet connection doesn’t mean you can take on the huge server clusters that make up each server in the DNS root. So quit making up stupid shit; you never know, someday you might learn something.

Phishing URLs for #FraudWeek

Earlier tonight a tweet caught my eye.


Incorrect security advice from a government department; who would have thought? You would think the government could do better, but no: apparently logging off will keep you safe. This isn’t the early 90s anymore, and threats have grown beyond another user on the computer after you. Besides, do people really share computers much these days anyway? Even if they do, an errant sibling or spouse is your least concern.

As part of Fraud Week I thought I would post something a little more useful than the Australian Government did. While there are many security threats both online and offline, the one I keep needing to educate users about is phishing, whereby criminals impersonate a legitimate website in order to trick a user into supplying their username and password for the real site.

For example, have a look at this website.

Now take a look at the second website.

Did you spot the difference? Unfortunately a lot of people fail to spot it and become victims of crime through the theft of their credentials, because only one of these websites is real and the other is a fake. If you enter your username and password into the fake site, your credentials are in the hands of the criminals running it; this process is called “phishing”.

Here is the all important difference that users need to be taught to look for.

It’s in the URL. While both addresses contain gumtree.com.au, only one of those sites is actually gumtree.com.au; the fake site is a subdomain in disguise. Just because you see the name in the address bar doesn’t mean you are at the correct site. A hostname is read from the right: the registered domain is the part immediately before the public suffix, and everything to the left of it is whatever the domain’s owner chooses to put there. In this case the criminal owns 209058589.co (.co being the country-code domain of Colombia), and you’re simply visiting a subdomain of it that hosts the fake site.

One of the ways criminals trick users into going to the wrong site is by sending them an email pretending to be from the legitimate site but linking to the fake one. Users with HTML email enabled are especially at risk, because the real destination of a hyperlink is easy to hide behind its visible text. For example, a link whose text reads http://www.microsoft.com can point anywhere at all (in this post it links straight back to this article); placed in an official-looking email pretending to be from Microsoft, it could dupe a user into thinking it leads to microsoft.com. Hovering over a link (or long-pressing it on a phone) shows the real target before you click. This tactic, combined with a good fake site and URL, is enough to fool most users.

So as part of #FraudWeek teach some of the less tech savvy users how to spot the fakes. Just because you can spot them it doesn’t mean your friends and family can.
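As an added example (not from the original post), the following implements the two checks described above: reading a hostname from the right to find what was actually registered, and comparing a link’s visible text with its real destination. A tiny hand-written table of public suffixes stands in for the Public Suffix List that real browsers use, and the fake login URL is constructed from the domain named in the post (209058589.co), since the post does not quote the full address.

```python
"""Added example (not from the original post): two checks for the tricks the
post describes, a brand name buried in a subdomain of someone else's domain,
and link text that names one site while the link goes to another.

Assumptions: PUBLIC_SUFFIXES is a tiny stand-in for the Public Suffix List
that real browsers use; the phishing URL below is constructed from the domain
the post names (209058589.co), since the post does not quote the full address.
"""
import re
from urllib.parse import urlsplit

# Small subset of public suffixes; the real list has thousands of entries.
PUBLIC_SUFFIXES = {"com", "net", "org", "co", "au", "com.au", "net.au", "org.au", "co.uk"}

# Link text that looks like a URL or a bare hostname (e.g. "www.microsoft.com").
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def registrable_domain(host):
    """Return the registered part of host: www.gumtree.com.au -> gumtree.com.au,
    a.b.209058589.co -> 209058589.co. Read from the right, as DNS is."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # labels[i:] is the longest known public suffix; the label to its
            # left is what was registered. i == 0 means host is a bare suffix.
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)  # unknown suffix: treat the whole host as registered


def subdomain_disguise(url, real_domain):
    """True when real_domain appears in the hostname but is not what was
    registered, i.e. someone else's domain is wearing it as a subdomain."""
    host = (urlsplit(url).hostname or "").lower()
    return real_domain.lower() in host and registrable_domain(host) != real_domain.lower()


def link_mismatch(visible_text, href):
    """True when a link's visible text names a site but the href leads to a
    different registered domain. Plain words ('click here') never match."""
    m = _URLISH.match(visible_text.strip())
    if not m:
        return False
    shown = registrable_domain(m.group(1))
    actual = registrable_domain(urlsplit(href).hostname or "")
    return shown != actual


# Constructed examples based on the post's description.
REAL_LOGIN = "https://www.gumtree.com.au/login"
FAKE_LOGIN = "http://www.gumtree.com.au.209058589.co/login"

if __name__ == "__main__":
    for url in (REAL_LOGIN, FAKE_LOGIN):
        print(url, "->", registrable_domain(urlsplit(url).hostname),
              "SUSPICIOUS" if subdomain_disguise(url, "gumtree.com.au") else "ok")
    print(link_mismatch("http://www.microsoft.com", "http://www.danbuzzard.net/"))
```

The same right-to-left reading is what to teach users: ignore everything before the registered domain, because the attacker controls it.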

Google Chrome blocking access to a Phishing site.

Fortunately most modern web-browsers have the ability to scare users away from Phishing sites, but they shouldn’t be solely relied upon as some Phishing sites do manage to escape detection. Therefore user education is the key.

A security podcast that I recommend.

While I predominantly focus on skepticism I do have other areas of interest, one of them being computer security. Having been to a couple of skeptic conventions I have noticed that there is more than a handful of computer people within the skeptics community, so I’m sure a lot of the people who find my blog will also have some good knowledge of computer security and computers in general. Security Now is a podcast that I think may appeal to a lot of technical skeptics, although it isn’t a skeptical podcast itself.

Security Now is a computer security podcast released weekly that covers security vulnerabilities, firewalls, password security, spyware, rootkits, Wi-Fi, virtual private networks (VPNs), virtual machines, full virtualisation, hardware-assisted virtualisation and virtual appliances. I have been listening to it since 2005, when the show first debuted, and I have been following Steve Gibson’s work at GRC.com since at least 2001.

So if you have an interest in computer security, definitely check out Security Now. I also recommend Steve’s hard drive maintenance software SpinRite, which I’ve been using to rescue and maintain hard drives.

DDoS attacks are a coward’s ‘protest’.

There seems to be this belief floating around that the DDoS attacks that are carried out by the so called “hacker” group Anonymous are the equivalent of a legitimate protest. Some members of Anonymous even have the audacity to liken themselves to civil rights protesters; the irony.

Launching a denial of service attack against somebody you wish to silence is not the equivalent of a virtual sit-in, for several reasons, the first of which is accountability. When you conduct a sit-in protest you are held accountable for it; it’s an illegal activity (trespass) for which you can be prosecuted. In contrast, when you launch a DDoS attack on someone’s website over the Internet, with or without a proxy server, you are removing the accountability for your actions. You are hiding like a snivelling coward.

It takes a certain amount of courage to stand up for what you believe in, and throughout history we have seen many examples of just that: people standing up for what they believe in, from the civil rights movement to the Tiananmen Square protesters and countless others. Many of these people put themselves on the line to stand up for their beliefs and ideologies, and for many the price was high. It is at the very least a tremendous insult to these activists that a group of cowards hiding behind an IP address on the Internet could ever compare themselves to real activists.

The group Anonymous is built upon hiding as opposed to standing up. They are not activists but cowards who hide online and attack from the shadows; some even use proxy networks to cower further behind their keyboards.

If you think I’m being harsh on Anonymous then take a look at this and explain the logic to me because I cannot find it.

Lastly, they set up this website called mybart.gov and they stored their members’ information with virtually no security. The data was stored and easily obtainable via basic sqli. Any 8 year old with an internet connection could have done what we did to find it. On top of that none of the info, including the passwords, was encrypted. It is obvious BART does not give a fuck about its customers, funders and tax payers, THE PEOPLE.

Thus below we are releasing the User Info Database of MyBart.gov, to show that BART doesn’t give a shit about its customers and riders and to show that the people will not allow you to kill us and censor us. This is but one of many actions to come. We apologize to any citizen that has his information published, but you should go to BART and ask them why your information wasn’t secure with them. Anonymous Dataleak

Wow, did I just read that? Anonymous is critical of BART.gov for not taking adequate steps to secure customer information. So in response they steal the data themselves and publish it on the web for the whole world to find. They then apologise to the users who have had their information published.

That right there shows the childish attitude towards accountability that characterises the group that calls itself ‘Anonymous’. Protecting privacy and free speech while violating both? What a joke these so-called ‘hacktivists’ really are. You cannot claim to defend freedom of speech while attacking websites, and you cannot claim to value the privacy of fellow citizens while simultaneously publishing their personal information on the web.

Lulzsec and Anonymous script kiddie SQL Injection.

I have been following the activities of the so called ‘hacker group’ calling itself “Anonymous” for some time now. Not because I support their activities but because I find the whole Anonymous, Lulzsec and Wikileaks debacle interesting.

While there is certainly a valid argument that WikiLeaks is doing some good in the world, the same cannot be said for Anonymous and Lulzsec. Although, unlike Anonymous, at least Lulzsec is up front about why they attack other people’s systems: they admit to doing it for fun and entertainment, whereas Anonymous tries to justify itself with hypocritical bullshit, such as claiming to defend free speech while simultaneously taking down the websites of perceived opponents.

Anonymous even tried to take this blog offline when I wrote the article titled “Anonymous Script Kiddies are not defending the internet.” At the time I didn’t recognise the traffic pattern as an attempted SQL injection, because I wasn’t expecting one and nor was I familiar with the tool they use to “hack” people’s websites. Needless to say, the attempted SQL injection failed and I was able to remain online.

It turns out the method by which these groups infiltrate websites is remarkably unsophisticated. The tool being used by both Anonymous and Lulzsec to infiltrate websites is called Havij; it’s a GUI-based SQL injection tool and is available for download here.

It was only after testing Havij against my own system that I recognised the signatures the Havij software leaves in the server access logs. The most concerning thing about this is how easy it is to protect WordPress and a variety of other content management software from this type of vulnerability, yet these attacks keep on happening. In most cases securing your website is simply a matter of keeping the software (plugins and themes included) up to date; for code you write yourself, it means passing user input to the database as bound parameters rather than pasting it into the SQL string.
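As an added example (not from the original post, which does not describe the signatures the author saw), here is a small scanner that runs ordinary SQL injection indicators over access-log lines. The log lines are constructed in combined log format with RFC 5737 addresses. The generic patterns (UNION SELECT, tautologies, comment terminators) are textbook; the two Havij-specific strings, the hex literal 0x31303235343830303536 and the 999999.9 probe value, are the markers that public IDS rule sets attribute to that tool and are an assumption of this example rather than something the post states.

```python
"""Added example (not from the original post): scan web-server access-log
lines for the traces an automated SQL injection tool leaves behind, so the
pattern can be recognised the next time it shows up.

Assumptions: the log lines are constructed (combined log format, RFC 5737
addresses). The generic patterns are ordinary SQL injection indicators; the
two Havij-specific strings (the literal 0x31303235343830303536 and the
999999.9 probe value) are the markers public IDS rule sets attribute to that
tool, and are not something this post states.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Applied to the URL-decoded request path.
PATH_PATTERNS = [
    ("union-select", re.compile(r"union\s+(?:all\s+)?select", re.I)),
    ("tautology", re.compile(r"(?:'|\b)\s*or\s+['\d]+\s*=\s*['\d]+", re.I)),
    ("comment-terminator", re.compile(r"(?:--|#|/\*)\s*$")),
    ("havij-hex-marker", re.compile(r"0x31303235343830303536", re.I)),
    ("havij-probe-value", re.compile(r"999999\.9")),
]
# Applied to the User-Agent header.
UA_PATTERNS = [("havij-user-agent", re.compile(r"havij", re.I))]


def parse_line(line):
    """Parse one combined-log-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sqli_indicators(entry):
    """Names of every indicator that fires for one parsed log entry."""
    path = unquote(unquote(entry["path"])).replace("+", " ")  # undo double encoding
    hits = [name for name, pat in PATH_PATTERNS if pat.search(path)]
    hits += [name for name, pat in UA_PATTERNS if pat.search(entry["ua"])]
    return hits


def scan(lines):
    """Return {client ip: {indicator: count}} for every client with a hit."""
    report = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for name in sqli_indicators(entry):
            counts = report.setdefault(entry["ip"], {})
            counts[name] = counts.get(name, 0) + 1
    return report


# Constructed sample: one ordinary visitor, and one client probing a
# WordPress-style ?p= parameter the way an automated injection tool does.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2011:20:01:02 +1000] "GET /?p=12 HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [10/Jun/2011:20:01:05 +1000] "GET /?p=12%27%20and%201=1-- HTTP/1.1" '
    '200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '198.51.100.9 - - [10/Jun/2011:20:01:06 +1000] '
    '"GET /?p=999999.9%20union%20all%20select%200x31303235343830303536-- HTTP/1.1" '
    '500 312 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '198.51.100.9 - - [10/Jun/2011:20:01:07 +1000] "GET /?p=12%27%20or%20%271%27=%271 HTTP/1.1" '
    '200 5120 "-" "Havij"',
]

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, counts)
```

Feed scan() the lines of an Apache or nginx access log and look at which client addresses accumulate several indicators in a short period; a single comment-terminator hit can be a false positive, whereas a client that also sends the hex marker is not. The path is URL-decoded twice before matching because attackers double-encode to slip past naive filters.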

While Lulzsec and Anonymous are using unsophisticated attacks, if they find a vulnerable website that happens to contain sensitive information it can have dire consequences for the users, as we have seen with the recent Sony hacks in which millions of credit cards were stolen.

I believe the best way to defend yourself from the kids at Lulzsec and Anonymous is by understanding the threat. I don’t endorse trying an SQL injection on someone’s website without their consent; use your own system or set up a honeypot.
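As an added example (not from the original post), this is the class of bug such tools exploit, beside the fix, run against a throwaway in-memory SQLite database so it can be tried safely on your own machine. The schema, rows and hash value are constructed; the payloads are textbook tautology and UNION probes, not anything captured here.

```python
"""Added example (not from the original post): the kind of string-built query
an automated injection tool exploits, beside the parameterised version, run
against a throwaway in-memory SQLite database so it can be tried safely.

Assumptions: the schema, rows and hash value are constructed; the payloads
are the textbook tautology and UNION probes, not a capture of what was sent
to this blog.
"""
import sqlite3


def make_db():
    """Build a tiny blog-like database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
        INSERT INTO posts VALUES (12, 'Public post', 1), (13, 'Unpublished draft', 0);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return conn


def post_title_vulnerable(conn, post_id):
    """Builds the statement by string concatenation, so whatever arrives in
    the ?p= parameter is executed as SQL."""
    sql = "SELECT title FROM posts WHERE published = 1 AND id = " + post_id
    return [row[0] for row in conn.execute(sql)]


def post_title_safe(conn, post_id):
    """Validates the input type and binds it as a parameter; the value can
    never change the shape of the statement."""
    try:
        value = int(post_id)
    except ValueError:
        return []
    rows = conn.execute(
        "SELECT title FROM posts WHERE published = 1 AND id = ?", (value,))
    return [row[0] for row in rows]


# Constructed payloads of the kind an injection tool sends in the ?p= parameter.
PAYLOAD_TAUTOLOGY = "12 OR 1=1"
PAYLOAD_UNION = "999999.9 UNION ALL SELECT pw_hash FROM users"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal   :", post_title_vulnerable(db, "12"))
    print("vulnerable, tautology:", post_title_vulnerable(db, PAYLOAD_TAUTOLOGY))
    print("vulnerable, union    :", post_title_vulnerable(db, PAYLOAD_UNION))
    print("safe, tautology      :", post_title_safe(db, PAYLOAD_TAUTOLOGY))
```

The vulnerable function returns the unpublished draft for the tautology payload and the admin password hash for the UNION payload; the parameterised version returns nothing for either, because the input is validated as an integer and then bound as a value that cannot alter the statement.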

Here are some resources I have found to get started with SQL injection.

SQL Injection Using Havij

Basics And Working of SQL Injection Attacks

Trick for Advanced SQL Injection

I do not condone any criminal activity, nor do I support the actions of either Anonymous or Lulzsec. I am only sharing what I have learned so far. Both screen shots were captured from legal penetration testing of my own systems setup expressly for that purpose.

Anonymous Script Kiddies are not defending the internet.

If you’re following the WikiLeaks debacle you have no doubt heard of the group being called “Anonymous”, although they are more of a phenomenon than an actual group or organisation. Anonymous have been launching distributed denial of service attacks against MasterCard and PayPal. Dubbed “Operation Payback”, this loosely connected band of idiots is attempting to bring down websites and services that have refused to do business with WikiLeaks, under the misguided view that they are standing up for freedom of speech and ‘defending the Internet’.

However, nothing could be further from the truth, because Anonymous have even attempted to bring down Amazon for refusing to host WikiLeaks. Of course, with Amazon being one of the largest service providers in the world, Anonymous failed miserably, but they still attempted to bring down a service that hosts tens of thousands of servers. Such an attack on so many innocent people is not standing up for freedom of speech. Knocking someone’s service provider offline has the same effect as adding them to a government censorship filter: they are silenced.

Amazon has been lined up as the next victim of a distributed denial of service (DDoS) attack by the group of online vigilantes known as Anonymous, which has already taken down the web sites of MasterCard, Visa and PayPal, as the WikiLeaks controversy continues.

A Twitter update from one of the accounts used by the group, @Op_Payback, read an hour ago: “TARGET: WWW.AMAZON.COM LOCKED ON!!!”. Subsequent updates gave followers instructions on how to turn their computers into part of a mass botnet set to launch the DDoS attack in two hours.

It is unclear whether the attack is in retaliation for the actions of Amazon Web Services last week in booting WikiLeaks off its servers, or due to the appearance on Amazon.com today of the WikiLeaks cables for a £7.37 charge. V3.co.uk

I decided to briefly point out this hypocrisy in the IRC channel:


I had expected to receive at least some half-baked ideology in response to justify the DDoS attacks, but instead it seems these script kiddies are not interested in discussion.


As I type this the IRC channel has come to life; they are gearing up for another attack. I will be watching this out of interest, but I refuse to assist any of these idiots, because these morons are not defending the Internet. Instead they are crippling it and stamping on the freedom of speech that they claim to protect. Despite what the media tell you, these are not hackers, because all these individuals are doing is abusing a core fundamental of the Internet: packets are forwarded to their destination without anyone asking why, so a DDoS attack requires no expertise to carry out. All you need to do is send traffic to a target and the Internet does the rest.


If like me you support WikiLeaks but condemn Operation Payback and the idiots behind it then say something on Twitter, Comment forms or the Anon-ops IRC (But don’t expect a warm welcome.)


Wikipedia: What is a Denial of Service Attack?


Anon-Ops IRC: 91.121.92.84 Port: 6667 #OperationPayback