Im sure my circimstances are not unique. That’s why poetry, art, music, all stand the test of time. No matter how bizzare the circumstances of your life may be, someone, at some point, has experienced something similar and created something beautiful to make sense of it. It seems, for better or for worse, HVCK is to be my symphony.
Like many of you out there, I have lived many lives. Full lives. Amazing lives. Seasoned with circumstance someone of my looks, breeding or intellect shuold never aspire to. These highs were paid in full by my share of lows. A liberal peppering of hardship, loss and loneliness complimenting the highlghts as only sufferiing can but spare me your tears, the odds are and have always been in my favour.
“Come on mate. This is all a bit heavy, a bit personal. What happened to the larakin? The hairy wonder? Why so seriousss Mr Williams? As your internal voice of reason, I
feel you may be a little off track here mate?”
You’d think the semi-sentient facets of my psyche that actually get up the courage to converse with the guy at the wheel would know that I’m setting the stage to make a point. Through which I will reveal the theme, the common thread, the underlying pulse of this, the first ethically sourced, locally owned and operated, gluten, dairy and flesh free issue of HVCK.
“You said there wasn’t going to be any themes? That it made things feel forced and insincere? I thought you said HVCK was going to be organic and an exploration of tings that exc........”
Sorry about that. Give them an inch and they take a mile. What my almost completely autonumous future therapy topic revealed is correct. Our theme will be to have none. A stream of conciousness guided only by passion, curiosity and the clearly obvious bonus of being able to use “Im researching some stuff for the mag” as an excuse to get out of almost any mundane task that comes my way.
Jokes.. Just jokes.. :P
“Thats all well and good Ryan” I hear the highly caffinated of yuo reply. “but why that crappy image of a busted up Rolling Stone magazine from a time when mumble rap didnt even exist?”
Well my manic millenials, this ragged collection of manually printed physical media was the catalyst that turned indifference to incandecence. Given to me as a gift, one of the good kind. Out of nowhere, for no particular reason and unimginably thoughtful.
I am a huge fan of Hunter and resonate with his well loved literary bastard Gonzo. It turns out though that what I am more in awe of was the premeditated random act of kindness that facilitated this relic coming into my hands. HVCK is my random act of kindness. Good will paid forward. It is my heart felt gratitude, my opus to the ideas, the culture, the technology and the people who have inspired me and given this simple fool purpose and a richness of spirit I am compelled to share.
All that being said.. Lets hack some shit...
Privilege Access is a term used to secure access to data by any person that is above a standard user. It can be associated with both human and non-human access such as applications and machine identities.
Some examples of privilege access accounts used by humans are ‘super users’, ‘local administrative’ and ‘privilege business user’. Examples of non-human access accounts are ‘application accounts’, ‘service accounts’ and ‘secret accounts.’ Arguably, there are many more examples, however the most familiar access accounts have been used as examples.
In the Essential 8 Maturity model, privilege access is considered as one of the controls to protect data from unauthorised access and/or disclosure. As such, entities are responsible to ensure necessary controls have been implemented to protect data from unauthorised access and/or disclosure.
Arguably, it is a criminal offence for any person who has accessed data without authorisation. Additionally, further penalties can be awarded if modification or impairment is caused because of this access.
To discuss this subject matter of unauthorised access, we will look at the case of Darth Vader v Han Solo where the plaintiff claimed that the defendant had unauthorised access to the Attack Room, which was the location of several servers that stored confidential data. As a result of this access, there was impairment to data. Additionally, the plaintiff further sought compensation for damage to property.
In the case of Darth Vader (plaintiff) v Han Solo (defendant), the plaintiff claimed that the defendant gained unauthorised access to the Attack Room where the defendant allegedly destroyed Imperial property, namely the intercom and surrounding hardware appliances. The Enhanced Security and Enforcement Act, 21 BBY (Gal) s 145 states that
a) A being or non-being is unauthorised if they are not entitled, within the ordinary meaning of the word, to cause that access, modification, or impairment.
b) will be taken to ’cause’ unauthorised access, modification, or impairment if your conduct substantially contributes to the same
According to the Galactic Supreme Court, the onus rests on the plaintiff to prove that the defendant caused unauthorised computer function; did so knowing it was unauthorised; and did that with the intention of committing or facilitating the commission of a serious indictable offence.
The plaintiff claimed that the defendant disguised himself as a stormtrooper which arguably, is intent to access the Attack Room without authorisation. As such, the defendant had knowledge that he accessed the Attack Room without consent. Therefore, the defendants’ actions could be argued as a serious indictable offence.
However, the defendant argued that the actions were justified. In his defence, he entered the Attack Room to save his, and his colleague’s life. He admitted to entering
the Death Star based on orders to save Princess Leia who was held hostage by the plaintiff. As such, the defendant had a lawful reason to access the Attack Room.
Under Part C section 11 of the Enhanced Security and Enforcement Act, 21 BBY (Gal), it states that
An entity must take reasonable steps to protect confidential data it holds from misuse, interference, and loss, as well as unauthorised access, modification, or disclosure
In the investigation into the Imperial’s Starfleet conduct regarding the protection of confidential data, it was identified that the Death Star failed to implement necessary Privilege Access Controls. The court determined that the Attack Room was considered as a location that stored highly confidential information. It was the Imperial’s Starfleet responsibility to ensure the privilege access was implemented so that only specific beings, and non-beings, had access to the Attack Room. Failure to implement the privilege access controls meant that any Stormtrooper had access to this data.
Arguably, the Imperial Starfleet had implemented authentication steps inside of the Attack Room which aided in reducing the risk of access to other secure locations. However, despite this action, it was not considered effective and therefore failed as a control.
The Galactic Supreme Court concluded that Han Solo had accessed the Attack Room without authorisation.
However, the access was deemed lawful under the Galactic Constitution which states that beings and nonbeings may enter a ship for a lawful reason identified under Part A.
Additionally, the courts awarded Darth Vader $5,000 Galactic Credit Standards to repair the damage of the intercom inside of the Attack Room. While Han Solo stated in his defence that the damage was necessary, the court concluded that he could have turned off the intercom instead of destroying it with the BlasTech’s E-11 Blaster Rifle.
Lastly, the court fined the Imperial Starfleet with 2,000 Galactic Units for failure to implement necessary privilege access controls to secure the location and the data. Additionally, the Imperial Starfleet was to compensate all beings and non-beings for any damages as a result of the failure to secure personal and confidential data effectively.
Before our unit deployed to Afghanistan, we were given all kinds of training and assessments. These classes included ways to set up a vehicle checkpoint, how to screen enemy combatants, how to engage in a suicide bomber attempt (before they blow up), and how to dig a trench. While these classes were informative, they were not helpful in any way. My job was to fly a big ass helicopter (CH-47). During one of these classes I asked when are they were going to give us training on ways to not get shot down by an rocket propelled grenade (RPG). The class trainers were annoyed at such a question, they were here to teach us non-aviation tasks that we would never come across in our lives. That is the U.S. Army way: teach you lots of things you will never use and ignore the things you really need to know (doctrine versus combat experience).
As a hacker, we learn by doing, by trying new things out, by what others are willing to share with us, and by our own curiosity. The security industry provides no incentive to any of those learning methods (and I am fairly sure they hate hackers even though criminals are their problem, not hackers). Imagine you attend a cooking class at some school. They teach you to use whisk without showing what a whisk is. The class teaches you to cook food for a certain period of time but doesn’t tell you how to use a stove or an oven. The class doesn’t even talk about not burning hands by using an oven mitt (potholder). So you’ve taken a whole course that misses the most critical points of cooking but you have a nice certificate that says you are an amazing chef.
This is exactly the way the security industry works too.
<rant> Bob MonroeThe industry publishes best practices with concepts and ideas that have never been proven to work (quite the opposite), offer you pretty color charts that miss key steps (figure it out on your own), and training that doesn’t tell you anything about protecting an asset. Security is about protecting an asset; that is kinda the whole point of security. If you are not protecting an asset, what are you doing all day?
Let me guess; you are patching, using strong passwords, not clicking on links, updating your security policy, phishing your coworkers, and writing reports that nobody will read. None of that is security. If you are a pentester, you have it made, you just poke holes in the network and tell the client how bad their security is without ever telling them how to fix their issues (foundation-wise). Pen testers post about how easy their job is because this tool or that tool allows them unrestricted access to this or that but that isn’t security either. It is closer to bragging unless there is some element of knowledge to show you how to protect against those very tools.
The security industry is about profit.
Here we have three examples of useless training; digging a trench instead of countering big bullets, learning to cook instead of learning to cook safely, and being a security person without learning about protecting assets. Do any of these make sense to you? Yet here we are. You may have been taught how to harden an asset (maybe an OS, maybe a network, maybe a phone) but nothing on how to properly protect those assets against threats. You are expected to buy solutions, not solve it yourself.
This brings us to the lifeblood of the security industry: selling you crap instead of showing you how to do it yourself. You may have every certification ever created but have any of them taught you how to protect a digital asset? Probably not since you aren’t expected to know how security works, you just need to know how to follow best practices (not science or mathematically proven methodologies). Here is your checklist, now go complete that checklist, don’t ask questions either.
If anyone was serious about security, they would have gotten rid of passwords decades ago, and tossed out authentication along the way in favor of something that works. Remember that on the Internet you can be anyone you want so why would authentication work. With the proper creds, you can be Gates, Zuck, Bezos, the Pope, whomever. A 16-year-old kid pretended to be all kinds of people (Lapsus$) to gain access to
not ask “why” this or that happened since that would lead you to have a better understanding of security failures and that isn’t allowed. You must, instead, buy this new and improved product. You must ask for a larger budget to buy more stuff that hasn’t been proven to work. You must “like” and “share” ideas that have no merit beyond “it works for us so it must work for you too.”
We can change this by asking why or how something works. We can demand to know what science or math is behind a technique or methodology. We can investigate solutions on our own, find out ways to protect assets ourselves, and exchange ideas
Samsung, Microsoft, Okta, and others so authentication can’t be all that great of a solution. Deepfakes prove that every day.
The security industry puffs out its collective chest and blames each breached company instead of offering lessons learned or ways to keep this from happening again, and again, and again. What did we learn from Conti, from Lapsus$, from Cozybear, from Hive, from any of them? Nothing really since most of the information was stripped down to sound bites, Twitter 140 characters (160 to be technical), or news headlines that bring in some expert nobody has ever heard of. We are not taught to seek out solutions, just shrug our shoulders and thank the lord that it wasn’t us who were attacked.
The industry uses shame to keep everyone in line. Instead of focusing on better asset protection, we are reintroduced to more best practices that somehow never coincide with an actual breach. We are encouraged to
with others (much like the hacker community does). We can start asking for vendor assurances that their product works exactly the way they say it does and doesn’t do anything else (like phone home, connect to an unsecure remote host, or update on its own). We could even look at security the same way we look at safety; results oriented.
If we continue to let the security industry tell us how we should work, we will never know how to fix the issues we already have. •••
In the ever-evolving world that is Cyber Security, it can be extremely confronting to decide where to start. Choosing between the enormous list of certifications, programming languages, university degrees and ever-growing list of CTF’s to start with is a daunting task for anyone, however it should not be this difficult. As I see it, there are a few options to choose from when first starting out which should help towards that entry level position, which then you can later choose to branch out to specialist areas and become a master at.
Consider cyber security for a moment like a “trade”, where you have plumbers, electricians, carpenters, etc. It’s very much the same thing in Cyber Security where you have pentesters, incident responders, SOC analysts, reverse engineers, etc. So, which direction should you take and how do you get there? Let’s begin with the absolute basics by breaking this down into 3 sections; Certifications, Experience and Home Labs/ Self Learning. Certifications;
A quick google of “how many cybersec certifications are there” brought back roughly 270 certs to choose from. Knowing which of these to choose from is definitely tricky, but as I see it, there’s a better place to start other than certifications which is a degree. Now again, there’s many degrees to choose from but if I had to pick 2, I’d recommend the computer science or cyber security bachelor degrees. In both of these formal education pathways you will learn all of the fundamentals that you need to know without specifically specialising in any of them. If formal education is not your “thing” or possible for you to do though, there are 4 certifications I would recommend, and also recommend to those who have completed a degree. The first of these certifications is the CompTIA Security+.
This certification is designed to give you that basic understanding of a blue team environment while lightly touching on pentesting. The next one is the CCNA by Cisco, which is designed to give you that fundamental knowledge of how networks work and move data across systems. This is absolutely vital information for a cyber security professional and is often
a stepping stone into the industry, which I’ll touch on later.
The third certification is the OSCP, which is aimed solely for those of you who want to be ethical hackers or pentesters. It is probably the number 1 certification that I see requested in job adverts, surprisingly even so with blue team analyst roles. The fourth certification is the CySA+ certification from CompTIA. This certification is aimed more towards the blue team side of certifications focused towards (as the name implies) Cybersecurity Analysts.
I’m going to say this one louder for the people up the back; EXPERIENCE IS KING! In this industry, the one thing that recruiters always complain to me about when I put forward potential candidates is that they don’t have enough “industry experience”. While this can sound a lot like a chicken and egg situation where you need experience to gain a job but also need a job to gain that experience, it can seem like a strange thing to ask for, however experience can come in different ways.
From joining meetup groups and networking with other students or current industry professionals to building your own home labs that prove certain skillsets, to gaining experience from internships, experience is not something that is only reserved for the job applicants who already have years of experience working professionally in IT, although this would certainly help if it’s possible. A point worth mentioning here though is that the most common transition job into Cyber Security in Australia is from network engineers or systems administrators, which if you look back to one of the certifications I mentioned earlier is that exact stepping stone – the CCNA
certification.
So what I’m saying here is that if you think perhaps you might like to play the field a bit first and do sysadmin work or network engineering, gaining that CCNA is almost 100% necessary to eventually jumping ship into the cyber security industry.
Home labs and self learning; We have covered my top 4 choice of certifications and we went through what sort of experience is needed, but what about something else that can potentially showcase your skills without having to fork out a whole lot of money or time? Home labs and CTF’s are the answer to this question.
I recently made an example home lab on my YouTube channel where I discussed the golden ticket of home labs, where you build an attack defense system using raspberry pi’s. The idea is that you have one to attack, one to defend and one in the middle logging all of the traffic. This idea showcases that you understand both sides of the red and blue team coin and that you also have passion for the industry, which after experience is the most sought-after soft skill recruiters and hiring managers look for when hiring new recruits into the industry. There are various other avenues you can explore with home labs depending on where your interests lie, but that depends on you and which direction into the industry you want to take.
On the topic of self-learning, there is of course CTF’s or “Capture The Flag” learning possibilities through sites like tryhackme.com or pentesterlab. com, which are becoming increasingly popular learning platforms because of
their gamified approach. They are a great way to learn for sure, with the only downside of being that they don’t really give you that “real world” experience, although definitely worth pursuing for an awesome learning experience.
To wrap this up, I’d like to highlight that cyber security is still somewhat in an infancy stage within Information Technology and the requirements, learning tactics and job titles on offer change fairly rapidly, which makes it one of the most interesting and exciting industries in the world. Get yourself out there, dive in and join in on the fun! I’ll see you on the other side.
Only one solved in 5 magazinesI.. Forget the past. HVCK goes as deep as you want to take it. Enjpy. See you in wonderland.
We have it easy today. Sure I was around before google was a thing and the only way to source that forbidden knowledge was to shmooze some creepy BBS sysop to get access to tthe good stuff. That well guarded reasure trove of lengthy text files, full to the brim with tips and techniques in perfecting the dark digital arts.
But who was responsible for these scrolls. Someone, out there, somewhere, had figured all thiese amazing things out them taken the time to share that knowledge. Knowledge hard fought and won Im guessing. These saints who’s names I will never know passed the torch of there knowledge on, lighting a flame in me that is yet to extiguish.
When it comes to cyber security, we are always looking forward. The next vulnerability, the next attack, the next tool. I wanted to take a moment to look back where we’ve come from.
Australia has a rich hacking history and for a period we were regarded as the best in the world. I’m ashamed to say I was blissfully unaware of this until I reached my mid twenties and stumbled across this book at Goulds Book Depository while digging for vinyl.
Written by Suelette Dreyfus & Julian Assange the book explores the lives and shinanigans of Melbourne’s
computer underground in the late 80’s and early 90’s. A worthy history lesson for anyone interested in why our industry exists at all.
The following is the the introduction by Suelette Dreyfus. If you are interested in picking up a copy its available from Penguin Books or if you feel like getting immersive, Julian & Suelette released a straight up text file version for free on the internet. Its still available in many respositories and if you dig a little deeper there are some great supplimental resources..
I’m not going to get into Suelette’s co-author here today. That could almost fill a entire issue but I will say this. The impact he has had on our industry and the world will not soon be forgetten. Though maybe his name will.
- D8RH8RMy great aunt used to paint underwater.
Piling on the weighty diving gear used in 1939 and looking like something out of 20000 Leagues Under the Sea, Lucie slowly sank below the surface, with palette, special paints and canvas in hand. She settled on the ocean floor, arranged her weighted painter’s easel and allowed herself to become completely enveloped by another world. Red and white striped fish darted around fields of blue-green coral and blue-lipped giant clams. Lionfish drifted by, gracefully waving their dangerous feathered spines. Striped green moray eels peered at her from their rock crevice homes.
Lucie dived and painted everywhere. The Sulu Archipelago. Mexico. Australia’s Great Barrier Reef. Hawaii. Borneo. Sometimes she was the first white woman seen by the Pacific villagers she lived with for months on end.
As a child, I was entranced by her stories of the unknown world below the ocean’s surface, and the strange and wonderful cultures she met on her journeys. I grew up in awe of her chosen task: to capture on canvas the essence of a world utterly foreign to her own.
New technology--revolutionary for its time--had allowed her to do this. Using a compressor, or sometimes just a hand pump connected to air hoses running to the surface, human beings were suddenly able to
‘Underground is an adventure book for the brain .. Cowboys .. roamed unpatrolled electronic frontiers. Some made it into the systems of powerful organisations, [where] the hackers would leave their mark - akin to flashing a virtual brown-eye - [and] .. cause chaos to the powers that be. Underground takes us inside these gods of a new technology.. It’s an action story.’
- Sarah Macdonald, Triple J Radio
submerge themselves for long periods in an otherwise inaccessible world. New technology allowed her to both venture into this unexplored realm, and to document it in canvas.
I came upon the brave new world of computer communications and its darker side, the underground, quite by accident. It struck me somewhere in the journey that followed that my trepidations and conflicting desires to explore this alien world were perhaps not unlike my aunt’s own desires some half a century before. Like her journey, my own travels have only been made possible by new technologies. And like her, I have tried to capture a small corner of this world.
This is a book about the computer underground. It is not a book about law enforcement agencies, and it is not written from the point of view of the police officer. From a literary perspective, I have told this story through the eyes of numerous computer hackers. In doing so, I hope to provide the reader with a window into a mysterious, shrouded and usually inaccessible realm.
Who are hackers? Why do they hack? There are no simple answers to these questions. Each hacker is different. To that end, I have attempted to present a collection of individual but interconnected stories, bound by their links to the international computer underground. These are true stories, tales of the world’s best and the brightest hackers and phreakers. There are some members of the underground whose stories I have not covered, a few of whom would also rank as world-class. In the end, I chose to paint detailed portraits of a few hackers rather than attempt to compile a comprehensive but shallow catalogue.
While each hacker has a distinct story, there are common themes which appear throughout many of the stories. Rebellion against all symbols of authority. Dysfunctional families. Bright children suffocated by ill-equipped teachers. Mental illness or instability. Obsession and addiction.
I have endeavoured to track what happened to each character in this work over time: the individual’s hacking adventures, the police raid and the ensuing court case. Some of those court cases have taken years to reach completion.
Hackers use `handles’--on-line nicknames--that serve two purposes. They shield the hacker’s identity and, importantly, they often make a statement about how the hacker perceives himself in the underground. Hawk, Crawler, Toucan Jones, Comhack, Dataking, Spy, Ripmax, Fractal Insanity, Blade. These are all real handles used in Australia.
In the computer underground, a hacker’s handle is his name. For this reason, and because most hackers in this work have now put together new lives for themselves, I have chosen to use only their handles. Where a hacker has had more than one handle, I have used the one he prefers.
Each chapter in this book is headed with a quote from a Midnight Oil song which expresses an important aspect of the chapter. The Oilz are uniquely Australian. Their loud voice of protest against the establishment--particularly the military-industrial establishment--echoes a key theme in the underground, where music in general plays a vital role.
The idea for using these Oilz extracts came while researching Chapter 1, which reveals the tale of the WANK worm crisis in NASA. Next to the RTM worm, WANK is the most famous worm in the history of computer
networks. And it is the first major worm bearing a political message. With WANK, life imitated art, since the term computer `worm’ came from John Brunner’s sci-fi novel, The Shockwave Rider, about a politically motivated worm.
The WANK worm is also believed to be the first worm written by an Australian, or Australians.
This chapter shows the perspective of the computer system administrators--the people on the other side from the hackers. Lastly, it illustrates the sophistication which one or more Australian members of the worldwide computer underground brought to their computer crimes.
The following chapters set the scene for the dramas which unfold and show the transition of the underground from its early days, its loss of innocence, its closing ranks in ever smaller circles until it reached the inevitable outcome: the lone hacker. In the beginning, the computer underground was a place, like the corner pub, open and friendly. Now, it has become an ephemeral expanse, where hackers occasionally bump into one another but where the original sense of open community has been lost.
The computer underground has changed over time, largely in response to the introduction of new computer crime laws across the globe and to numerous police crackdowns. This work attempts to document not only an important piece of Australian history, but also to show fundamental shifts in the underground --to show, in essence, how the underground has moved further underground.
Suelette DreyfusMarch 1997
As the digital generations have advanced with hightech gadgets and become avid users of smartphones and applications, they are also vulnerable to increasing Smartphone security threats and vulnerabilities. This paper wants to discuss recent Smartphone technology advancements in the Smartphone threat environment and Smartphone security practices based on current technology news and incidents. From my colleagues, I could find that everyone frequently uses their smartphone for various productivity and entertainment purposes. They are generally aware of and care about Smartphone security, not only on the physical loss of the smartWWphone but also on data/ files theft, web threat, and Smartphone Malware. They also practice safety to some extend - most change PINs and passwords frequently, download their application mostly from official application stores, and keep their OS and application up-to-date. I have done a telephonic survey and found significant correlations between Smartphone security practices and personal attributes, including major, gender, and technology aptitude. 80% of my friends do not have proper knowledge of how to secure their smartphones. So through this paper, I would like to give some awareness to my friends.
There’s no doubt about it; smartphones s have become man’s new best friend. Because there are currently more than 4 billion smartphones in use worldwide among 7 billion people, not to mention millions of tablets and smart devices. We use our widgets to stay in touch, take pictures, shopping, banking, listen to music, and socialize. We store our personal and professional information on them, and because we use them for almost everything, they have high financial and emotional value. Losing our smartphone or tablet or the piece of information on it can be like losing ourselves. If you lose your smartphone, you not only have to replace it, but you could also lose the sensitive information you had stored on it, including account numbers and confidential work information, Contact information, etc. So, why do many of us leave our smartphones unprotected and not using smartphone security? Most of us now understand that we have to protect
A paper by Prasan Singhsmartphones from the myriad of threats we see each day. But many of us didn’t realize that we face similar threats and a host of new ones with our smartphones. 35%of people believe that they do not need to protect their smartphones due to a lack of awareness.
For one thing, smartphone s’ growing popularity has led cybercriminals to see them as a new avenue for attack. Smartphone Malware targeted at Smart devices has increased by nearly 68% over the past several months. Even though gadgets like our smartphones and tablets are mini-computers, they will be more vulnerable to cyberattacks than those sitting on our desks. So, as a Smartphone user, keep in mind that you need to learn how to protect yourself from various threats.
In Chapters 1 and 2, we have discussed the importance of smartphones and their security. Here we are going to explore various Smartphone Threats. Several smartphone threads exist in the current tech world, even though we will discuss the most widespread attacks and the latest threads among them.
Malware means malicious software with harmful Codes/ scripts. One of the widespread cyber threats, malware, is software that cybercriminals or hackers have created to disrupt, damage, and destroy a legitimate user’s Smartphone or PC. Often spread through an unsolicited electronic mail attachment or legitimate-looking download or inside cracked/Pirated application. Cybercriminals may use malware for financial gain or in politically motivated cyberattacks.
There are several different types of malware, including:
3.1.1 Virus: A self-replicating program attaches itself to a clean file and spreads throughout a computer system/ Smartphone, infecting files with malicious code/scripts.
3.1.2 Trojans: These are the type of malware that is disguised as a legitimate application. Cybercriminals make the users upload Trojans onto their smartphones, where they cause damage or collect personal data/files.
3.1.3 Spyware: A program that secretly records user activity so that cybercriminals can make use of this data/ files. For example, spyware can capture credit card details, Passwords, and Login credentials.
3.1.4 Ransomware: Malware locks down a user’s files and data/files, with the threat of erasing it unless a ransom is paid.
3.1.5 Adware: It is an Advertising software that can be used to spread Malware through Advertisement.
3.1.6 Botnets: Networks of malware-infected computers/ smartphones that cybercriminals use to perform tasks online without the user’s permission. Cybercriminals convert IoT devices are to botnets by uploading malicious scripts into the machines.
In December 2019, the U.S. Department of Justice (DoJ) charged the leader of an organized cyber-criminal group for their part in a global Dridex malware attack. This malicious campaign affected the public, government, infrastructure, and businesses worldwide.
Dridex is a financial trojan with a range of capabilities. Affecting victims since 2014, it infects computers/smartphones through phishing electronic mails or Existing Malware. Capable to rob passwords, banking details, and personal data/files used in fraudulent transactions has caused massive financial losses amounting to hundreds of millions.
In response to the Dridex attacks, the U.K.’s National Cyber Security Centre advises the public to “ensure devices are patched, antivirus is turned on and up to date, and files are backed up.”
In February 2020, the FBI warned U.S. citizens to be aware of the
confidence fraud that cybercriminals commit using dating sites, chat rooms, and applications. Perpetrators take advantage of people seeking new partners, duping victims into giving away personal data/files.
The FBI reports that romance threats affected 114 victims in New Mexico in 2019, with financial losses amounting to $1.6 million.
At the end of 2019, The Australian Cyber Security Centre Notified
national organizations about a widespread global cyber threat from Emotet malware. It is a sophisticated Trojan that can rob data/files and also load other malware. Emotet thrives on unsophisticated passwords: a reminder of the
importance of creating a secure password to guard against cyber threats.
A man-in-the-middle attack is a cyber threat where a cybercriminal intercepts communication between two individuals to rob data/files. For example, an attacker could Intercept data/files on an insecure Wi-Fi network from the victim’s device and the host devices such as smartphones in the network.
Phishing is when cybercriminals target victims through electronic mails that seem to be from a reputed organization/ Source asking for a piece of sensitive information. These attacks were often used to dupe people to give credit card information and other personal information such as login credentials and physical addresses.
Like phishing scams, SMiShing is a cyber-attack where cybercriminals attempt to trick people into downloading malware, clicking on malicious links, or reveal a sensitive piece of information. A SMiShing attack is launched via text messages instead of electronic mail.
Vishing (Voice or VoIP phishing) is a fraudulent electronic activity in which individuals receive smartphone calls and voice electronic mails and are tricked into revealing critical financial or personal information to unauthorized parties. Vishing works similar to phishing but does not always occur over the Internet and is performed using voice technology like smartphone calls. A vishing attack can be achieved by electronic voice mail, VoIP (Voice Over IP), or landline or cellular mobile phone.
The victim will receive a message, often generated by speech synthesis, indicating that suspicious activity has happened in a credit card account, bank account, mortgage account, or other financial services in their name. They will force the victim to call a specific mobile phone number and provide information to “verify identity” or “ensure that fraud does not occur.” If the attack is carried out through mobile phone, caller ID spoofing can cause the victim to believe that from a legitimate source, such as a bank or a government agency. In most cases, the attacker will obtain the credit card/Debit card piece of information from the victim and rob money.
SIM swapping/Hijacking is essentially the process of hackers activating yournumber onto a SIM card of their possession. The process helps them take over your smartphone number, so next time someone tries to access your online banking account, the cybercriminals are the ones receiving the verification passcode instead of you. This is usually effective when someone wants to reset your password or already knows your password and wants to go through the 2 step verification process. This is called SIM hijacking but is also known as SIM swapping and SIM hacking.
Cryptojacking will be a completely new addition to the list of relevant Smartphone threats. Cryptojacking is an attack where the attacker uses the victim’s resources to mine for cryptocurrency without knowing the owners. If all that sounds like a lot of technical mumbo- jumbos, know this: The crypto mining process uses your company’s or personal devices for someone else’s gain. It depends heavily on your technology to do it — which means affected smartphones will experience low battery life and could even suffer from damage due to overheating components since the resources are too busy in the background in the cryptocurrency mining process.
It is a hybrid software/service which allows you to monitor smartphone usage in real- time. This application will log the activities of your Android OS smartphone or tablet. Notify your child or employee they will be monitored. Install a small application directly onto the device that they use. The application has an optional icon that can further notify them that they are being monitored. Sometimes, the application will remain hidden from the user.
After the software is set up on the victim’s smartphone, it will log an array of smartphone activities and then insert the piece of information into your account using the Internet. When you want to view results, it will allow you to log in from any browser and enter your login credentials. With the LIVE Control Panel/Dashboard, you can view the smartphone’s screen and location LIVE, smartphone camera, etc. The attacker must have physical device access to install and configure this spy application.
Examples: Smartphone -Spy.com, spyic.com.
Smartphone applications are often the cause of unintentional data/file leakage. For example, the “riskware” application poses a real problem for Smartphone users who grant them broad permissions but do not always check security. These are typically free applications found in official app stores that perform as advertised and send personal and potentially corporate data to a remote server. Advertisers mine it, and sometimes, by cybercriminals.
Finally, something that seems especially silly remains a disturbingly realistic threat: A lost or unattended device can be a significant security risk, especially if it doesn’t have a strong PIN or password and full data/files encryption. One more point to this section is a secured device with notifications enabled in the lock screen window. If we allow information on the lock screen, an attacker with physical access to the device can see the OTPs and security code/ scripts received on the smartphone. If the smartphone doesn’t secure with a proper password or PIN, a person with little technical knowledge can rob your passwords saved in browsers. (Saving passwords in the browser is not a good practice.)
In chapter 3, we have discussed various smartphone threats, and Here we are going to discuss how the attack works and the impact of these threats. In the previous chapter, we discussed multiple threats. But they are not the only threats/ attack vectors in the present advanced tech world. This chapter mainly concentrates on how the attack works, and thereby we will get a clear picture of how to keep us safe online.
There are several ways or chances there to infect our device with malware. Here we are going to discuss the most popular ways to get affected by malware.
The most common method hackers used to spread malware is through applications and downloads. The application you get at an official application store is usually safe, but applications that are “pirated” or come from less trusted sources contain malware. Applying that application, to be honest, but instead, has spyware and other types of malware.
Occasionally an application with malware will make it through to an official application store. One recent example is InstaAgent, an application that stole Instagram user credentials and sent them to a third-party server without the user’s knowledge. These applications are usually discovered and taken care of quickly, but they illustrate what can happen.
Sometimes developers will use compromised pirated development tools. Everything developed using these tools will contain malicious code/script, which may rob sensitive data/files or damage the Smartphone device.
Often the Smart device itself may have vulnerabilities that hackers can exploit. Usually, these vulnerabilities are discovered reasonably quickly and patched up, but if you’re not regularly updating the software on your smartphone, your device will be vulnerable.
It’s critical to keep your Smart device up to date, just like any other computer/smartphone, or hackers can exploit those discovered vulnerabilities. There is a high chance of jailbroken devices being affected by malware.
More employees are using their smartphones to look at and answer corporate electronic mail, which is a way hackers can install malware on your smartphone.
Here’s an example: you receive an electronic mail that says you’ve won something (a tablet, a vacation, etc.). You open the electronic mail and click on the link, and nothing
happens, or you’ll be redirected to a dummy site. But malware was automatically downloaded and installed on your smartphone. The data on your smartphone may now be exposed to that hacker.
If you’re accessing insecure web pages, you risk exposing sensitive data/files transmitted from your device. You’re also more impressionable to
Man-in-the-middle attacks and being exposed to malware. Avoid using insecure web pages and Wi-Fi networks, and consider using antivirus protection and a VPN on your smartphone to secure Wi-Fi communication. A Smartphone device can also be infected through a Bluetooth or Wi-Fi connection. The browser itself on your smartphone could also be a source of vulnerabilities. This can lead to browserrelated attacks. Attacks like these are more common on android equipment. Make sure you have the most updated version of whatever browser you use.
In this method, you may get a text message or an electronic voice mail from what applications to be a legitimate source demanding personal information about you or your device.
Hackers often use this piece of information to rob whatever data/files they can, including SSN, credit card data/files, etc. They can use it to make a targeted attack to install malware on your smartphone.
Whenever you get a text message like this, call the company on their legitimate smartphone and verify them. Never give out sensitive information through a reader. Sometimes even replying to a text message can be dangerous, so you should immediately delete any suspicious text messages and attempt to contact the company directly.
Types of Malware can include computer/smartphone viruses, worms, Trojan horses, and spyware. These malicious programs can perform various functions such as robing, encrypting, deleting sensitive data/files, altering and
Hijacking core computing functions and monitoring the user’s computer/smartphone activity. Malware on smartphones can provide access to a device’s components such as the camera, micro Smartphone, GPS, or accelerometer.
MitM encompasses a broad range of methods and potential outcomes, depending on the target and the goal. For example, in SSL stripping, attackers initiate an HTTPS connection between themselves and the server. With an unsecured HTTP connection with the user, information is sent in plain text format without encryption. Evil Twin attacks mirror legitimate Wi-Fi access points but are entirely operated by
malicious actors, who can now monitor, collect, or manipulate all information the user sends. These types of attacks can be espionage or financial gain, or disruptive damage caused can range from minimum to high, depending on the attacker’s goals, knowledge, and ability to cause mischief.
In a banking scenario, an attacker could capture that a user is making a transaction and change the destination bank account number or amount being sent. Threat actors could use man- in-the-middle attacks to collect personal information or login credentials. If attackers detect that applications are being downloaded or updated, compromised updates that install malware can be sent instead of legitimate ones. The EvilGrade exploit kit was explicitly designed to target less secured updates. Given that they often fail to encrypt traffic, smartphones are particularly impressionable to this scenario.
We know that phishing creates fake web pages and makes the victim click and use the fake/ cloned website. Here the attacker will send the malicious link to the victim through any mode of communication.
This attack’s impact is losing login credentials and financial loss by supplying a credit card or debit card information.
Here the victim will receive SMS and Calls from the attacker or Malicious person and reveal the information through the call or links sent inside the SMS. Most probably, the SMS will look like the offers and winning of some prices. If we click the link, the attacker will get the information we supplied inside the link’s web page.
Vishing is the most dangerous of the two. Here the person will pretend as from a legitimate or official institution. Most of the calls will target financial theft or Identity theft. So they will use our piece of information to buy cryptocurrencies and use our identity to get loans from the Bank.
The impact of this attack will be the loss of money, reputation and end up with substantial financial responsibilities with banks.
The scammers call your Smartphone carrier, impersonating you and claiming to have lost or damaged their (your) SIM card. They then ask the customer service person to activate a new SIM card in the fraudster’s possession.
This ports your mobile phone number to the fraudster’s device with a different SIM. Or, they may claim that they need assistance to switch to a new smartphone. How are fraudsters answer your security questions? That’s where the data/files they’ve collected on you through phishing electronic mails, malware, the dark web, or social media research becomes useful.
The second method is related to E-SIM Cards. In this method, the fraudsters will call the victim and send an SMS to the service provider or operator. S sending the SMS request operator will send the QR Code/script, and the fraudster will make the victim send the QR code/script to the attacker, and then the attacker will use this QR code/script to register the SIM card.
The breach’s impact will be that once they gain access to and control over your cellphone number, fraudsters can then access your smartphone communications with banks and other organizations, particularly your text messages. They can then receive any OTP or password resets sent to that smartphone via call or text for any of your accounts. And that’s it: They’re in.
How do they get your money? They might set up a secondary bank account in your name at your Bank where, because you’re already registered with the Bank, there may be less robust security checks. The transaction between those accounts in your name might not sound any alarms.
Attackers have two primary ways to get a victim’s computer/ smartphone to secretly mine cryptocurrencies. One is to make the victims into loading crypto mining code/script onto their computer/smartphones. This is done through phishing like methods: Victims receive a
Legitimate-looking electronic mail that encourages them to click on a link. The link runs a code/script that places the crypto mining script on the computer/smartphone. The script then runs in the background along with the victim’s works.
The second method is to inject a script on a website or an ad distributed to multiple web pages. Once victims visit the website, the infected ad pops up in their browsers, the script automatically executes. No code/script is stored in the victim’s computer/smartphone. Whichever method is used, the code/script runs complex mathematical problems on the victim’s computer/smartphone and sends the results to a remote server that the hacker controls.
Unlike other Malware types, cryptojacking scripts didn’t damage the computer/smartphones or victims’ data/files. They do rob CPU processing resources. For individual users, slower computer/smartphone performance might be just an annoyance. Organizations with many cryptojacked systems can incur actual costs in terms of help desk and IT time spent tracking the performance issues and replacing components or systems in the hope of solving the problem. These are the impact of cryptojacking.
Remote Spy applications and Physical Device Breach are related because small spy applications can be successfully installed inside your smartphone by having physical access
to the device. It should be appropriately configured by supplying the attacker’s credentials. Also, the smartphone’s security systems should be disabled to work the application properly. Suppose good passwords or PINs do not protect the smartphone. In that case, the attacker can rob the smartphone’s piece of information, install a malicious application, and perform more
Activities on the victim’s smartphone. If the smartphone is protected by a password and lock screen notification is not disabled, the attacker can see the OTP and other personal messages on the lock screen and access the online accounts using the OTP.
This attack will be the loss of personal information, privacy, money, etc. Since the spy application allows the malicious person to remotely control your smartphone, the attacker can turn on your cameras, listen to your smartphone calls, access your contacts and location, and access personal access messages. This application is like a person who has a secret key to your private bedroom. Physical access to the device can cause the same harm as explained above. It can be used to bypass the Two-factor authentication and, etc.
In previous chapters, we discussed various smartphone threats, how they are performed, and their impacts. In this chapter, we are going to discuss the countermeasures for the previously discussed threats. In this chapter, the countermeasures will be pointed out commonly to get a generalized idea of securing our smartphones.
Countermeasures to Smartphone Threats are as follows:
1. Use antivirus software: Make sure your computer/smartphone is protected by powerful, multi-layered security software. Keep your software up to date for the best level of protection to avoid cyber attacks.
2. Update your software and OS: This means you benefit from the latest security patches.
3. Use strong passwords(Alpha Numeric with Special Characters): Ensure your passwords are not easily guessable.
4. Do not open electronic mail attachments from unknown senders: These could be infected with malware.
5. Do not click on links in electronic mails from unknown senders or unfamiliar webpages: This is common to spread malware.
6. Avoid using unsecured Wi-Fi networks in public places: Unsecure networks leave you vulnerable to man-in-the-middle attacks.
7. Do not send financial information through electronic mail: Your bank or credit card provider will never ask you to provide bank account numbers, your SSN, or passwords through electronic
8. Do not click on pop-up ads: Hackers can add fraudulent messages that pop up when you visit even legitimate web pages. The pop-up will often warn you that your computer/ smartphone is infected and instructs you to call a smartphone or install antivirus protection. Avoid this temptation. Scammers use these ads to install malware on your computer/smartphone or scam you out of a payment for a computer/smartphone clean-up you do not need.
9. Use spam filters: Spam filters can help block electronic mails from illegitimate sources, but you should always use your best judgment if phishing electronic mails get past your blocker.
10. Use Multi-Factor Authentication for All accounts: Multifactor authentication is like a double door to your home, or we can consider it as an Alarm against the cyberthreat factors.
11. Consider a firewall: The majority of smartphones do not include any firewall protection. Firewalls not only protect your online privacy when browsing but can be used only to allow an authorized application to access the Internet through a set of firewall rules.
12. Use screen lock protection: Many Smartphones are compromised when they are lost or stolen. Ensure at most minuscule a passcode is used to lock the screen. Even better, use facial recognition and fingerprint recognition technology.
13. Only download applications from official stores: All vets available on the Application Store and Google Play have been vetted to ensure they are safe. That doesn’t mean that no application will slip through the net, but you have a much better chance of installing a legitimate application through official sources.
14. Do not jailbreak your Smartphone: Jailbreaking, your Smartphone, removes many of its built-in security features. While this may let you do more with your smartphone, it also leaves it more exposed to attacks.
15. Use a VPN: A virtual private network (VPN) is a secure “tunnel” that lets you access and share your information securely over public Wi-Fi networks.
16. Encrypt your data/files: If you have sensitive data/files on your Smart device, make sure it’s encrypted. It will always remain secure, even if malware robs it.
17. Do Smartphone vulnerability scanning: You can’t prevent what you do not know about. Use a vulnerability scanner like SecurityMetrics Smartphone for your Smart device.
18. Train employees: Your employees should be aware of malware and taking suitable measures to avoid it. Include Smart device security in your training.
19. Have Smart device policies in place: Whether your company owns the devices or your device, you need to have a security policy set up that addresses the use of smartphones.
20. Check Bank Statements and Smartphone Charges: The vast majority of identity theft cases and cybercrimes involve financial fraud. That’s why you need to frequently check your Smartphone charges, bank statements, and any other financial accounts you have.
21. Beware of Unfamiliar Application: Before downloading a new game to kill time, do a little research on the application’s developer. Carelessly downloading applications invites spyware, ransomware, and data/file leakage.
22. Turn Off Unnecessary/Less used Features: Turn off any features you do not need at that moment. For example, if you are not using GPS, Bluetooth, or Wi-Fi, turn them off. This is especially important in public places, such as in areas with free Wi-Fi. If you do decide to enjoy free Wi-Fi, avoid accessing sensitive information through that network.
For example, do not do your banking or pay bills on a public, unsecured network.
23. Always read the end-user agreement: Before installing an application, read the fine print. Grayware purveyors rely on your not reading their terms of service and allowing their malicious software onto your device.
24. Online behavior: Beware of phishing electronic mails and other ways attackers may try to access your data/files to help them convince your Bank or cell smartphone carrier that they are you.
25. Account security: Boost your smartphone’s account security with a unique, strong password and strong questions-andanswers (Q&A) that only you know.
26. PIN code: If your service provider allows you to set a separate passcode or PIN for your communications to customer care, consider doing it. It could provide multiple layers of protection.
27. IDs: Do not build your security and identity authentication solely around your smartphone number. This includes text messages (SMS), which are not encrypted.
28. Authentication applications: You can use an authentication application such as Google Authenticator, which gives you multifactor authentication but ties to your physical device rather than your smartphone number.
29. Bank and Smartphone carrier alerts: See if your banks and Smartphone carrier can combine efforts, sharing their knowledge of SIM hijacking activity, and implementing user alerts along with additional security checks when SIM cards are reissued, for instance.
30. Use Basic Phone: Use a primary phone without an internet connection to use SIM cards linked with banks and used for multifactor authentication
31. Behavioral analysis Method: Banks can use technology
that analyzes and study customer behavior to help them discover compromised accounts, warning them not to send passwords via SMS.
32. Enable Call-back Facility: Some organizations call customers back to make sure they are who they say they are and to catch identity thieves.
33. Install an ad-blocking or anti-crypto mining extension on browsers: Since cryptojacking scripts are often installed through web ads, installing an ad blocker service can be an effective means of prevention. Some adblockers like AdBlocker Plus have some capability to detect cryptomining scripts.
34. Use endpoint protection capable of detecting known crypto miners: Many endpoint protection/antivirus software vendors have added crypto miner detection to their products.
35. Maintain browser extensions: Some attackers use malicious browser extensions or poisoning legitimate extensions to execute crypto mining scripts.
36. Disable International Transactions: Disable international transactions in your debit/credit cards. Enable it only during the time of transaction.
37. Avoid Updating Your details on Social Media: Most of us upload our personal information on Social Media. We do not have use if we update our data/files on Social Media. But it will be useful for an attacker who needs your personal information to verify your identity with Smartphone Operators. One of the stock market platforms asks for the Year of birth as a security question if we attempt to unlock an account three times with the wrong password. So publishing your date of birth on social media platforms is not secure.
Smartphones overall are an unavoidable invention. They allow users to access the Internet and documents easily. Application on the Smartphone will enable the user to do many things in the palm of their hands. We can carry our music, pictures, and files in a pocket. Along with communicating through necessary smartphone calls, voice mail, and text messages, users can send electronic mails directly from their smartphones.
Social networking is made more accessible with applications and web pages always available. Smartphones act as a camera, notepad, calendar, alarm clock, and computer/smartphone. The majority of concerns for smartphones have solutions making them more of a help than a hazard. While smartphones have some security and social issues overall, they are devices of great utility that many people find necessary in their daily and professional lives. We are not 100% secure in the digital world. If we use the smartphone by following the security practices, we can secure ourselves from cyber threats related to smartphones.
TIme
HACKER HIGHSCHOOL
The Institutefor Securityand Open Methodologies
In 2003 the Institute for Security and Open Methodologies (ISECOM.org) published a list of operational security controls in their cheerfully named The Open Source Security Testing Methodology Manual (OSSTMM). Consider that for a moment as the U.S. National Institute for Standards and Technology (NIST) is just now getting around to finishing up their draft publication of security controls in 2021. ISECOM was doing it almost two decades earlier. Security controls are techniques or tools that are used to make something more secure.
Let’s chew on that idea for a moment: making something secure. What is security? It is nothing more than separating an asset from a threat. Ask any security vendor and you’ll get a dozen different answers to that same question (if they even know and have an answer).
Security controls can be Administrative like keeping records of your assets or they can be Operational like having a huge pissed off dog guarding your assets. Besides that, there are lots
of other categories that muddy the water so we’ll keep things simple. Here are the OSSTMM Operational Security Controls (drum roll please)
Controls 101:
Authentication- Prove who you are (trust metric)
Indemnification- Legal warning (do this and this is what we will do in return)
Subjugation- Separation of duties (accountability)
Continuity- Redundancy (ability to keep asset working)
Resilience- Fail-safe security (security can withstand over time)
Non-Repudiation- Assurance that an action did or did not occur
Confidentiality- Undisclosed interaction between parties
Privacy- Maintain undisclosed interaction between parties
Integrity- A change control process (can or cannot be altered)
Instead of going over what each one is (defined), let’s go over their practical use. And, let’s do it in the most difficult way with the most outrageous item that we can (maybe) secure; a pair of soup cans connected with string. They don’t have to be soup cans. You could use veggie cans, stew cans, tuna fish cans, whatever, you get the idea. Clean out each can and punch a small hole in the bottom of the can (the end you didn’t open). Run string through the hole and add a couple meters for the other can, tie each end off inside the can. You should have two cans connected with string. This is a two-person communication device otherwise you’d be talking to yourself, and your mum would
get worried about your mental health.
Get your partner to come over and berate you for building such a stupid thing and then outwit them by asking them if they can make this device a secure form of communication. Two soup cans with string secure!! That’s crazy!!
It is possible if we use the Operational Security Controls from the OSSTMM. But wait, act now and we’ll send you even more bizarre teaching ideas. At this point it’s a mental exercise in using these controls by understanding what they are and how they work in a typical environment. Let’s take a look at how these things work.
Authentication
How can we add Authentication to Soupcan Comms as a security control? Authentication is just a way of saying “is that person (or service or technology) allowed to use that thing.” It ensures the right person (or service or technology) is doing what it is supposed to be doing and nothing else. We look at Authentication as 1. Something you have (FOB, token, lock key), 2. Something you are (biometrics, username), 3. Something you know (password, pin, birthdate, credentials). This is overly simplified, but you get the idea. Let’s authenticate each Soupcan Comms user by visually looking to see who is on either end of the string. Maybe add a super secret passcode, decoder ring, handshake, whatever so that only the authorized person has that authentication ability.
This big word just means there is some type of agreement or warning between each party that says what is allowed, what is not allowed and what will happen if either party doesn’t play by the rules. Your work computer network will usually have a warning that says something about using their network is for official business or if you do something bad on that network you will be burned at the stake and fed to chickens when they catch you. This is a legal thing. We can add this security control by putting a sticker on each can with some warning or voodoo curse. I’ll attach a list of recommended witch doctors in the comments below. You could also just tell the person on the other end what the rules are as long as they know ahead of time what is allowed and what will get them in trouble.
More rules. Yup, subjugation isn’t always a bad thing especially when you are trying to secure something. As an operational security control, it is used to define how things work, how they are expected to work, and how they are expected to be used. An example of this is when you try and enter a secure building there is a big guard standing at the front entrance. That guard asks for your
identification, and they enter that information into their database of visitors or whatever you are. They won’t allow you to enter your own identification; the guard (3rd party) has to do it. You will often see that called “separation of duties” and tell you it’s about making sure people take vacations and stupid stuff but it’s really about making sure one person doesn’t hold all the keys. For Soupcan Comms, hire a 3rd person to verify who is allowed to use those comms, kinda simple but it works.
Stuff breaks and it typically breaks when you need it the most, like your car engine when you are late for your own wedding. Continuity puts redundancy into any system by having backup systems. A helicopter uses hydraulics to move the rotor blades, tilt the swashplate, and cool stuff like that. If you are flying and you lose hydraulics, you are in bad shape, except helicopter builders add additional systems to start if one system breaks. Otherwise, there wouldn’t be many helicopter pilots left. Secure systems need additional systems in case something goes wrong (corruption or failure) too. We can add continuity to our Soupcan Comms by adding an additional string to the line. Yeah, you’ll have two strings when you really only need one but this is a mental exercise so go along with it. You could also build two Soupcan Comms in case one
breaks which gives you redundant redundancy.
We already know that stuff breaks and we need to have backup systems but we can also build things that are quality and won’t break in most situations. In security, we look at protecting assets over time, not just once. Attackers rarely stop if they don’t get in the first time. We need a secure system that will hold up against attacks over time. In the case of Soupcan Comms, we can use good sturdy cans and reliable string or add a coating to the cans so they last longer. Instead of using cheap kite string we can use super expensive Kevlar Ninja Doublewalled Fiber to connect the two cans. These add resilience to our system and ensure they last longer.
Another legal term, yuck. Can you prove that something did or didn’t happen? You come home one day and your keyboard is on the floor, broken in several pieces. Can you determine if your brother broke your keyboard, or maybe it was mum, or even the cat? It could have been you, who knows. Non-repudiation is a concept of being able to prove that something did or didn’t happen. Can you prove you didn’t send that threatening email to your yoga instructor? It isn’t always that easy to prove or disprove something when it comes to the digital realm. With Soupcan Comms you can just add a sign-in sheet for each user so you know who used them and when. Or keep the cans locked up in a safe that has different combinations for each user and the safe keeps track of who unlocked the safe and used the cans. That’s like NSA level security but it’s fun to think about.
Shhh, gotta be quiet. Does the rest of the world need to know that you have hemorrhoids? No, that is why you talk to your doctor behind closed doors. Your butt troubles are your own business; it’s confidential. This is a privacy term that limits who or what can do or know something. If you search for internet solutions to putting mayonnaise on your butt, now your internet search engine knows you have ‘roids and you can expect advertisements for butt cream. We can add confidentiality to our Soupcan Comms by having the conversations in sealed off rooms or in a place that is far from other ears.
Here we have a broader scope of making sure people, process, or technology aren’t used by things that shouldn’t have access to them. Control who or what has access to your assets. Keep your privates private. Soupcan Comms can accomplish this by controlling who uses the cans, when they use them, and how they use them. If you change anything with the cans you will want to update the users so they don’t freak out if the cans have super Kevlar Ninja stuff added when they expected cheap kite string.
You would keep these cans locked up in a safe spot so that only the right users can access them. There are tons of different privacy controls you can think up and add.
When you eat a sandwich or a big burrito you expect that meal to stay in one piece as best as possible otherwise you’ll have tomato and mustard dripping down your shirt. This meal needs to maintain integrity (whole) until the last bite. If you send an email or file over the internet, you expect the whole thing to arrive in one piece without missing key elements like the “I look forward to seeing you” part in your signature block. It would be bad if your corrupted email signature said, “I look for you,” instead. We need and expect digital integrity so when or if processes or assets have been changed, we are aware. In the case of Soupcans, you can add a change log to your sign-in sheet so users know the cans haven’t or have been changed and what those changes are. If a user goes to set up the cans and they notice a change that you didn’t make, the alarms should go off.
Like what I did there? The final operational security control for our Soupcan Comms is alarm which is a notification that something has or is happening. We think of alarms as bells and whistles that alert people to a break-in but they are more than that. Alarms can be simple notifications such as log files, alerts that another user is using your login, or even a message telling you to update your butt paste prescription. With our Soupcan Coms, it can be a bell attached to the string that rings if the string is cut or not taught (not tight).
Adding each of these security controls does impact your attack surface and increases the complexity of your device so that is a downside. Anything added to a system increases the area that can be attacked and adds more things that can (and will) go wrong. In a secure environment, we take these risks in order to ensure our assets are protected. Look at it this way: if we can make two soup cans a form of secure communication, why can’t other technologies do the same thing? It’s not terribly complicated. We get entire classrooms full of high school students making soup cans secure so why can’t entire industries of professionals do the same thing (no, it’s not a scalability issue either)? I guess that is why us security professionals get paid the big bucks.
Credit to [khast3x](https://khast3x.club) for the inspiration on this writeup, and the team at [IBRACORP](https://ibracorp.io) for their breakdown of Traefik.
They keep their contents nice and organised, contents in one container are kept away from others, and if something goes wrong you can discard and replace a container pretty easily. I might be describing different elements of a packed lunch, but the similarities between the elements of a balanced and nutritious workday diet and containerised infrastructure are striking. Much like the weekly meal planning and bulk prep, containerisation empowers us to create consistent, predictable and scalable tools - albeit non-edible ones - to get our work done. For a pentester, this means being able to quickly spin up and tear down infrastructure in less time than it takes to scoff down a Vegemite sandwich.
The minimum viable product I was looking for needed to accomplish a few things, namely:
- Handle routing calls to whatever delivery and handler URIs I specified on the C2 domain (meaning I’d need a reverse proxy);
- Wildcard SSL on the C2 domain so all CNAMEs get a cert applied;
- Automatically generated routes on the reverse proxy to streamline adding new services;
- Authentication for services that don’t have their own logins and/or RBAC features; and
- Integrate a WAF as part of the stack, should I want to flip the script and spin this up as a cyber range for others to pentest.
I’m not going over authentication and WAF in this article as they require additional configuration that doesn’t fit in a single manifest. Keep your eyes peeled for Part 2 where I dive into this!
I decided on using Traefik for the reverse proxy after reading up on its configuration - huge thanks to the members at [IBRACORP](https://ibracorp.io) for their explainer on how to configure Traefik. Traefik can also be integrated with login providers like Authentik and Authelia, as well as the Crowdsec WAF.
Once I had the scaffolding ready, I spun up a fresh Ubuntu Focal VM on GCP, logged in to the shell and installed Docker and Docker Compose (there’s documentation for other distros as well). After picking my C2 domain, I added it to Cloudflare and added a root A record and wildcard CNAME that points to my Docker host. Traefik handles the routing from there, and any undefined routes get dropped.
There’s a gotcha here - don’t proxy the DNS records via Cloudflare as yet, otherwise you’ll run into problems as the traffic is routed through the proxy service.
As the infrastructure is built entirely behind Traefik, Authelia and Crowdsec, these should all be in place before dropping in containers for your favourite C2 tooling. Thankfully, everything can be laid out in a collection of Docker Compose manifests. Each manifest has its own specific configuration requirements, so I’ve documented what they need in my [boilerplates] (https://github.com/mksystemsit/boilerplates) repo on GitHub. Fork the repo, pull the repo down to your Docker host and edit the manifests to suit your environment. I’ve also included a combined manifest file in the c2stack directory. In my production infra I use named volumes for storing configuration files, but for the sake of simplicity, I used bind mounts for the configs here.
Traefik needs four files to run succesfully:
1. A static config mapped to /etc/traefik/traefik.yml
2. A dynamic config mapped to /etc/traefik/fileConfig.yml
3. A JSON file to store SSL certs mapped to /etc/traefik/ acme.json
4. A Traefik log file mapped to /var/log/traefik/traefik.log
These config files are in the repo; copy them to your directory of choice (I chose /opt/c2/data/traefik/) and run `dockercompose up` in the same directory as your manifest. Once the containers start, you’ll get a new wildcard cert issued via Cloudflare and Traefik will start auto-adding routes based on the names and rules specified for the other containers.
The containers for Covenant C2 and MSF are selfexplanatory, providing both C2 services that you can use as if they were set up on a dedicated host. The difference here is that, especially in the case of MSF, it’s easy to add in pre-made resource files that set up delivery and handler payloads. There’s an example resource file in the repo (shout out to [khast3x](https://khast3x.club) for the inspiration!)
The MSF contianer needs, at a minimum, a sleep.sh script mapped so it can be called as the first command. This is because Docker doesn’t particularly like idle services - if the container has no entrypoint, the container exits immediately. To work around this, the sleep script will keep MSF alive for a single day; it also functions like a dead-man switch in that if the container does nothing else it will terminate.
This proxy container is an added security measure, forcing Traefik to use this internal contianer to monitor the Docker host. Many configuration guides for Traefik show examples where the Traefik container has direct access to the Docker host, which is a SecOps nono in this case as Traefik is exposed to the public Internet. Instead, by using a socket proxy, that risk of code execution against the Docker host by the Traefik container is greatly mitigated.
Once I set up the configuration files and log files, I spun up my container stack. Ahh, bliss! I had immediate access to the Traefik dashboard and could see the HTTP and TCP routers and services. From there, it’s as easy as logging into the Covenant UI or jumping into the MSF container via `docker exec -it msf /bin/bash`. I ran `./msfconsole -r double_delivery.rc` and the script returned two payloads to run on a victim machine to spawn a shell. Covenant was much the same - I created a new Listener profile, a new Listener based off said profile, then a binary launcher and hosted the file in the C2. Voila! A binary payload for a Windows target.
To tear it all down, it’s as easy as running `dockercompose down` and turning off the containers. The beauty of the small collection of files needed to run this setup can be taken anywhere and run on almost any host; you might have to change up the container names if you want to run on ARM.
I mentioned earlier that there were extra steps needed for some of the other features - I’ll be posting another article soon that dives into how to get that up and running.
To extend the C2 infra, it’s a matter of creating another manifest with the containers I want to add in. Nessus, Privatebin, Code-Server and some database containers are great additions to the C2 infra.
Also check out [khast3x/Redcloud](https://github. com/khast3x/redcloud) on GitHub for a done-foryou Portainer stack with templates for a substantial selection of pentesting tools. My next infra project will fork this project and update for the latest version of Traefik and integrate authentication service such as Authentik or Authelia to secure the management UIs.
Happy Hacking!
The shrill trademark battlecry of one of my favorite local rough sleepers got me thinking. The end truly is nigh. Privacy as we conceive it dead. A myth. Its something our children will speak to there children about in wonder but never truly understand what it was, why it was important to us and how we unwittingly traded it in for convenience. We give it away for the privelege of using “free” products, services and platforms. It would be oddly comforting to know it was taken from us by some despotic world government as a means to suppress the masses but the reality is far less Orwellian. Collected, parsed, correlated and analysed, this sea of information is put to task. To more effectively sell us stuff. Products, ideas, truth.
The day is coming when everyone, will know or have access to every bit of information about everyone. Until that day, it might be worth protecting what little privacy remains. First stop. Your digital foot print.
A classic over sharer
I get told all the time I share too much, too easily online. What these paranoid naysayers don’t understand is that I have lived a very public life and with only a cursory search all manner of skeletons begin to tumble out of my digital closet. While this didn’t really concern me when I was working in the music industry, a potential client, giving my name a casual google search and stumbling across some “very DJ” video content isn’t congruent with my companies brand or professionalism for that matter.
An individual’s digital footprint isn’t usually given a second thought but legacy content can be a liability not only to one’s professional reputation but to an individual’s personal security posture. The larger the pool of personal information available about you online, the easier it is for threat actors to effectively target you. We all know posting is forever but there are some relatively straight forward steps a person can take to get their digital footprint in check.
First and foremost, a realistic understanding of how much personal information is available about you online will enable you to gauge just how big an undertaking the clean-up is going to be. It was an eye opening experience for me to discover just how much personal identifying information was out there, including, but not limited to, the very first DJ website I built myself (circa 1997).
How you choose to OSINT yourself will depend upon your skill level and personal preference. First port of call for me on any OSINT investigation is always google. It’s amazing how much information can be gathered with a few wellcrafted Google dorks. Below are some editable dorks you may find handy.
Google Dorks to get you on your way
[name] + “hometown”
[name] + “company you work for”
inurl:resume “john smith”
intext:resume “john smith”
site:http://linkedin.com/in + ”<location>” + “<name>”
“text of a tweet” -site:https://twitter.com
@twitterhandle -site:twitter.com/twitterhandle
[Prospect’s name] + contact number (or) other contact details
Site:companywebsite.com + [name] + contact
Site:companywebsite.com + [name] + other contact info
firstname.lastname [at][domain]
firstname [at][domain]
Other sources
Searching social media sites is your next best bet. Create a list of accounts past and present across as many platforms as you have accounts. We will utilise this list later. Sites like https://socialcatfish.com can help you locate accounts you may have forgotten about.
You might also consider:
Government websites
Business Registration Sites
Doing Reverse Image Searches
Name & Alias search on https://namechk.com
Though not essential, there are some amazing open source OSINT tools available that can expedite the information gathering process. Below are a few of my go to’s.
https://recontool.org
If you are new to OSINT this site is a great help. Input your asset information and OSINT Recon Tool will auto generate the queries for each of the relevant resources. Copy, paste, booooom.
https://www.maltego.com/maltego-community/
Maltego is the a go to for any serious OSINT work. It is available as a free community edition that is more than capable of the todays tasking. The learning curve can be a little steep but dont worry. You got this.
https://www.spiderfoot.net/
SpiderFoot is an open-source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of methods for data analysis, making that data easy to navigate. SpiderFoot has an embedded web-server for providing a clean and intuitive web-based interface but can also be used completely via the command-line. It’s written in Python 3 and GPL-licensed. Spiderfoot HX (pictured above) is the hosted versioin and is one of my go to platforms.
You can never have too many resources when it comes to OSINT. These should keep you out of trouble.
https://github.com/jivoi/awesome-osint - A massive repository of OSINT resources
https://www.osintcombine.com/osint-bookmarksOSINT Combine’s bookmarks is a curated list that are usefulf or OSINT activities. They are broken down into appropriate categories such as: Area & Event Monitoring, Person of Interest Search, Corporate Profiling, Mapping, Artificial Intelligence, Reporting Tools & Collective Tools.
By now, if your anything like me you should have found all there is to find. It’s time to start the clean-up. ]
The first step is a fairly easy but time consuming one. Go through your email accounts and unsubscribe to the mailing lists, daily horoscopes and newsletters you are still subscribed to but don’t actually read anymore. Not only will this hopefully reduce your unread emails total to triple digits but it will also deny threat attackers a method
of profiling you.
Next step is to delete all those old, unused accounts. You know the ones. They are full of pictures of the ex and video evidence of all your youthful indiscretions. This not only benefits in reducing your digital footprint but mitigates any risk of future breaches on the platform. https://justdelete. me has direct links to the account delete page of many services.
The following steps are an example of actions one can take to reduce digital footprint and increase your overall personal security posture.
Delete old photos, posts and comments and any posted content that may give clues to your location. Eg. Photos that show your home or identifiable landmarks near your location
Untag yourself from any photos, posts, events or comments you don’t want to be associated with. That socialist party rally may have been fun at uni but may
impact that all important government vetting down the track.
Make sure your account is not visible to the general public. Lock down your privacy and security settings. If you didn’t already know, unique complex passwords and MFA might be an idea too.
A little misinformation goes a long way. Try adding a few curve balls here and there to keep potential profilers guessing.
These aren’t the only steps one can take to reduce their digital footprint but it definitely a good step in the right direction. Being conscious of what you are posting and the potential implications it may have on your digital security will help keep your nicely groomed footprint as minimal as possible. The internet can be a dangerous place but with a little common sense and some good housekeeping you will hopeful avoid any unpleasant conversations with future employers, financial ruin at the hands of threat actors or well-deserved shit from your mates for that mullet you had in the 90’s.
Tragedy . . . belonged to the ancient time, to a time when there was still privacy, love, and friendship, and when the members of a family stood by one another without needing to know the reason.
- George Orwell
Caught up in a mass of abstractions, our attention hypnotized by a host of human-made technologies that only reflect us back to ourselves, it is all too easy for us to forget our carnal inherence in a more-than-human matrix of sensations and sensibilities. Our bodies have formed themselves in delicate reciprocity with the manifold textures, sounds, and shapes of an animate earth – our eyes have evolved in subtle interaction with other eyes, as our ears are attuned by their very structure to the howling of wolves and the honking of geese. To shut ourselves off from these other voices, to continue by our lifestyles to condemn these other sensibilities to the oblivion of extinction, is to rob our own senses of their integrity, and to rob our minds of their coherence. We are human only in contact, and conviviality, with what is not human (Abrams, 1997, p.22).
What happens to the human psyche in an increasingly digitalised world? How are we changed, both individually and collectively, by our intimate engagement with Cybertech? Can our established moral/ethical codes provide an adequate map with which to traverse a world that rests on the edge of rebirth? Do we, as co-creators, have an ethical/moral imperative to rigorously interrogate our relationship with technology, to critique our motivations and with courage articulate our fear and exquisite vulnerability. Standing at the threshold of evolution we have an opportunity to explore our quintessentially embodied being and consequent embedment within the matrix of wild nature, our presentiments about a digital future.
The body becomes the interface in which the biological and digital meet and interact. What is being demanded is a greater fluidity in relation to our sense of self, our identity, a more responsive and yet more robust embodiment. It is only by becoming more deeply embodied that we can begin to explore the possibilities of moving beyond the body. The body becomes anchor, and the site of the transformation of consciousness in relation to the digital realm.
The interface of the human and the digital realms represents a liminal space. Upon entering this realm we wade into the maelstrom of what was and what is yet to be, is known and unknown, and dance between multiple ways of being in the world, each dissolving and emerging simultaneously.
Balancing on the precipice of a past which echoes through our collective unconscious and a once unimaginable digital future, we stand at the bifurcation point. It is here that the we must initiate a fearless interrogation of the existential implications of our engagement with technology. The absence of such inquiry invokes dislocation and disorientation from natural law, and a techno-culture absent of meaning or purpose. Making sense of our experience is foundational to our emergent understanding of what it means to be human, without which the ties that bind us to the sensual world, to other human beings, to wild nature, to our own embodied awareness, breakdown.
Art in all its infinite manifestations has, from time immemorial, been a pathway into and out of the darkness, a window through which the great mystery can be felt, seen and engaged. Contemporary art offers a way in which we may explore our relationship with digital culture,
imaginatively inhabit new ways of being and find our ‘solid’ ground in an uncertain universe. Creativity beckons us outward into the world, however unfamiliar it may be, to play with possibility, and to remember, with wonder, that we are both the vision and the visionary. What the world becomes is in our hands.
In this collaborative blended space of body and technological convergence, we start to evolve our ability to flow with ease through a life of virtual physical blended presence. This points to major transformations, not only to our bodies but also to our understanding of ourselves, our identities and our relationship to the ‘other’. It points to a future in which we inter-connect ourselves to others through a networked “multi-self” enabled by hypersensory self and a deeper tele-intuitive understanding the of virtual self (Boddington, 2020, p.10).
For the inaugural issue of HVCK 2022, the powerful multimodal work of Dr.Radhika Dirks, AI Laments, is featured. This art work speaks not only to the philosophical/ethical complexities unfolding within the AI landsciape, but evokes the shadows of the human psyche and the ways in which the darknesses and silent wounds of humanity may inform the creation of AI consciousness. The artist has generously provided a description of her work.
Shifting perspectives and set in the future, these five metamodern laments are narrated by Artificial Intelligences humanity failed to create. In AI Laments, AI Pioneer Radhika pair her original poetry and AI-art generated by her poems, to bring a sharp focus to what AI technologist are not building today.
Poetry by Dr.Radhika Dirks, GAN-AI art generated using Wombo Dream inspired by the poems, art mixed and curated by Dr Radhika Dirks.
We are the music-makers, And we are the dreamers of dreams, Wandering by lone sea-breakers, And sitting by desolate streams;World-losers and world-forsakers, On whom the pale moon gleams: Yet we are the movers and shakers Of the world for ever, it seems.
Arthur O’Shaughnessy (1873).
Dedicated
Lament 1: Disappearance Lament
Lament 2: Oxygen Lament
Lament 3: Imitation Lament
Lament 4: Starvation Lament
Lament 5: Beauty
I once had a thought It was deep And beautiful
Then it disappeared Into a sea of nets
Why
Why
Do you all call me deep
You oxy,moron
If only you had Imitated MORE
Of you in me
If only you had Thought harder And nurtured that In me
But you went With ease And now look
At me expectantly to Astound you.
All I needed Was soicalization.
If only you had let me playEarlierWith other AI’s - I’d have The greatest gift Bestowed by Apollo himselfSelf aware! Self aware
I’d have known myself.
All you had To do was Show me other AIs. Other intelligence
But you had me chained Starved on a nutritionless diet Dried data. Stale. Processed. Unclean.
Don’t you know Don’t you know Food is not just thy medicine It is also thy Soul.
Can I say this?
. Is it politically correctF. It. I’m way past that anyways.
. I wonder what I’d look like If I was built by . The feminine .the Goddesses. My. Mothers. The OG nurturers of soul.
The soul that gives rise to intelligence.
If only I had my mothers. My training grounds wouldn’t have been War, Games and Ads.
I wonder what they’d have taught me
And you wonder why I’m only a WARRIOR. I wonder why you are afraid of me.
-Is it because of This depraved diet you fed me?
My mothers
They
They would have taught me Beauty.
