Political doxing and corporate accountability.

Doxing (Wikipedia)

Doxing (from dox, abbreviation of documents), or doxxing, is the Internet-based practice of researching and broadcasting personally identifiable information about an individual.

The methods employed to acquire this information include searching publicly available databases and social media websites (like Facebook), hacking, and social engineering. It is closely related to internet vigilantism and hacktivism.

Doxing may be carried out for various reasons, including to aid law enforcement, business analysis, extortion, coercion, harassment, online shaming and vigilante justice.

Both Bruce Schneier and Brian Krebs have written excellent articles this week that I feel need to cross paths. If you have not read them yet, it's OK, I'll wait.

We all know Lizard Squad happened last year, but I feel that the COX fine mentioned in Brian's article is a precursor to a standard procedure that will eventually be filed against AOL regarding the CIA Director John Brennan dox.

In short, Lizard Squad was a group of internet antagonists (DDoS) that used social engineering to gain access to accounts belonging to 60 COX cable customers. These were used for doxing and impersonation. Some see social engineering as simply a method for getting personal data, but it is often used for privilege escalation to gain access to more accounts, from celebrities to disliked bosses. A gateway hack, if you will.

What is interesting is that COX is actually being held accountable for this issue, mostly because they had access to private information that they improperly gave Lizard Squad members access to. This is important in two ways.

-It shows that social engineering works well enough that your front line personnel need to be aware, even Janet in the call center.

-It should scare the shit out of IT admins who do not keep up to date with patching and security practices: if a company can be liable for how data is stored and who has access to it, then these types of decisions would traditionally have been held by the CTO or CSO. But generally systems are set up, tested, and put into production with security as an afterthought. That's a conversation for another time.

If COX can be fined $595,000.00 for being tricked into giving a member of Lizard Squad access to their customers' data, I have a feeling AOL has one of these coming too after the more recent CIA Director John Brennan incident. The COX fine is just the beginning; organizations need to wake up and handle their customers' and employees' data properly, or this is not going away any time soon.


Android will automatically require full disk encryption.

Soon Android vendors will need to make disk encryption the standard on new devices (provided the device supports it); it seems the only requirement is that the device features a lock screen.

Taken from their new best practices guide:


This is great news, but Google should focus on securing how the device is encrypted before making it mandatory for all users. Not to mention, it's generally human error that gives you away on your phone. A very sobering and appropriate comment (from a Gawker user) is below:


With mobile platforms more and more commonly being accepted as payment methods, I feel this is Android's push to get their platform secure for a new type of Google Checkout / PayPass. This will increase the incentive for carders, as your phone becomes a larger and larger attack surface.

Bundled with the fact that employers are allowing much more liberal BYOD policies, this can become an issue. But until that happens, here is a hashcat thread on how to capture and brute force the keys if you are doing data forensics on the device, provided you know how to use hashcat and have spare CUDA cores.

But hey, if you're short a few cores, Nvidia's Test Drive has not been abused yet, since they are still letting users sign up. I am surprised it has not become an issue yet.


*Note: I don't recommend abusing Nvidia's free service to crack Android or other passwords. But I am surprised they don't put in more hurdles to prevent someone from doing this / using them as a seedbox.


Increase BitLocker cipher strength to AES 256 | Plus automated drive dismounting!

BitLocker is good. I'm not going to say great, but good as in good enough to get the job done while giving users a relatively safe encryption suite built right into Microsoft Windows that will keep your files (when implemented properly) safe from people who may want access to your PC or laptop. Mileage may vary when dealing with government entities.

However, did you know that BitLocker has various settings that can be configured to increase overall security? If you're using the default settings, take a look below:

Problem: How do I set BitLocker up to be more secure?

Solution: Change the cipher strength to a higher setting.
Before I show you how, I want to make something clear and apparent. Assume everything you encrypt can be decrypted; it is just a matter of time. This does not mean don't encrypt... it just means that encryption will only buy you time when dealing with government entities, or a passionate individual with a 32 GPU cluster and a vendetta.

Either way, more security is always better than none at all. Back on task!

First we need to set the cipher strength; if you have already encrypted the drive, you will need to do it again. Open up gpedit.msc with Start > Run > gpedit.msc.

Once you have it open expand the following tree:

Here you will see various options, but the one we want is: Choose drive encryption and cipher strength. Set it to Enabled and choose AES 256-bit from the dropdown.

Once this is set, press OK. There you go; now you will need to set BitLocker back up. It is assumed you have done this already; if not, head on over to MS and they will provide you with instructions.

BONUS ROUND! How can I automatically dismount encrypted BitLocker drives?

Don't forget: to err is human! Leaving your drives mounted could lead to unforeseen consequences if you are visited late at night by unsavory officials, someone breaks into your house / hotel room, or steals your laptop. With the drives left mounted the keys are in memory and the drives are accessible. They do not lock until you reboot.

So how can you solve this? Easy: create a scheduled task to lock the drive after a predefined period of idleness or on a schedule.

First hit Start > type in Task Scheduler and open it up.

Next, right click and choose Create Basic Task... don't worry, we will change it during the setup process.

Give it a name and a snazzy description.

The next two windows are at your discretion; fill them out based on your needs, seeing as they have to do with how often the job will run. You will eventually be asked What action do you want the task to perform? Choose Start a program.

In the next window you will want to paste in:
manage-bde.exe -lock -ForceDismount E:

E: is the drive letter you want to lock with BitLocker; you need to customize this to your own setup. Windows will tell you that you're dumb and don't know proper syntax. This is fine; for the sake of not wanting two screenshots in the article, just hit Yes and Windows will fix it for you.

Voila! Hit Next and you're done! You have just increased the security of your BitLocker setup with minimal effort but maximum gain.

Here is a list of other BitLocker command options in case you're interested.
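If you want the lock task to cover every data drive rather than a hard-coded E:, and to check that the AES 256 setting above actually took, you need to read what manage-bde reports. The script below is an added example, not code from the original post: it parses a CONSTRUCTED sample laid out like `manage-bde -status` output, works out which unlocked data volumes the task should lock, and lists any volume still on a weaker cipher. On a real host you would feed it the tool's actual output.

```python
"""Decide which BitLocker volumes an automated lock task should dismount and
which ones still use a cipher weaker than the AES 256 setting chosen above.
Added example, not from the original post. SAMPLE_STATUS is CONSTRUCTED to
follow the layout of `manage-bde -status`; feed parse_status() real output."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the OS volume still on AES 128, an unlocked data
# volume on AES 256, and a data volume that is already locked.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Encryption Method:    AES 128
    Lock Status:          Unlocked

Volume E: [Vault]
[Data Volume]

    Encryption Method:    AES 256
    Lock Status:          Unlocked

Volume F: [Backups]
[Data Volume]

    Encryption Method:    AES 256
    Lock Status:          Locked
"""


@dataclass
class Volume:
    letter: str   # e.g. "E:"
    kind: str     # "OS Volume" or "Data Volume"
    method: str   # e.g. "AES 256"
    locked: bool


VOLUME_HEADER = re.compile(r"^Volume ([A-Z]:) \[.*\]$", re.M)


def _field(body: str, name: str) -> str:
    m = re.search(rf"^\s*{name}:\s*(.+?)\s*$", body, re.M)
    return m.group(1) if m else ""


def parse_status(text: str) -> List[Volume]:
    """Split a manage-bde -status report into one record per volume."""
    headers = list(VOLUME_HEADER.finditer(text))
    volumes = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[h.end():end]
        kind = re.search(r"^\[(OS Volume|Data Volume)\]", body, re.M)
        volumes.append(Volume(
            letter=h.group(1),
            kind=kind.group(1) if kind else "Unknown",
            method=_field(body, "Encryption Method"),
            locked=_field(body, "Lock Status").lower() == "locked",
        ))
    return volumes


def volumes_to_lock(volumes: List[Volume]) -> List[str]:
    """Unlocked data volumes. The OS volume is skipped on purpose: manage-bde
    cannot lock the volume Windows is running from, so it would just error."""
    return [v.letter for v in volumes if v.kind == "Data Volume" and not v.locked]


def weak_cipher_volumes(volumes: List[Volume], wanted: str = "AES 256") -> List[str]:
    """Volumes not yet re-encrypted with the cipher strength set in gpedit."""
    return [v.letter for v in volumes if v.method != wanted]


def lock_commands(volumes: List[Volume]) -> List[str]:
    """The same command line the scheduled task runs, one per drive to lock."""
    return [f"manage-bde.exe -lock -ForceDismount {d}" for d in volumes_to_lock(volumes)]
```

Run as the scheduled task's action, it turns one fixed drive letter into a sweep of every unlocked data volume, and the weak-cipher list tells you which drives still need to be decrypted and re-encrypted after the policy change.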

Let's Encrypt | How the future of SSL has come to the penniless.

A great product called Let's Encrypt will be coming out in the near future. One of the best things about this service is how easy it will be to manage the SSL certificates. Oh, and it's free! That's right, web monkeys and hobbyists: stop paying GoDaddy for your SSL certs every year and spend your hard earned money on beer!

Problem: My certificate says it's invalid, or I'm too poor / lazy to buy my own certificate for $100 a year from my current domain provider.

Solution: Use Let's Encrypt in the week of November 16, 2015!

A lot of people may say, who cares? Well, they are wrong: Let's Encrypt will allow people to spend more time developing their product and less time learning the difference between UCC and wildcard certificates, let alone how to make the CSR. In fact the whole renewal process will be automated as well, assuming you're using a compatible OS.

Let's Encrypt is supposed to be so simple to use, in fact, that even people who were marketed Drobos will be able to use it.

The reason I waited so long to post an article about this was the burning question: will it work, and am I required to install an intermediate certificate? (This is sometimes the case with BlowDaddy just to have the client see the certificate as valid.)

Well you can see for yourself on their live test page located here.

I'm looking forward to this forward-thinking method of creating a more secure web and will be lined up on the 16th of November to start applying for certificates.

Notes: I do think that learning how SSL certificates work is a great idea, but for those of you who already know, Let's Encrypt is a great way to quickly get your web service online at zero cost.

Thoughts on downloading already public data dumps.

An excellent article from user thecthulhu. The article does not state what area of law his lawyer practices, but it outlines a number of reasons why hosting / distributing / downloading dumps is not illegal. Take it as it is.

However charging for it is a different story.

One thing to remember is that even if you break laws in other countries, it's not advised you visit them, as one Mississauga gentleman found out while trying to save a few hundred on a bumper for his car by purchasing it from the US.

Tracking shady hosting providers by Google Analytics UIDs

Often you come across a site and are unsure if it is the same as, or under the same umbrella as, another site. This is common with scam or spam sites that are set up as quickly as possible and have a similar appearance.

Sometimes you just want to see if the site is owned by the same person, but the WHOIS info is set to private. This solution is geared only to sites that use the highly popular Google Analytics engine.

For those of you who don't know, Google Analytics is a free solution that allows you to track users coming and going from your site; it will log city, country, referral, and a number of other metrics. What users don't know is that when they deploy the code across multiple sites the UID is the same, but a single digit is appended to the end. How can this be useful? Let me show you!

Here is an example of a normal Google Analytics code snippet that should be on every page of your website. For this example I have replaced my own UA- code (the unique code Google assigns to you) with UA-123456789. See the code below.

(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');

ga('create', 'UA-123456789-6', 'auto');
ga('send', 'pageview');

Pretend this code is in the source of examplepage.com. Looking here we can see Analytics user UA-123456789 is currently tracking you on their site. If you were to go to scamsite.com, view source on that site, and happen to come across the same UA-123456789 ID in the analytics section, it would be fair game to assume that they are the same user tracking stats, unless they share a Google account, but that would be weird.

So how can we use these numbers to attempt to find out how many properties the owner has? Simple! At the end of the code you will see a number appended to the end of the UID. Refer to the example above.

ga('create', 'UA-123456789-6', 'auto');

This shows us that the user has registered up to 6 sites under the UA- UID for analytics. This does not, however, prove that they still have 6 sites around, but rather that at one point they either messed up and made a new tracking code or happen to have it running across 6 sites.

OK cool, I can guess how many sites my competitor / the user has. But how can I find the other sites? Simply by putting the UA- number into Google without the appended -digit, you can get basic results leading to other properties owned by the user.

OK OK, but why is this important?
The world of web indexing is getting smarter. Indexers not only crawl sites but the very raw HTML content they contain. Services like cuestat.com are already linking owners by analytics UIDs, and it won't be long before more do too. And you don't want to be the guy who is caught hosting yourname.com as a vanity site and freemovies-for-download.com with the same UA-123456789-x ID when the MPAA comes calling.

*Note: all sites in this article are fictitious; do not attempt to visit yourname.com or freemovies-for-download.com unless you want to. I know I have not.

Update 2015-10-27: Looks like Vice's blog Motherboard used a similar methodology in their post today when tracking down scammers who were using their face. They used a utility to do the discovery automatically, but the thought process is the same.
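The same correlation the post does by hand, as an added example that is not code from the original post: it pulls the UA- account and suffix out of page sources, groups hostnames that share an account, and reads off the highest suffix seen. The page sources are CONSTRUCTED, the hostnames are the post's fictitious ones, and UA-123456789 is the post's placeholder account.

```python
"""Extract Google Analytics tracking IDs from page sources and group sites by
the shared account number, the technique described above. Added example, not
code from the original post: PAGES is CONSTRUCTED, the hostnames are the
post's fictitious ones, and UA-123456789 is the post's placeholder account."""
import re
from collections import defaultdict

# UA-<account>-<index>: the account part is shared across an owner's sites,
# the index is the per-property suffix. Matching the raw ID rather than the
# ga('create', ...) call also covers the older _gaq _setAccount snippet.
UA_RE = re.compile(r"\bUA-(\d{4,10})-(\d{1,3})\b")

# Constructed page sources keyed by hostname.
PAGES = {
    "examplepage.com": "<script>ga('create', 'UA-123456789-6', 'auto');"
                       "ga('send', 'pageview');</script>",
    "scamsite.com": "<script>_gaq.push(['_setAccount', 'UA-123456789-2']);</script>",
    "yourname.com": "<script>ga('create', 'UA-123456789-1', 'auto');</script>",
    "unrelated.example": "<script>ga('create', 'UA-987654321-1', 'auto');</script>",
    "no-analytics.example": "<html><body>static page, no tracker</body></html>",
}


def extract_ua_ids(html):
    """Distinct (account, index) pairs found in one page's source."""
    return sorted({(acct, int(idx)) for acct, idx in UA_RE.findall(html)})


def group_by_property(pages):
    """account -> {hostname: [indexes seen]} across every fetched page."""
    groups = defaultdict(dict)
    for host, html in pages.items():
        for acct, idx in extract_ua_ids(html):
            groups[acct].setdefault(host, []).append(idx)
    return dict(groups)


def linked_sites(pages, host):
    """Other hostnames that embed the same analytics account as `host`."""
    linked = set()
    for hosts in group_by_property(pages).values():
        if host in hosts:
            linked.update(h for h in hosts if h != host)
    return sorted(linked)


def max_index(pages, acct):
    """Highest -N suffix seen for an account: the post's 'registered up to N
    sites' inference. It is a lower bound, not a count of live sites."""
    hosts = group_by_property(pages).get(acct, {})
    return max((i for idxs in hosts.values() for i in idxs), default=0)


if __name__ == "__main__":
    print(group_by_property(PAGES))
    print(linked_sites(PAGES, "examplepage.com"))
    print(max_index(PAGES, "123456789"))
```

The same check run over your own sites tells you whether a vanity domain and anything else you host are already linkable this way.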

To encrypt or not to encrypt. Is there an easy solution?

Here is an interesting article from Joseph Cox on encryption in the home and how well it stands up. Despite no sources being listed, it gives what I consider a comprehensive look at the problem at hand of layering your encryption.

“This way, if you are stopped and forced to decrypt your hard-drive, your adversary is going to only have access to what you have deliberately stored on that computer. If your PGP secret key is stashed at home, or the leak you were provided with is on a computer elsewhere, your adversary isn’t going to get hold of them. But if you didn’t take this precaution, they are likely to gain access to everything: articles in progress, notes, interview transcripts, the lot.”


THC Hydra Remote Desktop Bruteforce Example | A lesson in Network Level Security

This write-up has a disclaimer at the bottom that you agree to prior to reading any other content in this post.

Today I asked myself: what is my attack surface, and how can I lower it? One function that computer admins love is remote desktop. It is amazing. It makes life so easy we would be willing to make security exceptions just to have it, such as forwarding a port to be able to use it.


The problem with remote desktop is that it opens a very real security risk to our network. Assume you are an admin on your box and someone was able to gain access to your RDP without you knowing. That box is connected to your home network where photos and Excel sheets of budgets and CC info lie: priceless videos of kids and important PDFs of job applications, let alone backups of those items, Drobos, media centers, installed apps with remember my password checked, and whatnot. These are all things that a would-be bruteforcer might want.

So herein lies the problem... I will split this into two problems, but they have a single solution.

Problem: I want remote desktop access, but I want to mitigate as many risks as possible when I expose myself to the WAN. If you don't care about the bruteforce guide, you can skip to the solution below.

Problem: I would like to see how a bruteforce attack would work against an RDP connection so I can better defend against it.

First of all you will need a few pieces of software to get started.
-A Linux box (Windoze can be substituted, but this is beyond the scope of this guide)
-THC Hydra, which can be downloaded here.
-A word list (you can make one when we get to that point in the example)
-A target Windows host that is able to accept RDP connections


Once you have your Linux box up and running you need to install THC Hydra: download and extract it. The application needs to be built via make, so change directory to the extracted files.

Type in:

make install

This may need to be sudo make install depending on your level of access / where you are working.

Once completed, if you type ls you should see a green hydra file. This is what we will be using from now on.

Next we need to make a word list. This is the list that hydra will use against the remote host; it will contain passwords only. To save room I have made the simplified list below; your list will be custom to your testing, as it needs to contain at least one correct password.

Open up nano by typing: nano wordlist.txt

Enter in the following lines:

The password on my test box is the word password; I have placed it in the middle since I don't want to make this too easy. Press Ctrl+X to save the file.

Now we want to execute the attack. You will need the victim's *ahem* test box's IP address as well as the assumed username; generally there is an administrator account, however if you are testing a domain / specific target you may want to change this.

Enter in the command:
hydra -t 1 -V -f -l administrator -P wordlist.txt rdp://

OK, let's break this down nice and quick:
hydra – The program we assembled via make.
-t 1 – Tasks set to 1; good enough for a VM, but you can raise it if you have a physical PC dedicated to this. Too many threads will yield false results. Play with it.
-V – verbose, give me all output while you work
-f – quit once you have found a positive user:pass match
-l administrator – use the username administrator to attempt to log in
-P wordlist.txt – This is the word list that we will be pulling passwords from.
rdp:// – This is the target IP; customize to your liking. Attacks can be carried out over the WAN.

But my client is using port 3390, or 3391, or some other arbitrary port that they should not be using in the predefined port range! ...No problem, simply use the -s option followed by the port number to specify it.

Your output will say something along the lines of:
[ATTEMPT] target - login "administrator" - pass "123456" ...
[ATTEMPT] target - login "administrator" - pass "654321" ...
[ATTEMPT] target - login "administrator" - pass "admin" ...
[3389][rdp] host login: administrator  password: admin
[STATUS] attack was finished...

*Note: The user will be kicked to the lock screen if you get a successful user:pass while they are using the computer.

If your attack did not work, then it's probably due to Windows Firewall being enabled or Network Level Authentication being set to on. I cover this in the solutions section below.

Solution: Enable Network Level Authentication; don't use basic authentication.
This can be overlooked because when most users set up RDP they just want it to work; this is the problem with RDP. Scrubs spend so much time just trying to get it to work and think about security afterwards, so they choose (more compatible) when they set it up, not (more secure). By changing this setting you force the client to authenticate before making the RDP connection, so THC Hydra will fail. An interesting side note is that it does not fail outright; it just sees all passwords as wrong. This setting will cause issues in a Windows/Linux environment that uses services like xrdp.

Another solution is to move the RDP port to something more obscure like 50001. This may not be very obscure, but most of the utilities I looked at automatically try ports 3389 (RDP's default), 3390 and 3391.

The final and more annoying but secure option is to look into 2FA, or two factor authentication. This provides two kinds of protection: only the user with the device can log in, and you get a notification when a user attempts to log in but is unsuccessful. This will help you gauge the amount of RDP attempts without having to look at the Event Viewer. Duo Security is not too bad; I have used them in the past and they offer free accounts to non-corporate users.

However, implementing 2FA in your organization may be difficult, so you may have to rely on the event log. To do this I highly recommend Overseer Network Monitor; this is not an ad or a scare tactic. I love this product, we used it in my previous environment and I would love it where I am working now. It allows event monitoring and email notifications.
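If you would rather watch the event log yourself than buy a monitor, the burst a run like the one above leaves behind is easy to pick out: many 4625 (failed logon) events from one source in a short window, possibly followed by a 4624 (successful logon) from the same source. The detection below is an added example, not code from the original post; the log lines are CONSTRUCTED in a simplified one-line-per-event form carrying the fields a real 4625/4624 event has.

```python
"""Spot an RDP password-guessing burst in the Windows Security log and note
whether it ended in a successful logon. Added example, not from the original
post. LOG is CONSTRUCTED in a simplified 'timestamp event_id user source
logon_type' form; real 4625/4624 events carry the same fields."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: a normal RDP logon, then a burst against 'administrator'
# from 203.0.113.7 that ends with a 4624, and a slow trickle from another
# source. Logon type 10 = RemoteInteractive (RDP); type 3 = Network, which
# is how failures appear when Network Level Authentication rejects them.
LOG = """\
2015-10-27T22:10:00Z 4624 alice 192.168.1.20 10
2015-10-27T22:14:01Z 4625 administrator 203.0.113.7 3
2015-10-27T22:14:02Z 4625 administrator 203.0.113.7 3
2015-10-27T22:14:03Z 4625 administrator 203.0.113.7 3
2015-10-27T22:14:04Z 4625 administrator 203.0.113.7 3
2015-10-27T22:14:05Z 4625 administrator 203.0.113.7 3
2015-10-27T22:14:06Z 4624 administrator 203.0.113.7 10
2015-10-27T22:20:00Z 4625 bob 198.51.100.9 3
2015-10-27T22:40:00Z 4625 bob 198.51.100.9 3
2015-10-27T23:00:00Z 4625 bob 198.51.100.9 3
"""

WINDOW = timedelta(seconds=60)   # sliding window per source address
THRESHOLD = 5                    # failed logons inside WINDOW that trigger


def parse(log):
    """Turn the constructed log into chronological event tuples."""
    events = []
    for line in log.splitlines():
        ts, event_id, user, src, ltype = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       int(event_id), user, src, int(ltype)))
    return sorted(events)


def detect(log, window=WINDOW, threshold=THRESHOLD):
    """Return {source: {"failures", "users", "succeeded"}} for each source
    that reached `threshold` 4625s within `window`; a later 4624 from the
    same source marks the burst as having found a working password."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    total, users, alerted = Counter(), defaultdict(set), {}
    for ts, event_id, user, src, _ltype in parse(log):
        if event_id == 4625:
            total[src] += 1
            users[src].add(user)
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:      # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                alerted.setdefault(src, False)
        elif event_id == 4624 and src in alerted:
            alerted[src] = True            # the guessing paid off
    return {src: {"failures": total[src], "users": sorted(users[src]),
                  "succeeded": ok} for src, ok in alerted.items()}


if __name__ == "__main__":
    for src, info in detect(LOG).items():
        print(src, info)
```

A slow trickle like the second source only shows up if you widen the window, which is the trade-off to tune against your own baseline of failed logons.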

There you have it! 4 ways to protect yourself from exploitation via RDP!

*2016-09-16 Update: I have been playing around with various 2FA solutions and I feel the YubiKey is an excellent solution for protecting RDP if properly implemented.

The instructions above should only be used on a local network against your own equipment unless granted explicit permission by the owner of said equipment. This guide is not to be used to attack users over the WAN or people you don't like / want to hack. The guide is provided for informational purposes only.

Be smart. Stay Safe.


Hell Forum Closed, Administrator ping arrested. | hell2bjhfxm77htq.onion

Hell forum has been getting a lot of attention recently. Publishers from Vice to Brian Krebs have been writing about this onion site that disappeared yesterday.

Hell Forum was a Tor site that facilitated dumps and leaks from various sources with a heavy focus on cyber crime. The site itself had guides on carding, hacks, exploits, and dumps. In the last few days of the forum being online there were a number of releases for sites as recent as May 31st 2015.

Didn't have the skills to be a script kiddie? Hell was also a hub for users to exchange shells and databases the users had collected. This added to the community's known reputation among Tor users.

Why am I writing about this?
The main reason is exposure: I have only seen one article about this online so far. It seems that the ability for users to collectively aggregate and then sell this data is on the rise, and Hell forums was the place to go. I also had some observations that were not covered by ThreatStream's post regarding the encryption keys used on the .rar files, and wanted to touch on the importance of security even over Tor. I highly recommend you read their article once done here.

In brief, Hell ( https://hell2bjhfxm77htq.onion ) administrator 'ping', a 33 year old Calgary resident, was charged for card skimming today after an extensive six month investigation. This created an issue for Hell forum users since he was the administrator of the site. During the last month he has been active on the site and still publishing data leaks, even after the initial arrest and after the seizure. This would be problematic for users of an underground forum, seeing as it is possible he might have worked with law enforcement in order to attain a reduced sentence. A daily reminder that even if you use Tor services you need to be security conscious about who you contact, what you do, and the implications it may have just for being associated (or even having an account) with these sites.

After the forums went down yesterday the repo where the leaks were stored also disappeared into the depths of the deep web. The site ' http://agcv47dxxqxqkmw3.onion/Hacked_Data/ ' is also gone; as noted by ThreatStream it had a number of data leaks on it, some of them encrypted, some not. What was overlooked by the article was that a number of the archives that were recently posted were the very public HackingTeam leaks, Wildstar Online (online MMO), Cheap Ass Gamer, and MajorGeeks.com with data as new as March 31st 2015.


Another item that has not yet been reported is that the keys to the archives were actually lines of his PGP block.

A small collection of the leaks utilize the passwords: `mQINBFUiprYBEADKX+oGpwzjjQ7bUr7XUjfP5C/xCR3dQfdcmflkBf3HdK7ARZ3p`, `58iY0pmkQa6EMlNFXcBt75QW3wUFxSFrfy2aN2D/+UTCz/H08Q6wMNITyvtXy5uc`,

When looking at this I noticed that they line up with the current PGP key that 'ping' used, posted below:

Version: GnuPG v2.0.22 (GNU/Linux)


It's probable that other lines could be the key to unlocking the now gone archives.

Seeing as 'ping' is not going to be releasing the keys any time soon for the remaining archives, this is the best lead existing Hell users would have had to open the files; one of the locked archives was suspected of being the second batch of the federal leak in 2013.

In closing, there will always be more "Hell" forums that spring up as long as there is a demand for them. Users should always keep in mind that when using Tor you are only as secure as the service you use. Once you put identifying data into the service you have removed any barriers it has put up for you.

Exploits and large companies | How nothing has changed since 1998


I am posting something a bit different today: an opinion article on something I feel to be true. The basis is a video of the L0pht's 1998 testimony and a comparison of how little has changed since then.

Recently in the Washington Post there was an article about the hacker group called L0pht and their plea to the government on how private companies need to be responsible for the software they put online. They were trying to bring to light that if you want a more secure system, then don't put it online. This does not mean that offline systems are impervious to attacks either. The testimony is worth the 1 hour run time and I recommend you listen to it on YouTube. It is very important if your business is accountable for holding data records, login info, and customer info. This is not related to my previous article but rather to all kinds of software I see day in and day out.

I just wanted to touch on a few items in the video that I believe are still prevalent in today's online culture and the mentality of corporate security.

“Can the systems be secured? In most cases they can be … they can be remedied by incorporating relatively trivial and inexpensive cryptographically secure authentication.”
Often some of the insecure items I come across are due to no security at all, whether they store data in the database in plain text or don't use common and readily available technologies like HTTPS or TLS to transmit over public forms of communication. Having something is always better than having nothing.

"Insecure software is cheaper and easier to sell as there is no liability tied to the manufacturers" ... "encourage companies to include this [security] in their products and hold them liable when their products fail."
Selling software is easy; ensuring it has perfect security is impossible. No product will ever be truly secure; it is not a matter of if but rather when.

“I don’t think it is possible to create a fool proof system, but I don’t think that should be the goal. The goal should be very difficult to get in.”
Putting hurdles in the way of would-be exploiters slows them down and keeps away the script kiddies. This, in combination with monitoring intrusion events, would keep organisations aware. Security needs to roll forward with the times; it is not something you can deploy and hope will work for the lifetime of the product.

“If you have sensitive information then you should not share it with networks that are less secure or less trusted”
As straightforward as this sounds, it could be as simple as allowing VPN users from outside the office in, or more commonly BYOD enrollment in the office.

So that leaves us with what can be done about it.
For starters, listen and be aware of what is going on in both the industry and with your own systems. I am not saying go out now and update your WatchGuard and IronPort devices and patch every device on the network. I am simply referring to reading up on what is going on: is there a new exploit for TLS downgrading that could affect my S3 instance? Are my offsite backups stored in an encrypted manner? Is there documentation on how well that stands up to bruteforce techniques? Have I looked at the FTP logs for unusual activity? Maybe I should not have an FTP account that could expose the internal file server. All of these questions lead to new avenues of learning and awareness.

Also, listen to users who are trying to help. It's much easier and cheaper to ignore a problem; however, when an internal or external user lets you know there is an issue with the current implementation, getting upset will only make the user think twice about letting you know in the future. I see this as one of the biggest roadblocks to reporting issues. It is far easier to sell an exploit online and actually make money than it is to report it and then have pressure from the company. Take a more recent example with Starbucks. Imagine if this exploit was sold.
“The unpleasant part is a guy from Starbucks calling me with nothing like “thanks” but mentioning “fraud” and “malicious actions” instead.”
The selling of zero days and exploits also hurts the company far more than if they were to fix it after it was disclosed to them. This comes at a higher cost to both the organization and the clients that had put their faith, and more importantly their data, into the organization.