Offensive Security Rants & Threat Actor Roleplay
05 May 2019
Disclaimer: This was for a college assignment, but I think it turned out pretty well. Don’t hold my college work against me though! The professor wore a cowboy hat, unbuttoned jeans, sandals, and was the most chaotic man I’ve ever met.
To currently live in a world where our data is worth more than us is terrifying. Our data is valuable to companies and can even be used maliciously against us. Everything we enter online can be used to manipulate us into buying the latest product or can be held against us in a court of law. However, if our data is so valuable, why don’t we work harder to protect it?
This post discusses how data has evolved in the modern day, and why it’s important to protect our data. Rather than falling victim to man-in-the-middle (MITM) and credential stuffing attacks, it’s important that the average consumer becomes more aware of their security and privacy online.
Data has an infinite value for criminals in the digital era. As we’ve seen over the past few years thanks to ransomware, our data being made inaccessible is a huge deal, and individuals will pay hundreds of thousands to get it back. Furthermore, once an attacker has taken control of a system, they may decide to blackmail the victim with their own data. Data is something valuable that we will pay thousands to get back, or even pay thousands to hide from others. Therefore, data is a hostage in the digital era. More importantly, the average consumer doesn’t make daily backups, use a virtual private network (VPN), or think about their digital footprint, and doesn’t think about digital threats until it’s too late.
This section will go into detail about common attack scenarios that anyone can prevent with ease. Although we can never perfect our security, we can make it much harder for an attacker to gather our private data.
Man-in-the-middle attacks can be performed by anyone. Tools like the WiFi Pineapple Nano can be bought by anyone and operated with little technical knowledge. A man-in-the-middle attack doesn’t have to download anything to your personal computer. Rather, these attacks rely on people not ‘caring’ enough about their security and entering personal details on a public network. Not only does this jeopardize your data, but it also opens doors to attack scenarios in the future.
Now that we understand what the attack is - it’s important to discuss the mitigations:
Credential stuffing involves an attacker using credentials obtained in a data breach. We’re all guilty of using a password on more than one website. Credential stuffing takes advantage of that by recycling the credentials obtained. Furthermore, attackers are able to access data which is kept private behind your account login. This could include your phone number or even the last four numbers of your social security number.
The mitigation for credential stuffing is simply to not reuse your passwords. In addition to changing your password, it’s important to use two-factor authentication. This can be accomplished by linking an app such as Authy to your account. In addition to apps such as Authy - I recommend using a YubiKey which can act as your two-factor authentication, and improve the strength of your password.
To check if your password is in a data dump enter your email on the site haveibeenpwned. If your email and password are found in a data dump then this site will alert you. If so, it’s important to change your passwords as soon as possible in order to avoid this type of attack.
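As an added example (not part of the original post), the sketch below audits a set of accounts for the two problems described above: passwords that appear in a breach corpus and passwords reused across sites. It models the hash-prefix range lookup that Have I Been Pwned's Pwned Passwords service uses, where only the first five characters of the SHA-1 hash leave your machine; the corpus, the `simulated_range` stand-in for the service, the account names and all function names are assumptions constructed so the code runs offline.

```python
import hashlib

# Constructed breach corpus (password -> times seen); stands in for a real breach data set.
BREACHED = {"password": 3, "hunter2": 17, "letmein": 42}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password):
    """Return (5-char prefix sent to the service, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def simulated_range(prefix, corpus=BREACHED):
    """Service side (simulated): every 'SUFFIX:COUNT' line whose hash starts with prefix."""
    lines = []
    for pw, count in corpus.items():
        p, suffix = split_hash(pw)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)

def breach_count(password, fetch_range=simulated_range):
    """Client side: only the prefix leaves the machine; matching happens locally."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0

def audit(accounts, fetch_range=simulated_range):
    """accounts maps site -> password; report breach hits and reuse across sites."""
    sites_by_hash = {}
    for site, pw in accounts.items():
        sites_by_hash.setdefault(sha1_hex(pw), []).append(site)
    report = {}
    for site, pw in accounts.items():
        report[site] = {
            "breach_count": breach_count(pw, fetch_range),
            "reused_with": [s for s in sites_by_hash[sha1_hex(pw)] if s != site],
        }
    return report

if __name__ == "__main__":
    # Constructed sample accounts, not real credentials.
    sample = {"mail.example": "hunter2", "shop.example": "hunter2",
              "bank.example": "v9#Lq2!xTz-unique"}
    for site, finding in audit(sample).items():
        print(site, finding)
```

Any account with a non-zero `breach_count` or a non-empty `reused_with` list is one whose password should be changed to a unique value.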
Although this may seem like common sense, don’t allow people to plug unknown devices into your computer (or phone). This also means that you shouldn’t leave your computer unattended while unlocked. Countless times people have asked me (while my computer is covered in DEF CON and hacking stickers) to watch their computer while they go to the bathroom.
In these few minutes I could do the following:
In this video I turned off Windows Defender and gained persistent remote access to the target device in about 30 seconds. Although this could’ve been sped up - it’s important to recognize the catastrophic damage that someone can do in a short amount of time without ever touching your keyboard.
If the attack scenarios above didn’t convince you - then the more complex attacks most likely would. Your data is a prize which can be stolen in a matter of seconds. Some attacks require complexity which relies on mistakes that software developers make, while some attacks rely on common human mistakes.
“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”
We’re all hiding something from someone, even if we don’t yet realize it.
We’ve slowly been conditioned to believe that our search history isn’t that important. However, our search history reveals more about us than you may think. For example, it may reveal what medical issues you have, or even where you’re going to be vacationing next weekend. Everything we enter and do online is important to somebody.
“There will come a time when it isn’t ‘They’re spying on me through my phone’ anymore. Eventually, it will be ‘My phone is spying on me’.”
Surveillance is evolving faster than ever. We carry around phones whose microphones pick up on keywords and tailor advertisements to fit us perfectly. If a phone can shape our life with keywords - shouldn’t we be more concerned about what a bad actor could do with such information?
Finally, when it comes down to it - our data may haunt us years in the future. Whether it’s a hacker, company, or algorithm, the more information that someone has on you, the easier it is for them to manipulate you.
Security and privacy are more important than ever. Surveillance is evolving, and our data is becoming even more valuable as we shift towards having everything online. Privacy is a fundamental right. What you do online is your business, not mine, not your friends’, and not some random company’s.
It’s important for us to recognize how important security and privacy are, and the enormous role we play in controlling how our data is used, and who uses it. Otherwise, we will simply become another statistic for a company to manipulate.