I was always a big fan of “Crack The Hash” contests, in which all participants are given a hash value and some hints and try to crack it in a short amount of time. I wanted to hold a similar contest for my Twitch followers. While hash cracking contests are fun, they require good hardware to be successful. Unfortunately, my followers are mostly students and, due to the economic crisis in Turkey, they are not able to buy computers with good hardware.
So I had to create a contest format in which both rich and poor students could participate equally. It should be a contest of knowledge and hard work, not money. As a result, I created a format named “Hash Olimpiyatları (Hash Olympics)”. In this format, I announce an attack combination one week before the contest (see details in the process and rules section). During that week, the participants analyze the data and prepare the best lists for the given attack combination. They do not crack the hashes themselves; instead, they send the required lists (wordlist, mask, rule) to me before the contest. I then crack the hashes in the target database live on Twitch with the lists they sent.
As you know, last year I did a study to find the passwords containing Turkish words in the Rockyou wordlist. That study had two important shortcomings:
The data set was limited
It could not detect passwords of Turkish users that did not contain Turkish words
To overcome these two problems, together with volunteers (Ahmet Külekçi, Rauf Giray Doğan, Murat Öztürk) we browsed various hacking forums and downloaded the dehashed (cracked) versions of leaked databases. (The list of analyzed data is available in the repo description.)
Over the last year I have received a large number of complaints and questions about salaries in the cyber security sector. In general, people are not familiar with the salary distribution in the sector and cannot decide whether the pay they receive is good or bad. I was not very familiar with this information either. So I ran a salary survey so that everyone could get an idea about the topic.
When sharing the survey I was afraid of spam entries, but there was almost no spam. Apart from a few troll entries, there were no problems. Looking at the entry times, I also saw that no large number of entries had been submitted in quick succession. So the data in the survey looks reliable. After cleaning out entries with typos and outliers, I was left with 259 salary records. You can download the data set here: https://utkusen.com/blog/assets/maas.csv
In the information security field, we have developed a lot of beliefs that can’t be discussed (or are rarely discussed):
Never roll your own crypto
Always use TLS
Security by obscurity is bad
And so on. Most of them are generally correct. However, I started to think that people repeat them because everyone else does, and most people are not actually thinking about the exceptional cases. In this post, I will raise my objection to the idea that “security by obscurity is bad”.
Risk, Defense in Depth and Swiss Cheese
One of the main goals of defensive security is reducing the risk to the target business. According to OWASP’s methodology, the risk of an issue is calculated with the formula below:
Risk = Likelihood * Impact
Authentication has been one of the biggest problems in security since the beginning of the internet. In most cases, we use passwords for authentication. But this usually causes problems, since people use weak passwords, reuse the same passwords on different platforms, or simply give them away to phishing scams. Not only for websites and applications; we also use them to unlock our mobile phones. However, companies like Apple have provided more user-friendly authentication options such as Touch ID and Face ID, where you unlock your phone with your biometric data.
Authentication with biometric data is cool, but I’m not really a big fan of it. It’s easy to put someone’s finger on their iPhone by force. That’s a great risk for people living under oppressive regimes, or for criminals who want to negotiate after being captured.
What about regular passcodes? A passcode exists only in your mind. But this doesn’t mean you are not at risk: they can torture you to get that passcode, and eventually you will give up.
What do we need then? We need an authentication mechanism that can’t be captured even under torture. Assuming that we will give in under torture, this mechanism should be aware that we are under stress.
TL;DR: This article contains my experiences testing the security of an amusement arcade. I found a DoS vulnerability in Intercard devices. An attacker can take down an entire arcade’s machines by using this vulnerability.
My girlfriend and I love to spend hours in local arcades. I always wanted to know how their network works and whether they are secure. But I couldn’t find a comprehensive article about it, so I decided to test them myself.
Learning The Fundamentals
In most arcades, you need to have their magnetic stripe card. You go to the cashier and say how much credit you want. After that, she takes a random card from the stack, swipes it at a machine, presses some buttons on the screen and hands you the card.
Two months ago, I was planning to publish a mobile app for both Android and iOS devices. However, I didn’t know how to code mobile apps natively. I found that there is an app type called “Webview”, in which you just prepare a mobile-friendly website and serve it inside the app. That was cool. So I coded the web application with the Django framework. I just needed to install it on a server, set a domain name and go. But what if I have thousands of active users in the future; how many resources will I need? Also, what if my competitors conduct DDoS attacks; will I have the time or budget to deal with it? The answer was no. So I needed some alternative methods.
Basically, the web application was doing the following things:
- Gather stats about football games from an API
- Do predictions with precomputed machine learning model
- Serve results inside the app
The first thing that came to my mind was using a serverless architecture. I’m a big fan of that concept: it reduces cost, attack surface and maintenance struggles. I had coded a few AWS Lambda functions before, for 10-15 users. But when I calculated the cost for thousands of users, it wasn’t as cheap as I thought. Lambda + API Gateway would cost more than $40 per month.
I’m also a big fan of static websites. They reduce cost and attack surface much more than a serverless architecture does. For example, I publish this blog statically via AWS S3 using the Jekyll framework. Since my Django app has no user interaction, I thought maybe I could serve it as a static website as well.
I researched it a lot and tried a couple of open source projects, but no luck; I always encountered problems. There was no stable solution for converting a Django app to a static website. So I decided to make my own process. After some trials, my old friend httrack was the most stable solution.
I coded an Empire module which detects PII data in given Office documents. You can access my pull request, which includes the module, here: https://github.com/BC-SECURITY/Empire/pull/4
Or, you can get the PowerShell script alone here: https://gist.github.com/utkusen/03c8ff388e76d45c1ec79580772d8a78