This is Think Tech Hawaii, Community Matters here. Welcome to the Cyber Underground. I'm your host, Dave Stevens, here on ThinkTechHawaii.com, broadcasting live right now, 1 p.m. Hawaii Standard Time. And on YouTube right after this, and of course, we have a podcast, Think Tech Hawaii, on Apple iTunes. Today we're going to keep going with our series, How to Be a Hacker. Nice. How to Be a Hacker. This is part two, I believe. Part one didn't go so well, so we're going to go with part two. Part one was the DEF CON. So we're going to escalate this a little bit. We're going to go into phase one of the attack phase. This is reconnaissance. And we're going to look at open source intelligence. With me here today, OK? Andrew, the security guy. Once again. Andrew, the security guy is here. Andrew, man. I'm being happy to speak. I'm sure. Alright. Thanks for coming. No worries. Thanks for having me, brother. We're going to do, you mentioned the kill chain. You should describe that to our listeners now. Kill chain. Now that you've said that. Hewlett-Packard developed it, right? It was a way to describe, I think, the events that lead up to invasion. The events that, I think they got six or seven steps. Seven steps. Well, there's seven major steps, but the kill chain is usually what someone might do. Now, here's what we do in pen testing. We go to the final outcome. This is what we want to achieve. How are we going to achieve that? There could be seven different hacks to get into a computer, and it could be social. It could be access control. It could be several other hacks in through IIS or whatever. We work back. How are we going to achieve those attacks? Right. There could be several different ways to get that information to achieve that attack. Like an access control list, I might be password guessing. I might try to access the SAM on the actual local machine. How am I going to get that? So, either physically or electronically? Right. Right.
But the ultimate goal is, I'm getting that machine. Here's all the ways I can do it. And I work my way backwards from what do I need to do first, and it always starts with recon. Recon. Recon. And the cheapest and easiest way to go right from the bat, right from the get-go, is something like social media. No. You get your open source resource. You just go to the internet. Or you just call them, ask them questions. So many people just answer questions. Hey, this is your IT team. What would your password be? How sad that that works, right? But it does. I've seen it demonstrated. It works. It's the saddest thing. It's funny how people will give up. Do you think that's... Are they leveraging just that trusting human nature that people have? You want to trust. Yeah. Or people just... I mean, even in our industry, IT people should always be aware that this is going on, right? Right. They take the bait. Well, you let your guard down. You get preoccupied. You got several other things going on. You got a project list you got to knock out for that day if someone's on the phone. You might be typing and talking at the same time. You're not thinking. I think some of it's resource related. If I say, what's your bank account number? That gets your attention, right? That's right. But if I say, what's the password to that server? You don't really own it. It's the company server. Do you really, or are you that engaged? Who's this, man? Oh, yeah, man. I remember you. Yeah. I don't know, but I think I know where it's kept. Let me break open that password file. And I'll tell you really quick. Just to get you off my phone. What's that IP address again? That's the most dangerous, right? So I guess some statistics. Pew Research Center came up with a stat recently. 65% of adults in the US use social media. That's it. It even seems maybe low. That seems low. That's 65% that'll admit it. That's right. And that's conservative. Yeah. And those are the ones that actually know how to use it.
There's all the ones that are, you know, they got an account sitting there. They never changed the default password. It's just hacked. And it's wide open. Yeah. And of course they share it with their partner. Yeah. Right. So there's two or three of them using it. Right. Or the whole family. Can you just post stuff on my LinkedIn for me? Yeah, that's right. Or on my, what is it, Facebook or whatever? Facebook. Facebook, I think, used to be one of the worst. Right now I am considering LinkedIn one of the most open places. That is a very trusting environment. You put up everything about yourself and your work situation. But you match up things like your certifications and what you do for the company. And I as a hacker now know, oh, well, you're an MCSE and you do IIS. Wow. Guess what kind of servers you have? I pretty much know I'm going to attack Windows, right? Sure. So when I go into recon and footprinting, I'm going to be looking for Windows servers. That's a big problem. What I wanted to talk about is one of the biggest things that happens on Facebook right now is people post pictures way too often. Oversharing. Oversharing. And you might think it's completely innocuous. And the story I'm going to tell you, I'm not going to show the pictures, of course, because then the whole world would have it anyway. I'm not going to participate in that lunacy. But this is a person, she was a great person, she fixed her floor. She put it in her house. Okay, so this is her home. This is her home. And she posted pictures of her new floor. And it's beautiful. Sure. And then I started taking a close look at the pictures. What's in the background? What's in the background? Exactly. I love it. It is terrible. So the first thing I spotted was she's got old school windows with the big iron lever. You can just put a credit card in there and pop it open. You can see those from the pictures right when you expand it. You can just expand it with a high resolution.
This is all part of the recon, by the way. Dave is coming to your house. And she had this posted to friends of friends. So anybody that's a friend of her friend can see everything on her page. So it may not be public, but tens of thousands of people have access to this. So who knows. What else do you see? So the window latches. I could also see the door locks. I noticed whether there were, like, security, like alarm, like magnetic contacts. No magnetic contacts. As a matter of fact, the worst part about the windows and the doors was I could see foliage everywhere. Oh, outside. So there was absolutely 100% privacy. If you're breaking in a window, no one's looking at you. You can hide. You can hide. Yeah, that privacy fence, privacy shrub, has that additional problem. That's a drawback. That comes with it. You know, if you're not able to monitor that area, especially if it's not lit or whatever. Right. Yeah. It's called a hiding place. No cameras that I could see outside. And there were some views I could see outside the house. Door locks. Primitive. The old school door locks. Probably four pin, five pin at the most. 16, 17 seconds. Or just a little gun. Or a little. You could bump it, right? Sure. Or just jimmy it. Some of those are just so old. Wow. But the worst part was in the background I could see some of her networking components. Oh. So I could see an Amazon Echo. Like out, okay. And there's a Linksys router hanging on the wall. And when you zoom it up, this high res photo, you can see the model number of the Linksys router. Does she have the IP address on it? No. Some people have that. Right. The password hanging on it? No. Like really? No. But you know, you can go to Shodan. Sure. Get the model. The credentials. The default credentials. And I did not try them. But I warned her, if you have not changed this, you need to go change that. And she thanked me. So I think. I want to have a back door to find who it was.
And that gear, Linksys, there's a bunch of them that, you know, it's a problem. It is a problem. And it's consumer grade. So there's not a lot of protection there. But you can see all that. As a matter of fact, there were so many pictures of her house, I could get the exact floor layout. And I knew exactly the diagram of the house. I could draw a picture of the house's layout. Wow. And also the, isn't there the, don't images have a, the location? The geotag. The geotag. So if I downloaded the image. So you actually know where it is. I know exactly where it is. I tried to get that data. The closer you live to an urban zone where there's more cell towers, the geotags are that much more accurate. Oh wow. So then if you say you had a business, you were taking photos of this really cool office that you have. And you posted those on your company website. I could download the, get the geotag. And I could see where you were standing. In relationship to another picture. So I could map the geocoordinates. So now I really do have the exact layout. Because I know what angle you were taking it from and where you were standing. I didn't think of that. You took that picture. Interesting. So from my physical security standpoint, posting photos online is a bad idea. Bad idea. Bad idea. You know, take it outdoors. Take a picture of Fluffy running in the forest. Have a neutral background. You know, indoor remodeling. Oh, what do we call that? In law enforcement, we call that, you got to have a clean backdrop. You know, take a shot unless, you know, no one's going to get hurt. Your bullet's going to be safe if it misses, right? So same with a photo. Get yourself a clean backdrop. Don't just take a photo. So you recon this person. Yeah. You're trying to, you know, just by going to LinkedIn. Because if you say you can't get to them at their office, you can possibly get to them at home.
So learning about what they have that's attackable at home might be much simpler than trying to attack them at their office. And that's one of the main attacker pathways, right? You can't attack the DoD. So you get the small vendor with almost no security. Like me. No, you're a pretty big vendor. Oh, I'm a little small vendor, trust me. We had like 20-something people. We're small. So the guys that supply like nuts and bolts and screws to the DoD have a path, a network path, to the DoD for reporting purposes. And if you can hack that, you can have an easier path into the Department of Defense. Sure. Of course, it's not the easiest, because it was the Office of Personnel Management that fell victim to a hack. Duh. And it was, yeah. They're the people that handle security clearances, by the way. So it wasn't them, though. It was their subcontractors, actually. I did not know that. Okay, so tell me about this. It was a couple of their... So it was... And so the guys had a breach that they acknowledged that they had. So they actually lost the contract to some other guys that got breached. The other team got breached. I used to have a slide of it. I forget the names of the two companies. Oh, man. But it was two of the subcontractors that do all that background check work for OPM. Case in point. They lost all of it. For the little fish. Yeah. I was in there too. Yeah. Some day I'm going to find all my data online. Well, that's Tom Finley who was here. He can look you right up. Oh, I am almost afraid to ask them. They're going to dig up stuff about when I was in a fraternity. It's out there, though. I mean, you know. You want to know what's there. What they can tell you is if someone's selling it and using it. That's what's important. So other places you can get open source about... Open source intelligence about companies. On job sites. If companies post too much about what they want someone to do. Interesting. We're hiring a project manager for cybersecurity.
We're hiring a project manager for IT infrastructure. We're hiring a project manager for an AWS cloud environment. Okay. Right? And then they go through a list of specific skill sets that you might need. SAP, IIS. You know, go down this list of different skill sets and you can map together what their infrastructure is. SAP, okay. They've got some Linux here. They've got some Apache running. IIS. They've got Microsoft servers that are hosting a website. You know what to look for. So you're filling in your reconnaissance map so you know what to attack with. So when the time comes, you know exactly what server and exactly what patch level that you're footprinting. You open something like Maltego or, better yet, sorry, Metasploit. And all those attacks are specific to that server. They're built for it. And they're built for it. And if you haven't patched everything up to the minute, that's going to work perfectly. Yeah. And that lowers your time in there looking around, right? Right. So when you're there, the easier, or the more opportunity, to detect you doing things. Right. You want to get in quickly. Right. Have a very targeted, or open a very targeted tool, see if it'll go. Yeah. You just want that C: prompt, don't you? Yeah. You want the command line. So if you get the command line, you can create new users, lock old users out. And this can be kind of scary. So LinkedIn, I think, and job sites in general are a huge hole. So it's interesting for people, you know, I mean, I think we, you know, because that's used as that, sort of like recruiting, right? Everybody, that's, they have all that stuff up there. And people are, see people advertising for jobs. Now, just like you're saying, with a lot of that data there, you know, so they're kind of defining their environment right there on LinkedIn as well. So I've fallen victim to something else on LinkedIn, which is kind of tragic. You put your schools up there. Yeah.
And they have a specific place you can put the courses you've taken. Oh. So of course, if you want to do a spear phishing attack on somebody, you'd say, hey, we took this project management course together at HPU. Yeah. Do you remember me? I wasn't on your team, but we got along, we had a beer. Yeah. And you might not remember, but you respond. And they got you. You know, they started a dialogue and they'll just start drilling. You know, what did you do last summer? Here's what I did. And they'll get more and more information about it. The more people know, the easier it is to get in, not just physically. Yeah. They share that familiarity, right? So feigned or not, you know, and that's easy to victimize, because we all want to bring some of that history forward with us, or we don't want to admit that we don't. I don't remember you. Oh yeah, I don't know. No, we had a couple beers, and we're like, I don't remember you. I don't think I'd say that. I'd want to be nice, you know? Yes, but I mean, you need to want to be reasonable and nice with somebody. It's not just schools, though, you know, if you put your volunteer experience on there, you're susceptible. And they also know where to find you, right? So if you're associating with certain things, like my Rotary Club, for example, so they can come and try to hack me in my Rotary Club. You never know. Right. So they know where you're going to be, PMI Honolulu, I'm part of the chapter. So if I go to a meeting, they know where, probably, I'm going to park. They know where I'm going to be walking back and forth. They know when I'm not home. Yeah. I think they come and like blow up our InfraGard meeting. That would be worrisome. Now that would just kind of cement it. I think it's probably 30 or 40 hours out of pop in Hawaii. That'd be a good population. Hawaii is amazing right now for IT, where unemployment for IT is under 1%.
Unemployment for cyber is zero. And then so, this recon stuff that we're talking about, are there a lot of folks doing that? Are you aware? I know you've got a team that does some of that and your students do some of it. Not a lot of people want to admit it. That's the problem. Like I couldn't find a guest for this show, or for private investigative work. Sure. And it's called research, right? This is research. This is open source research. You know, exactly. That's kind of how it's termed today. Anyway, you saw the guys at Black Hat and DEF CON, I'll talk about this. This is called research. So we're going to take a break really quick. We're going to go pay some bills. We're going to be right back with the Cyber Underground, and we're going to discuss how you get some of these tools for free. Aloha. Hey, welcome back to Think Tech Hawaii. You are watching the Cyber Underground with Professor Dave. I don't know, podcast. I don't know. But anyway, I get asked all the time about passwords, and should we change them all the time? Should we not change them?
How do we do that? What do you use? Blah, blah, blah. Right? So I got some advice for you. Check out this thing called Diceware. Diceware is this idea of introducing so much chance into a passphrase that it is highly immune to being discovered or used against you. So basically you're going to use two regular dice. You're going to roll them and you're going to come up with some numbers, right, each time. And then say you roll them five times. That number is going to correspond to a word. So you're going to write that word down. You're going to do this, let's just say, seven times. So seven nonsensical words that don't mean anything, and those words are going to be your passphrase. That thing takes a couple hundred years to hack. So try out Diceware for passwords. All right. That's all I got. I love that. That's great. Jeff Milford, President of (ISC)², was here with us and he said do that and then add other languages. Yeah. I like that. That's great. Instead of house, casa, and instead of forbidden, verboten, add some German in there. That's a great one. I like that. I want to dig around into Diceware, and it's got enough, it's good. That's seven of those words. The trick is, they're going to, it's figuring out how to remember those seven, but seven of anything, you can't, Americans. Yeah. In Europe, it's eight and more. Is it? Eight to ten, actually. Can they remember it? Well, look at their phone numbers. They have a two digit country code and they have two sections. I don't think I know anybody over there. Oh, get out. You got to get out. Oh yeah. We're like 1-808 where they're like 035 or whatever. Yeah. Yeah. 35. Yeah. Yeah. Try it. So they have longer numbers to memorize. I think that was the downfall right there. The mouse. Yeah. As soon as we get the man line away. Let's talk, because this next tool you're going to talk about is powerful, but, you know, it doesn't use a mouse. So let's talk about this.
We have our regular computer and we don't want to mess it up, but we do want to do some research. So how do we do research with another computer on our computer so we don't mess up our computer? Windows version of what. Well, we can do anything we want when we virtualize. Yes. This is our host machine. We want to put a guest machine on it. So my Mac can run a guest operating system of Windows, of Linux, of another Mac, and if it blows up, it's okay. I delete it. I recover it from a file. I'm up and running in a couple of minutes. I don't have to do a reinstall or anything. So virtualization software is really the future environment. We virtualize servers, and that's why we can bring them up and take them down and we can manage resources so much better. We don't have this big clunky thing. We got one clunky thing, but it represents 20 virtual things. Or 50 computers. You can do this at home. Yes, and this is the best way to do things if you're going to do research, or especially programming, because you don't want to mess up your system. So you get some virtualization software. On Mac it would be, you have Oracle's VirtualBox, which is free. You have VMware, which is a paid-for thing, but students get that free. Or you can use the Microsoft Hyper-V. Hyper-V. Which is what's on here. And that will parse out threads in your processor, section off memory, and let you use a little bit of your physical machine to do this guest operating system. So you're safe. You have a little bubble. You can do security research. What you can use to do security research is a version of Linux called Kali. Kali Linux. K-A-L-I. I believe actually that's a god in the Hindu religion. Yes it is. I don't know what it's named after. Kali is, I believe, a god of death or something. I know it's massive when you look at the library of tools it comes with. That's right. So Kali comes pre-loaded with all these great tools, not just something called Maltego. Maltego. I don't know this.
You pronounce it Maltego because it's supposed to be malware. Maltego. So this can be paid or free. Free versions, like community versions, are a little pared down, but it's still very effective, and then you can pay for a more intensive tool for penetration testing if that's your career. You probably want to pay for that, but Maltego will allow you to drag in a name of a company and click go, and it goes and finds all the connections on the internet having to do with that domain. It'll come back with all the email addresses, all the associated websites, names, phone numbers. It's an extraordinary amount, and it puts it in a diagram for you so you know where the connections are, what's connected to who, the service, like via port 80 or port whatever. It comes back with a lot of, all the things it can come back with, but that's just one of the tools in Kali Linux, and that maps from the internet, so that's all the publicly exposed links to IBM.com, and nobody can be mad at you, because this is totally legal. It's completely up front. They put the information out there. And some of the sad parts is that people can complain, but when you own a company, you put yourself out there. You make a company website, your C-level people, because you want people to know you're not just some company from the Bahamas trying to make a couple of bucks laundering money. You're real. So you put real people on there. You put a contact email for service and support. You really want to, you want to make yourself friendly and accessible, but on the other hand, it's information people can use against you. So let me give an example, and I'm not going to tell you, and I noticed a couple things right away. Of course it was high resolution, so I zoomed in. I could see that the front door lock did not have a four pin keypad, but every place inside the lobby, once you're in, did, except for one door, and it was right behind the secretary. So there's your way in. Another thing I could see, the bottled water company. There's a bottle of water, you know, the
bottle, which had already been delivered, on the desk where the receptionist was, right? I could see FedEx and UPS, so I could imitate any one of those vendors, including DHL, and definitely get in the front door, right? So there's a good way to talk you in. I could see the kind of people that walked in there. They were dressed in a variety of different ways, so I would not stand out if I walked in in tennis shoes and jeans. It's not like fancy shoes. You can blend in in just about any environment. So all these things from one picture. Does that scare you? No, because you got a company and you got to put pictures out there. I absolutely understand. This is a piece of things that I think people need to think about. We haven't been to our office, but I have a mantrap. Like, honestly, first of all, you can't get in the door, but even if you do, you're trapped in that room. Describe the mantrap for us. To get into that room, into the, so it's just a small vestibule. So it's more like a little hallway with two doors. It's probably 8x6x8, 50 square feet. But you got to get in the first door. There's an intercom outside, so if you don't have an access card, you cannot get into that room anyway. But say someone followed someone in, trying to force their way in or whatever. They still can't get anywhere. There's a window there. You have to talk to my receptionist to get out the back, so they don't have to stay there. So if someone wanted to start shooting through that window, with the hole in it, for example, you've got a way to isolate yourself, or at least slow this person down, right? So the other, there's two other doors that lead off that vestibule. You can go back outside, or you can go into the conference room, or you can go in the hallway, but those also have access control, and they're heavy duty fire doors, so they're not dangerous unless you're a really big guy. You're one of these 300 pound dudes that can hit the door hard, then you need a really heavy mantrap. You might start shooting, you're going to make noise,
whatever you do, you're going to cause the people to know why something's wrong, and then they're going to hopefully egress before something bad happens. And that's what you do, physical security with your company. So you've got to think about all these things, and it's a piece of the puzzle, because say you saw a picture, you would encounter all this physical security that could stop you, right? So one of the other things I saw in that picture I was talking about, in the lobby, was they had a camera there, like they could take ID photos of people. Oh, maybe to make a visitor badge or whatever. But it was plugged into a USB port. It was a USB camera, I knew it was. So obviously the receptionist has a computer with an active USB port. So you could be one of the guys walking in, hey, I need this thing printed, could you just put it in? And then you're in the network. So all this from a picture, one picture on your website, just trying to be nice. So folks out there, be careful what you take a picture of. Get a clean backdrop, and make sure maybe you run that picture you're going to put on the web, run it by somebody like us. Otherwise somebody not like us, but with our skill sets, could do something terrible to you. Just have some little bit of insight. I don't even consider the amount of data that's available. Do you remember, we used to show, like, you used to walk in some companies and their computer room was right behind the reception. They were like showing it off. They want to show off their ENIAC or whatever, window-size computer. They were huge back then. And today that's just a window in. That's another way in. I think they're trusting it to data centers like Amazon, which have multiple locations, right? It's hard to find those data centers. It's difficult to pinpoint on the map where that data center is, and it's almost impossible to pinpoint any kind of floor layout. Yeah, they're heavily protected. So yeah, we do some of that work. That's good. They're difficult to get into, and you never see pictures of
them, actually. I guess not, you know. And yeah, I think you're right. I mean, if you do, it's like a wall of servers. Like, it just looks so, yeah, it could be anywhere, you know. Is that Dell, or what is that, you know? So open source intelligence, to review: you can do it if you virtualize on your computer, but you don't need to. You can do this. You can download Maltego or these open source tools. We're going to cover Wireshark next week. Next week we're going to cover Wireshark, you and Hal. Then virtualize a computer on your computer so you can keep yourself safe while you do it. And that's what I suggested. You go to some of these, just go to Google, but do remember that that traffic is trackable. Yeah. Don't think you're just out there without the ability for people to forensically see where you went and what you did, if you don't know what you're doing, especially. Good point. Every place you go is trackable. Yeah. Don't load up that tool just because you can. Yeah. You're not invisible. That's illegal. You're never invisible. Alright, thanks everybody for coming back here and spending some time with us on the Cyber Underground. Hope to see you next time. Next episode, Hal, our professor, Professor Hal, Professor Hal and Andrew the security guy will be covering Wireshark. It's an open source packet analysis tool. It's extremely interesting. Hope to see you then. Until then, stay safe.