What is with all the Drobo hate?

I know that a number of people dislike Drobo. I get it: the device is slow, when it fails it can fail hard, and setup can be a pain sometimes.

I'm not endorsing them either, but I feel it's actually not too bad of a product for the home. I also can't help but feel that's where it fails. You only need to be at a very low skill level to use and set up the device yourself, but from reading the support forums a lot of people are not at that level. When you see questions like "What's single disk redundancy?" or "I pulled a drive out while it was recovering," I can't help but feel the hate comes from users who fail to understand the basic concepts of RAID and would look at you with blank eyes if you asked whether they were using iSCSI. But that is exactly who Drobo is marketed to.

Then on the other side you have the tech users who expect to run VMs on it or get the throughput of 8 disks over a single Ethernet interface. While newer models have NIC teaming and support SSDs and whatnot, I still feel the devices can't compete with even the home Synology devices.

All I can say is, for anyone out there looking for the answer to the following question: does the Drobo Pro (2009-2010) support disks larger than 2TB? Yes! Larger than 4TB? Yes! And will putting in an 8TB disk fuck up my whole RAID stack? No, you are fine. Drobo has been decent about patching a product that did not support disks larger than 2TB when it launched up to what I can confirm works at 8TB.

After suffering two disk failures over the last year I can say that my Drobo is still puttering along fine, recovered fully both times, and has accepted every disk size up to 8TB I have thrown at it to date, despite the lack of documentation on their own site regarding these large drives.


So for keeping data safe, here's a cold one to you, Drobo; now I don't have to recover anything from backups.

Introducing WhoIsByIP.com and Lazarus.


For the last few months I have been working on a small side project that interested me in between checking up on my hashtopus stack. Feeling that it's a little more polished and stable, I would like to present WhoIsByIP.com, a site that allows users to reverse IP addresses and domains. Knowing there are other services that allow you to reverse domains and IP addresses, I figured this would be a good opportunity to learn some more PHP and actually create something that may be used by the public. But that's not all!

I have also added the functionality to reverse email addresses using the obscured ( m***@f*******.com ) format that sites like Steam and Facebook put out. It will give you a real result for the domain only, based on the usage of the domain. The system currently has over two hundred and eight million records and over nine million domains. Currently we are calling the system Lazarus.


I have various improvements coming out in the next few months, including more real-time site snapshotting, Tor and VPN auto-detection, and PDF reporting on the WhoIs side. As for the email resolver, we will be adding some error correction to allow easier identification of false positives.

The service will remain ad-free; please feel free to share it and give feedback. You can also reach the site at whoisbyipaddress.com in case you are inept at remembering things and enjoy typing.

Update: Lazarus now has color coding to help those who don't know which common domains are re-mailers, user error on forms, and common.

WhoIsByIP now also detects over 1,500 unique VPN servers across the top 10 VPN providers. Tor nodes have also been updated.

Taking PayPal's $0 invoice one step further.

Recently I saw an article on Bruce Schneier's page regarding a spam vector identified by Troy Hunt, where anyone can send you a $0 invoice. While this may seem like an annoyance rather than a big issue, I see it as a spear-phishing vector when used in conjunction with already-infected PCs.

Imagine your PC has been infected with a RAT or trojan, or someone with a vendetta against you has sent you a malicious URL leading to one of the many Flash or Java drive-by exploits around the net today.

Sure, they have access to your PC and can see what you see; they can also tell when you're active, but that does not give them your banking credentials. Until they send you a $0 bill. The infected user then goes to PayPal's site to inspect the payment, and the attacker's keylogger captures the login credentials as they sign in. You have basically been set up for failure.

I have yet to find a record of this happening, but I did find an example on Twitter of someone being sent $20 and subsequently being 'hacked' the same day.


While the attacker could have obtained credentials from a leak or paste, why would they send the user $20? That serves no other purpose and leaves a PayPal money trail, when they could now simply send a $0 invoice instead.

2015 – Year of the dumps | With big data comes big leaks.

Year of the Dumps – 2015 | It has been an interesting year for monitoring data dumps. The biggest change is that the news has been following them more closely as well. The largest story was Ashley Madison; it will be included in what I feel will be the closest thing this site will ever have to a threat assessment, covering over 100 dumps from various sources around the web. I don't want to focus on how these are pulled off or specifically call out a few grey-market startups, but rather give an overall idea of the status of the dump industry, its targets, and the direction it may be heading.

Without getting into the paper too much, here are a few items it covers:
-100 dumps from various sites
-Breakdown of industry targeted, language, and encryption used.
-Developments and strategies used by individuals with the dumped data for economic gain.
While this serves to give an idea, or a snapshot, of what kinds of industries are vulnerable, it does not scratch the surface of the information if it were possible to capture all the dumps from 2015. Thus only 100 were chosen (don't worry, it's still about 537,879 users, not counting hand-picked ones).
The paper also covers

See below for my paper titled: Year of the Dumps – 2015


BitLocker adds support for XTS-AES 256-bit in Windows 10!

Good news: since my last article, Windows has added support for drive encryption up to XTS-AES 256-bit, provided you are running Windows 10 version 1511 or later.


Currently there is no way to change the encryption method of a drive that is already encrypted. So you will need to decrypt the drive (turn BitLocker off and wait for decryption to finish), set the GPO as written in my previous article, and then encrypt the disk again.


This version is available from Windows Update or from the newest MSDN image.

Just be aware of a few things: removable drives encrypted with XTS-AES cannot be unlocked on earlier versions of Windows, so keep those on AES-CBC if they have to travel. And there is currently an issue with SEDs (self-encrypting drives) and BitLocker, so steer clear if you are using them.

vtech DB dump and the accountability of parents

The vtech hack has been the under-talked story of the week, until it was revealed today that the hacker had access to hundreds of thousands of files that could contain images of children. Suddenly it exploded; you saw news agencies that would not otherwise cover this story all over it.

Broken by Motherboard and Troy Hunt is the fact that vtech (the manufacturer of choice for cheap landline phones) and its line of children's toys had been hacked. While the information currently (2015-12-01) has yet to be sold or traded to the level I have seen elsewhere, it has really started to garner the wrong attention for the wrong reason.

Before I go any further: yes, children should be protected, and yes, vtech messed up. But how this happened should be considered. As stated in previous articles, "assume everything that is encrypted will be decrypted, expect everything that is secret will be known," and when dealing with kids there are no exceptions to this rule. The main goal is to ensure those items (photos, chat logs of children) never exist in the first place.

So let’s step back for a second.

Imagine this: vtech asks their IT dept. to set up a DB and some kind of web UI that allows kids to play games and interact with their toys. They store passwords as plain unsalted MD5 hashes (a fast hash, not encryption, whatever the design doc called it) because they figure, hey, who will want to hack this? Kids don't have that kind of know-how. Then months later marketing sees how well received the online games are and asks the IT team to set up the system the hardware engineers need for shipping a product that lets kids send photos to their parents, communicate, and so on. Code is reused from the original product without thought for the fact that the content it protects now carries a much higher weight in privacy than before.

Is this their fault? Yes. But not just theirs.

Parents were an important part of this process, via the sign-up that requires parents to take part, which Troy Hunt covers in his well-written article. The amount of trust they put into vtech was unwarranted, and unfair to them. However, it bears the heavy burden of a good lesson: don't trust a private company with private information about your child. If we can't keep our affairs on Ashley Madison secret, then how can we expect more for a child? Some parents don't want to give phones or unmonitored internet access to kids 4 to 9 years of age (the recommended age for this product on amazon.com). So why give them access to products that allow malicious hackers to view photos of your kids?

I neglected to write an article about this for a number of days because it was just yet another data leak. But the fact that innocent kids' images have been included in the leak, I feel, crossed a line. No one likes public data leaks, even less so when they are in them. But some companies fail to heed the warning given to them by the exploiter, even when it is given in good faith, so the exploiter feels they must leak the data in order to make a point and keep more malicious users away. I hope, for the sake of the kids, this leak does not get more public than it already has.

So what’s the solution?

vtech should have built in a higher level of cryptography and of privacy (i.e. obscuring the children's information in their DB) before it was rolled out. That means something stronger than unsalted MD5: MD5 is a fast hash designed in 1991 whose first flaws were found in 1996, and even an unbroken fast hash lets an attacker test billions of guesses per second against every record at once. Passwords need a per-user random salt and a deliberately slow hash (bcrypt, scrypt, PBKDF2 or Argon2). It's sad to think that the protection built into the forum you use to buy car parts for your 1992 Honda Civic is stronger than the one that lets you talk to and see your children.
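To make the difference concrete, here is an added PowerShell example (not vtech's code and not from the original post) that builds a small constructed "dump" of unsalted MD5 hashes, cracks it with a five-word list using one hash computation per word, and then stores the same passwords with a random salt and PBKDF2-HMAC-SHA1 via .NET's Rfc2898DeriveBytes. The function names, the user names and the wordlist are all invented for the example; the hashing calls are standard .NET.

```powershell
# Added example, not from the original post or anything vtech shipped.
# Runs on Windows PowerShell 5.1 or PowerShell 7; no modules needed.

function Get-Md5Hex([string]$Text) {
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = $md5.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    -join ($bytes | ForEach-Object { $_.ToString('x2') })
}

# Constructed dump: user -> unsalted MD5, the storage the post describes.
# parent01 and parent03 chose the same password, so their hashes are identical.
$Dump = @{
    'parent01' = Get-Md5Hex 'password1'
    'parent02' = Get-Md5Hex 'letmein'
    'parent03' = Get-Md5Hex 'password1'
    'parent04' = Get-Md5Hex 'correct horse battery staple'
}
$Wordlist = @('123456', 'password', 'password1', 'letmein', 'qwerty')

function Invoke-Md5DumpCrack([hashtable]$Dump, [string[]]$Wordlist) {
    # Hash each candidate once, then look every record up in the table:
    # cost is O(wordlist), not O(wordlist * users), and shared passwords fall together.
    $table = @{}
    foreach ($w in $Wordlist) { $table[(Get-Md5Hex $w)] = $w }
    $found = @{}
    foreach ($user in $Dump.Keys) {
        if ($table.ContainsKey($Dump[$user])) { $found[$user] = $table[$Dump[$user]] }
    }
    return $found
}

# What the storage should have looked like: 16 random salt bytes per user and an
# iterated KDF. PBKDF2 is used here because it is in the base .NET framework;
# bcrypt, scrypt or Argon2 are preferable where a library is available.
function New-PasswordRecord([string]$Password, [int]$Iterations = 100000) {
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $kdf  = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $salt, $Iterations)
    $hash = $kdf.GetBytes(32)
    # Record format (invented for the example): pbkdf2$iterations$salt$hash, base64 fields.
    return "pbkdf2`$$Iterations`$$([Convert]::ToBase64String($salt))`$$([Convert]::ToBase64String($hash))"
}

function Test-PasswordRecord([string]$Password, [string]$Record) {
    $parts    = $Record.Split('$')
    $salt     = [Convert]::FromBase64String($parts[2])
    $expected = [Convert]::FromBase64String($parts[3])
    $kdf      = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $salt, [int]$parts[1])
    $actual   = $kdf.GetBytes($expected.Length)
    # Constant-time compare so a timing difference does not reveal how many bytes matched.
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($expected[$i] -bxor $actual[$i]) }
    return ($diff -eq 0)
}

$cracked = Invoke-Md5DumpCrack $Dump $Wordlist
"Cracked $($cracked.Count) of $($Dump.Count) unsalted MD5 records with a $($Wordlist.Count)-word list:"
$cracked.GetEnumerator() | Sort-Object Name | ForEach-Object { "  $($_.Name) -> $($_.Value)" }

$r1 = New-PasswordRecord 'password1'
$r2 = New-PasswordRecord 'password1'
"Same password, salted twice, records differ: $($r1 -ne $r2)"
"Verify correct password: $(Test-PasswordRecord 'password1' $r1)"
"Verify wrong password:   $(Test-PasswordRecord 'letmein' $r1)"
```

Three of the four constructed records fall to the five-word list, and parent01 and parent03 fall together because unsalted hashes of equal passwords are equal. With the salted records, the two entries for the same password differ, so a precomputed table is useless, and each guess costs 100,000 HMAC iterations instead of one MD5.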

The parents: this is a tough one, as it requires absolute vigilance on the parents' end, and how can you trust the thousands upon thousands of vendors out there? The fact of the matter is you can't, and you don't have to. Just make judgement calls on products, such as: does my 4-year-old really understand the complications of their toy being on Wi-Fi all the time? No? Then maybe I should look into something else.

It's hard to be a parent, but in the season for giving to the ones we love, we should not avoid items that flash or are from the future, or are even from vtech. We should avoid placing in our kids' hands the items that allow people of a malicious nature to take over.

In ending, this is not a call for you to put your children in tinfoil hats, or to walk to vtech and burn down their offices, but rather a word of warning. The internet holds a lot of information that kids, adults, and even computers can learn from. We should not limit it, nor should we fear it. We just need to be aware of the weight of putting into it what we don't want, knowing someday it might just come back out.

 

Political doxing and corporate accountability.

Doxing (Wikipedia)

Doxing (from dox, abbreviation of documents), or doxxing, is the Internet-based practice of researching and broadcasting personally identifiable information about an individual.

The methods employed to acquire this information include searching publicly available databases and social media websites (like Facebook), hacking, and social engineering. It is closely related to internet vigilantism and hacktivism.

Doxing may be carried out for various reasons, including to aid law enforcement, business analysis, extortion, coercion, harassment, online shaming and vigilante justice.

Both Bruce Schneier and Brian Krebs have written excellent articles this week that I feel need to cross paths. If you have not read them yet, it's ok, I'll wait.

We all know Lizard Squad happened last year, but I feel that the COX fine mentioned in Brian's article is a precursor to a standard procedure that will eventually be filed against AOL regarding the CIA Director John Brennan dox.

In short, Lizard Squad was a group of internet antagonists (DDoS) that used social engineering to gain access to accounts belonging to 60 COX cable customers. These were used for doxing and impersonation. Some see social engineering as simply a method for getting personal data, but it is often used for privilege escalation: one compromised support account yields access to many more, from celebrities to disliked bosses. A gateway hack, as it were.

What is interesting is that COX is actually being held accountable for this issue, mostly because they held private information and improperly gave Lizard Squad members access to it. This is important in two ways.

-It shows that social engineering works well enough that your front-line personnel need to be aware, even Janet in the call center.

-It should scare the shit out of IT admins who do not keep up to date with patching and security practices. If a company can be held liable for how data is stored and who has access to it, those decisions belong with the CTO or CSO; but generally systems are set up, tested, and put into production with security as an afterthought. That's a conversation for another time.

If COX can be fined $595,000 for being tricked into giving a member of Lizard Squad access to their customers' data, I have a feeling AOL has one of these coming too after the more recent CIA Director John Brennan incident. The COX fine is just the beginning: organizations need to wake up and handle their customers' and employees' data properly, because this is not going away any time soon.

 

Android will automatically require full disk encryption.

Soon Android vendors will need to make full-disk encryption the default on new devices (provided the hardware has the crypto performance for it); it seems the only other requirement is that the device features a lock screen.

Taken from the Android Compatibility Definition Document (CDD):
https://static.googleusercontent.com/media/source.android.com/en//compatibility/android-cdd.pdf 


This is great news, but Google should focus on securing how the device is encrypted before making it mandatory for all users. Not to mention, it's generally human error that gives you away on your phone. A very sobering and appropriate comment from a Gawker user:

[comment screenshot]

With mobile platforms more and more commonly being accepted as payment methods, I feel this is Android's push to get their platform secure for a new type of Google Checkout / PayPass. This will also make your phone a larger and larger attack surface for carders.

Bundled with the fact that employers are allowing much more BYOD, this can become an issue. But until that happens, here is a hashcat thread on how to capture and brute force the keys if you are doing data forensics on the device, provided you know how to use hashcat and have spare CUDA cores.

But hey, if you're short a few cores, Nvidia's Test Drive has not been abused yet, since they are still letting users sign up. I am surprised it has not become an issue.


*Note: I don't recommend abusing Nvidia's free service to crack Android or other passwords. But I am surprised they don't put more hurdles in place to prevent someone from doing this, or from using them as a seedbox.

 

Increase BitLocker cipher strength to AES 256 | Plus automated drive dismounting!

BitLocker is good. I'm not going to say great, but good, as in good enough to get the job done while giving users a relatively safe encryption suite built right into Windows that will keep your files (when implemented properly) safe from people who may want access to your PC or laptop. Mileage may vary when dealing with government entities.

However, did you know that BitLocker has various settings that can be configured to increase overall security? If you're using the default settings, take a look below:

Problem: How do I set bitlocker up to be more secure?

Solution: Raise the cipher strength.
Before I show you how, I want to make something clear: assume everything you encrypt can be decrypted; it is just a matter of time. This does not mean don't encrypt, it just means that encryption only buys you time when dealing with government entities, or a passionate individual with a 32-GPU cluster and a vendetta. In practice the cipher itself is rarely the weak link; a guessable PIN or password, a recovery key left lying around, or keys still in RAM while the drive is mounted are what actually get attacked.

Either way more security is always better than none at all. Back on task!

First we need to set the cipher strength. This setting only applies to volumes encrypted after it is set, so if you have already encrypted the drive you will need to decrypt it and encrypt it again. Open up gpedit.msc with Start > Run > gpedit.msc.

Once you have it open, expand the following tree:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

Here you will see various options, but the one we want is: Choose drive encryption method and cipher strength. Set it to Enabled and choose AES 256-bit from the dropdown.

Once this is set, press OK. Now you will need to set BitLocker back up; it is assumed you have done this already, if not head over to Microsoft's instructions. Afterwards, manage-bde -status will show the method in use under "Encryption Method", which is the quickest way to confirm the policy took effect.
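This article and the XTS-AES update above both come down to the same Group Policy setting, so here is one PowerShell equivalent for both (an added example, not from either original post): it writes the local-policy registry values the Windows 10 1511+ version of the GPO uses for XTS-AES 256, then reports every BitLocker volume whose current method does not match, since the policy only governs new encryption. The registry path and value names are the ones the policy editor writes; the two function names are invented for the example. On Windows 10 before 1511 the setting in this article writes a single DWORD named EncryptionMethod instead (4 = AES 256-bit). Run it from an elevated prompt.

```powershell
# Added example, not from the original posts. Needs an elevated PowerShell on
# Windows 10 1511 or later with the BitLocker module (Get-BitLockerVolume).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Wanted    = 'XtsAes256'

# The GPO "Choose drive encryption method and cipher strength (Windows 10 [Version 1511]
# and later)" writes one DWORD per drive class:
#   7 = XTS-AES 256-bit, 6 = XTS-AES 128-bit, 4 = AES-CBC 256-bit, 3 = AES-CBC 128-bit.
$Values = @{
    EncryptionMethodWithXtsOs  = 7   # operating system drives
    EncryptionMethodWithXtsFdv = 7   # fixed data drives
    EncryptionMethodWithXtsRdv = 4   # removable drives: AES-CBC so older Windows can still unlock them
}

function Set-BitLockerCipherPolicy {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $Values[$name] -PropertyType DWord -Force | Out-Null
    }
}

# The policy does not touch existing volumes. List what each one is really using and
# flag anything encrypted with a weaker method, so you know what to decrypt and redo.
function Get-BitLockerCipherReport {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            ProtectionStatus = $_.ProtectionStatus
            VolumeStatus     = $_.VolumeStatus
            EncryptionMethod = $_.EncryptionMethod
            NeedsReencrypt   = ($_.VolumeStatus -ne 'FullyDecrypted') -and ($_.EncryptionMethod -ne $Wanted)
        }
    }
}

Set-BitLockerCipherPolicy
Get-BitLockerCipherReport | Format-Table -AutoSize
```

For any volume reported with NeedsReencrypt set, run Disable-BitLocker on it, wait until Get-BitLockerVolume shows VolumeStatus FullyDecrypted, then enable BitLocker again; the new volume will pick up the policy. Removable drives are deliberately left on AES-CBC 256 here because an XTS-encrypted stick cannot be unlocked on Windows versions that predate XTS support.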

BONUS ROUND! How can I automatically dismount encrypted bitlocker drives?

Don't forget, to err is human! Leaving your drives mounted could lead to unforeseen consequences if you are visited late at night by unsavory officials, someone breaks into your house or hotel room, or steals your laptop. With the drives left mounted the keys are in memory and the drives are accessible; a data drive does not lock again until you reboot or lock it by hand.

So how can you solve this? Easy: create a scheduled task that locks the drive after a predefined period of idleness or on a schedule. Note that this only works for data drives; the operating-system drive cannot be locked while Windows is running from it.

First hit Start, type in Task Scheduler and open it up.

Next right-click and choose Create Basic Task... Don't worry, we will change it during the setup process.

Give it a name and a snazzy description.

The next two windows are at your discretion; fill them out based on your needs, since they set how often the job will run. You will eventually be asked "What action do you want the task to perform?" Choose Start a program.

In the next window you will want to paste in:
manage-bde.exe -lock -ForceDismount E:

E: is the drive letter you want to lock with BitLocker; customize this for your own setup. Windows will tell you it thinks you don't know the proper syntax and offer to move the arguments into the separate "Add arguments" box. That is fine; for the sake of not wanting two screenshots in the article, hit Yes and Windows will split it for you.

Voila! Hit Next and you're done. You have just increased the security of your BitLocker setup with minimal effort and maximum gain. To confirm it actually works, run the task once and check manage-bde -status E:, which should now report "Lock Status: Locked". Keep in mind that -ForceDismount closes any open files on that drive, so unsaved work there is lost.

Here is a list of other BitLocker command options in case you're interested.
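The same task can be registered from PowerShell instead of clicking through the wizard, which also lets you add the idle trigger the basic-task wizard does not offer. This is an added example, not from the original post: it uses the post's own manage-bde command as the action, adds a nightly trigger plus an idle trigger, runs as SYSTEM so no stored password is needed, and ends with a check that the lock actually took. The drive letter, task name, 15-minute idle window and the Test-BitLockerLocked helper are assumptions for the example.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
# Assumes E: is an encrypted BitLocker *data* volume; the OS volume cannot be
# locked while Windows is running from it.

$Drive    = 'E:'
$TaskName = 'Lock BitLocker data drive'
$IdleFor  = New-TimeSpan -Minutes 15

# Same command the post puts in the wizard. -ForceDismount closes open handles,
# so anything unsaved on that drive is lost: choose the idle window accordingly.
$Action = New-ScheduledTaskAction -Execute 'manage-bde.exe' -Argument "-lock -ForceDismount $Drive"

# Task Scheduler has an idle trigger, but New-ScheduledTaskTrigger does not expose it,
# so it is created from the underlying CIM class. The nightly trigger is a plain daily one.
$IdleClass      = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' -ClassName 'MSFT_TaskIdleTrigger'
$IdleTrigger    = New-CimInstance -CimClass $IdleClass -ClientOnly
$NightlyTrigger = New-ScheduledTaskTrigger -Daily -At 2am

# -RunOnlyIfIdle/-IdleDuration define what "idle" means; -IdleWaitTimeout bounds how long
# the nightly run may wait for the PC to become idle before giving up.
$Settings = New-ScheduledTaskSettingsSet -RunOnlyIfIdle -IdleDuration $IdleFor `
    -IdleWaitTimeout (New-TimeSpan -Hours 1) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

# manage-bde -lock needs administrator rights; SYSTEM has them and needs no stored credential.
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger @($IdleTrigger, $NightlyTrigger) `
    -Settings $Settings -Principal $Principal -Force | Out-Null

# Check: BitLocker's own view of the volume, the same thing manage-bde -status prints.
function Test-BitLockerLocked([string]$MountPoint) {
    (Get-BitLockerVolume -MountPoint $MountPoint).LockStatus -eq 'Locked'
}

# Exercise the action directly once so you know the command and drive letter are right.
& manage-bde.exe -lock -ForceDismount $Drive | Out-Null
"$Drive locked: $(Test-BitLockerLocked $Drive)"
```

If the volume has auto-unlock enabled it will unlock again at the next boot once the OS volume does, so the task covers the "left running" case, not a cold boot. That is fine for the threat in the post, a machine seized or stolen while it is up.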

Let's Encrypt | How the future of SSL has come to the penniless.

A great product called Let's Encrypt will be coming out in the near future. One of the best things about this service is how easy it will be to manage the SSL certificates. Oh, and it's free! That's right, web monkeys and hobbyists: stop paying GoDaddy for your SSL certs every year and spend your hard-earned money on beer!

Problem: My certificate says it's invalid, or I'm too poor / lazy to buy my own certificate for $100 a year from my current domain provider.

Solution: Use Let's Encrypt in the week of November 16, 2015!

A lot of people may say, who cares? Well, they are wrong: Let's Encrypt will allow people to spend more time developing their product and less time learning the difference between UCC and wildcard certificates, let alone how to make the CSR. In fact the whole renewal process will be automated as well, assuming you're using a compatible OS.

Let's Encrypt is supposed to be so simple to use, in fact, that even people who were marketed Drobos will be able to use it.

The reason I waited so long to post an article about this was the burning question: will it work, and am I required to install an intermediate certificate? (This is sometimes the case with BlowDaddy, just to have the client see the certificate as valid.)

Well you can see for yourself on their live test page located here.

I'm looking forward to this forward-thinking method of creating a more secure web and will be lined up on the 16th of November to start applying for certificates.

Notes: I do think that learning how SSL certificates work is a great idea, but for those of you who already know, Let's Encrypt is a great way to quickly get your web service online at zero cost.