#hwactivity

Find an example of something in everyday life that could be easily faked and explain how it might be achieved. 

Social Media is something that people use in everyday life and its a pillar of society where people are free to express their views and sentiments.  Given that, and the impact social media can have, making accounts on social media is very easy. They usually ask for name, email, age and all this information can be faked. With regards to email, osintframework.com has resources such as https://randomuser.me/ or https://backgroundchecks.org/justdeleteme/fake-identity-generator/ which provide all this information but also generated usernames/passwords and profile photos.   If a service requires you to verify your email address, you can use a temporary email account such as https://10minutemail.com/10MinuteMail/index.html. The email address exists for 10mins and then disappears (and it’s unrecoverable).  Sometimes, quite advanced services require a mobile number. For this, you can use services like twillio or google voice.  Creating fake/temporary social media accounts is actually a show on youtube

Found out some info for this post via 

SO Appropriate to my something awesome project, this week’s task is to choose a service and download all our information from that service.  I chose Facebook, unfortunately, creating the zip with all my information was taking a very very long time. I eventually canceled my request and made another with a limited subset of information, particularly that which facebook gives to advertisers.  This is what a got from facebook:

Ads: “Your interests based on your Facebook activity and other actions that help us show you relevant ads”

This was really interesting, while there were some topics I would say I’m interested in, there were others which were random. Eg. Some Indonesian technology company, fashion and design, couch??? Come on facebook, if you are gonna collect all my data, get it right.

Another thing facebook gives you is all the companies who have uploaded your information as part of their contact list. Basically, you’ve given them your information at some point (ie. signed up for a newsletter, etc) and they are using that information to now run facebook ads against you. So I was able to see all the companies (which there weren’t that many) who do this. I wonder if there's a way to remove myself from their list. 

Facebook also tells you which ads you’ve clicked on. 

Location: Nothing. I am so happy about this, I find companies collecting location information is super creepy so I'm happy facebook doesn’t have this.

About you: 

Peer Group: University. That’s all it said. Not sure what this is for? 

Facial Recognition: Had a bunch of data which didn’t make much sense on facial recognition. It also had a number for the number of matches currently. 

Address Book: A list of email addresses of all your friends who have made this public to friends. This is creepy, no one knows that facebook has this feature. Keep people’s personal emails private.

Hello, I’m from Nigeria, you are a secret Nigerian Prince/Princess. Please give me your bank details so I can transfer you $4million rubles.  ---

This week we had to try and formulate emails designed to make people send confidential information like social media logins and bank account details Here’s how i went:

One time pads are fantastic if you can use them because if the key is truly random then the encryption is unbreakable. The issue with one time pads is key distribution and because of this, sometimes people use the same key all over again for different messages. THIS IS BAD! This allows an attacker to try and guess and check your key sequence and decipher your messages.  Using a key more than once is called a Many Time Pad, this week we had 5 messages and had to decipher them using what we knew about how one time pads worked (just a simple XOR).  The secret messages are below:  1. LpaGbbfctNiPvwdbjnPuqolhhtygWhEuafjlirfPxxl

2. WdafvnbcDymxeeulWOtpoofnilwngLhblUfecvqAxs

3. UijMltDjeumxUnbiKstvdrVhcoDasUlrvDypegublg

4. LpaAlrhGmjikgjdmLlcsnnYmIsoPcglaGtKeQcemiu

5. LpaDohqcOzVbglebjPdTnoTzbyRbuwGftflTliPiqp

Message 1, 4 and 5 start off with LPA which could very likely be ‘THE’. So, we assume this is the case and try to find the key: 

(x + T(20))mod26 = L(12) ; x = 18

(x + H(8))mod26 = P(16) ; x = 8 

(x + E(5))mod26 = A(1) x = 22 So we find that the first three parts of our key could be 18 8 22. Using this we try to decrypt the first three letters of message 2,3. 

1. LPA -> THE

2. WDA -> EVE

3. WIJ -> CAN

4. LPA -> THE

5. LPA -> THE

Here, we need to use this information to guess the next possible decryption. EVE could be short for EVERY. Assuming this, we can find that the key sequence becomes 18 8 22 14 23. Thus the messages become

1. THE SE

2. EVERY

3. CAN YO

4. THE MO

5. THE PR

From here, I guessed that in message one SE was short for SECRET, YO was short for YOU and MO was short for MOST. Using this information I found the next possible key sequence 18 8 22 14 23 25 14 24. 1. THE SECRET

2. EVERYONE

3. CAN YOU PL

4. THE MOST I

5. THE PRICE 

From here I guessed message 3: CAN YOU PLEASE and message 4 could possibly be THE MOST IMPORTANT. Continuing this process I finally found out the secret messages:

Message 1: The Secret To Winning Eurovision Is Excellent Hair

Message 2: Everyone Deserves A Hippopotamus When Theyre Sad

Message 3: Can You Please Help Oliver Find The Flux Capacitor

Message 4: The Most Important Person In The World Is Me Myself

Message 5: The Price Of Bitcoin Is Too Damn High Given The Data

This was a realllyyyy lengthy process and I probably should’ve spent some time thinking about how to automate this. I did try and use some online tools but they did calculations differently so it didn’t help. But it did show that it’s not too hard (especially when automated) to decipher these ‘perfect’ encryptions. 

Week 6: Threat Modelling Threat Modelling is the practice of identifying all the assets and then all the threats on said assets. An attacker only needs to find one weakness in our defenses, thus as a defender creating a threat tree helps us identify all possible attack vectors (especially the unique and low probability ones). For this exercise, I had to imagine that I’m working for a company that distributes high voltage power across the country. If the network goes down there are huge ramifications to society:

Lifts, trains, traffic lights would cease to function, rendering our cities in difficulty. Within 6 hrs 3G/4G radio communications would no longer work, knocking out key communication channels. Water pumping stations and treatment facilities are unable to supply water to the city systems. After 11 hours, sewerage treatment plants would be inoperable, resulting in effluent and raw sewerage being discharged in the harbor and beaches. Hospitals become incapable of servicing patients at scale, turning patients away. Food becomes scarce as logistics networks shut down and cash becomes scarce.

The above photo is what I came up with.

Hi Nani & Nanu! 

Remember that time I helped you set up your passwords for things, yeah well we need to revisit that. Since then I have gone and got something called an education and wow...we need to change some of your passwords. 

Heres some stats:

47% of passwords based on a name

42% based on significant dates or numbers, such as birthdays

26% based on pets

14% based on locations or places of interest 

20-38% of surveyed users reuse the same password across different sites

20-27% modify an existing password across multiple services

Ok, but what’s the problem with this? Well, attackers can figure out passwords made from the first four by looking at your social media! and if they manage to crack one password then it may be used across many sites! So passwords like 

BestGrandson123

Probably not the best password because there’s a lot of relevant context in it. Even though the worst-case scenario would mean that it would take 2.48 hundred trillion centuries to crack, there are better alternatives. 

Pjo1i2309uf2!

This one, although it’s hard to remember, is much, much harder to crack. In fact, this one will take 16.50 trillion centuries to crack (^_^).

Now I know what you’re thinking, who would want your password? Well, it’s not about directly attacking you, hackers attack companies and then sell that information online. Ok, but if they take say 1million passwords from a company surely it’ll take sooooo long to crack all of them that even if your password was taken you wouldn’t really have to worry too much. Wrong again I’m afraid.

https://medium.com/hackernoon/20-hours-18-and-11-million-passwords-cracked-c4513f61fdb1

This lady managed to crack 11 million passwords in less than 1 day for only $18. 

So here are some rules for making a good password:

Create a long password (at least 12 characters)

Make it unique to each site

Add capital letters, numbers, symbols (symbols are great! use them!)

Avoid using words from a dictionary.

Make sentences that don’t make sense to anyone but you

You can use this site to judge whether or not the passwords you’re creating are strong! https://www.grc.com/haystack.htm

Summary During the cold war, the USA had Titan II Intercontinental Ballistic Missiles (ICBMs) fitted with Nuclear warheads. The power of just one ICBM would be the same as all explosives used in WW2 combined - times 3. The secret nuclear missile silos that housed these ICBMs would be manned by many crews of airforce personnel. The job of many such crews was to uphold the maintenance of the missiles so that they were always ready and so that they wouldn't explode in the silos themselves. On one particular day, inexperienced and rushed crew members made a fatal mistake which caused one such missile to explode while still in the silo.  Assets

There are two clear assets from the Air Forces perspective in this scenario.  1. Safety of immediate Air force personnel working in the silo and on the base

2. Protection of the warhead to ensure it’s in a working state but doesn’t explode until ready.

Threats

1. Crew Staff: While maybe not apparent at the time, a clear threat to the missile was the people that came in contact with it on an everyday basis. 

2. System Failure: Any malfunctions or attacks to the monitoring or control systems could lead to the missile launching by accident and killing millions of people. 

Mitigation Steps

1. Invest in using a less violent fuel source or a solid (rather than liquid) fuel source.

2. Keep a set of spare tools close to the launch bay so that if someone forgets something, they don’t need to consider being lazy about the work

3. A rubber padding that is always secure using suction.

4. A culture where admitting mistakes is encouraged rather than punished. This caused a huge loss of time in the response time to the core problem.