Insights For Success

Strategy, Innovation, Leadership and Security

How to fix issues at hotels, airports and other public WIFI hotspots

General | Edward Kiledjian

A captive portal is the intercept page you see when trying to log into most free public WIFI hotspots (e.g. airport, restaurant, hotel, etc.). You are normally shown a page that collects your email and then asks you to agree to the provider's terms and conditions.

As browsers on every platform (iPhone, Android, Windows, Mac, iPad, etc.) adopt more secure protocols by default, there are situations when your device may not trigger the portal webpage correctly. The browser may block the redirection to the portal page because that redirect is typically delivered over unsecured HTTP.

In some cases, devices will attempt to detect and open an unencrypted webpage to allow the public WIFI router to inject a redirect URL. WirelessPhreak has a good technical article that discusses why newer, more secure technology is causing this issue.

Each smartphone manufacturer uses a different non-SSL webpage to detect a captive portal:

  • Google Android: http://connectivitycheck.gstatic.com/generate_204
  • Apple iPhone & iPad: http://captive.apple.com/hotspot-detect.html

What do you do if that automated portal detection doesn't work? How do you trigger the captive portal?

Enter the webpage Never SSL. If you are connected to a public WIFI network (that should work) but are not seeing the captive portal, open your browser of choice and navigate to http://neverssl.com/

This will fix your issue and you should be bathed in warm loving WIFI Internet. 
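The detection mechanism described above can be reproduced by hand. The script below is an added example (not code from this article, from WirelessPhreak or from neverssl.com): it fetches the same plain-HTTP probe URLs a phone uses and classifies the answer the way the device does, treating a 3xx redirect or an injected meta refresh as "captive" and reporting the portal URL so you can open it in a browser. The marker strings and the "unknown" handling are my assumptions, not a published specification.

```python
"""Captive-portal probing the way a phone does it.

Added example (not code from the article or from WirelessPhreak/neverssl.com).
A device fetches a plain-HTTP URL whose normal answer it already knows: an empty
HTTP 204 for generate_204, a tiny fixed page containing "Success" for Apple's
hotspot-detect.html. A hotspot that wants you to log in rewrites that answer,
usually with a 302 to its login page or a page carrying a meta refresh, which is
what classify() looks for. Marker strings and the "unknown" verdict are my own
assumptions, not a published spec.
"""
import re
import urllib.error
import urllib.request

PROBES = {
    "android":  "http://connectivitycheck.gstatic.com/generate_204",
    "apple":    "http://captive.apple.com/hotspot-detect.html",
    "neverssl": "http://neverssl.com/",
}

# (expected status, lower-case byte string that must appear in the body) when the
# internet is open. b"" matches any body, so the Android probe is judged on the 204 alone.
EXPECTED = {
    "android":  (204, b""),
    "apple":    (200, b"success"),
    "neverssl": (200, b"neverssl"),
}

# <meta http-equiv="refresh" content="0; url=http://portal/..."> injected by some hotspots
META_REFRESH = re.compile(rb'http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', re.I)


def classify(probe, status, location, body):
    """Turn one probe answer into ('online' | 'captive' | 'unknown', portal_url_or_None)."""
    if 300 <= status < 400 and location:
        return "captive", location                      # hotspot redirected us to its portal
    found = META_REFRESH.search(body)
    if found:
        return "captive", found.group(1).decode(errors="replace")
    expected_status, marker = EXPECTED[probe]
    if status == expected_status and marker in body.lower():
        return "online", None                           # the answer reached us unmodified
    if status == 200:
        return "captive", None                          # 200 but not the page we expected: rewritten
    return "unknown", None                              # filtered, erroring or half-working network


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx; the redirect target is exactly the information we want."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None                                     # makes urllib raise HTTPError for the 3xx


def probe(name, timeout=5.0):
    """Fetch one probe URL over plain HTTP and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(PROBES[name], timeout=timeout) as resp:
            return classify(name, resp.status, resp.headers.get("Location"), resp.read())
    except urllib.error.HTTPError as err:               # 3xx/4xx/5xx arrive here
        body = err.read() if err.fp is not None else b""
        return classify(name, err.code, err.headers.get("Location"), body)
    except (urllib.error.URLError, OSError) as err:     # DNS failure, TCP reset, timeout
        return "unknown", f"no answer: {err}"


if __name__ == "__main__":
    for name in PROBES:
        verdict, detail = probe(name)
        print(f"{name:9s} {verdict:8s} {detail or ''}")
```

Run it on the hotspot before opening a browser: a "captive" verdict with a URL tells you where the login page lives, while "online" on every probe means the hotspot is already letting you through and the problem is elsewhere (for example a DNS or HTTPS issue rather than an unfired portal).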

Fun with Shodan and IOT

Edward Kiledjian

Read this related article: Find phishing and malware with a simple search

Search engines have become a favourite starting point for threat actors, so they should also be your starting point. Beyond Google, there are a number of specialized search engines that are both powerful and scary. This article talks a bit about Shodan; think of it as a gentle introduction.

What is Shodan

Shodan is often called the world's most dangerous search engine. It catalogues metadata about the hosts it scans, and those hosts are often Internet of Things (IoT) devices. Hackers and security researchers use Shodan daily to find vulnerable webcams, open traffic light systems, SCADA systems in manufacturing plants and much more.

I'm going to assume you have a free Shodan account.

Browse the categories

If you visit the Shodan Explore section, you can find all kinds of interesting systems listed.

Unprotected webcam

For this example, I searched for the Axis 212 webcam which is known to have many vulnerabilities and a known default password.

As an example, the webcam I highlighted seems to be in a daycare facility and isn't even password protected.

I've blurred out the children and teacher.

Some are unprotected. Some have kept their default passwords (there are lots of default password lists like this one). Obviously many of these cameras are made by a handful of manufacturers in China and are never updated. Once you find a vulnerability on one model, it often works on dozens of others.

Routers

You can search Shodan for common router brands like Belkin, D-Link, Netgear, etc., and then try to log in using the default admin passwords. Above is an example of a Linksys router exposed to the internet without a password. Others are exposed with the default password.

Intel AMT Exposed to the internet

There is a major Intel AMT vulnerability, but Shodan shows that 4,647 devices with AMT were connected to the internet (as of July 22).

If you search for "http intel active management" in Shodan, you will get a listing of these devices.

Other searches you can perform

Netgear device with port 80 open to the internet

Bitcoin servers

You can even use the Shodan ShipTracker dashboard to track ships in real time.

ShipTracker is harmless on its own, but combined with data available from other sources and the knowledge that many ship systems use default passwords, it is a disaster waiting to happen.

There is a known vulnerability that allows a threat actor to steal or modify information from a Memcached server. This vulnerability was used to target GitHub with a massive DDoS attack. Not all Memcached servers are vulnerable (I won't show you how to find the vulnerable ones), but how would you search for Memcached servers on the net? The answer is with a Shodan query.

Conclusion

Obviously, this is just the tip of the iceberg. A true threat intel specialist will be able to automate Shodan queries and combine them with known vulnerabilities, exploits or default credentials. I hope this article sparked a bit of interest in learning more.

For this article, I only chose examples that were exposed to the internet and were not password protected. Be careful, as laws differ around the world; in some countries even testing default passwords could be considered "hacking".
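The conclusion mentions automating Shodan queries, and the safest place to start is your own address space: the exposed AMT, Memcached and camera interfaces discussed above are exactly what a defender wants to find in their own netblocks before someone else does. The script below is an added example, not code from this article or from Shodan. It uses the official `shodan` Python library (pip install shodan; the key must be entitled to search filters) only for a live query scoped with a net: filter to ranges you own, and runs the classification over plain dictionaries so it can be exercised offline against a constructed sample. The field names ip_str, port, product, data and timestamp are the library's; the port table and banner fragments are my own heuristics, not a Shodan feature.

```python
"""Attack-surface review of your own netblocks with Shodan.

Added example, not code from the article. The live call uses the official `shodan`
Python library scoped with a net: filter so the query only ever returns hosts in
ranges you own; classification runs on the plain dictionaries Shodan returns, so it
is exercised here against a constructed sample. Field names ip_str, port, product,
data and timestamp are the library's; the port and banner heuristics below are my
own assumptions about what an exposed AMT, Memcached or camera web interface looks
like, not a Shodan feature.
"""
import ipaddress

# Services the article discusses that should not be reachable from the internet.
RISKY_PORTS = {
    16992: "Intel AMT (plain HTTP)",
    16993: "Intel AMT (TLS)",
    11211: "Memcached",
}
# Banner fragments (lower-case substring match; heuristic, expect some false positives).
RISKY_BANNERS = {
    "intel(r) active management": "Intel AMT web UI on a non-standard port",
    "axis": "Axis camera web UI (check model)",
    "memcached": "Memcached",
}


def review_match(match, own_nets):
    """Return a finding for one Shodan match inside our ranges, or None if not ours or benign."""
    ip = ipaddress.ip_address(match["ip_str"])
    if not any(ip in net for net in own_nets):
        return None                      # the net: filter should prevent this, but never trust input
    port = int(match["port"])
    text = f'{match.get("product") or ""}\n{match.get("data") or ""}'.lower()
    reason = RISKY_PORTS.get(port)
    if reason is None:
        reason = next((label for needle, label in RISKY_BANNERS.items() if needle in text), None)
    if reason is None:
        return None
    return {"ip": str(ip), "port": port, "reason": reason, "seen": match.get("timestamp")}


def review_matches(matches, own_cidrs):
    """Classify every match and return findings sorted by address and port."""
    own_nets = [ipaddress.ip_network(cidr, strict=False) for cidr in own_cidrs]
    findings = [f for f in (review_match(m, own_nets) for m in matches) if f is not None]
    return sorted(findings, key=lambda f: (ipaddress.ip_address(f["ip"]), f["port"]))


def fetch_matches(api_key, own_cidrs):
    """Live query: one net: search per range (needs the shodan package and an API key
    entitled to use search filters). Returns the raw match dictionaries."""
    import shodan                         # imported here so the offline review runs without it
    api = shodan.Shodan(api_key)
    matches = []
    for cidr in own_cidrs:
        matches.extend(api.search(f"net:{cidr}")["matches"])
    return matches


# Constructed sample in the shape of Shodan's "matches" list; 203.0.113.0/24 and
# 198.51.100.0/24 are reserved documentation ranges, not real hosts.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 16992, "product": None, "timestamp": "2018-07-22T10:00:00",
     "data": "HTTP/1.1 200 OK\r\nServer: Intel(R) Active Management Technology 11.8.50\r\n"},
    {"ip_str": "203.0.113.20", "port": 11211, "product": "Memcached", "timestamp": "2018-07-22T10:01:00",
     "data": "STAT pid 1234\r\nSTAT uptime 86400\r\n"},
    {"ip_str": "203.0.113.30", "port": 443, "product": "nginx", "timestamp": "2018-07-22T10:02:00",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"},
    {"ip_str": "203.0.113.40", "port": 80, "product": None, "timestamp": "2018-07-22T10:03:00",
     "data": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="AXIS 212 PTZ"\r\n'},
    {"ip_str": "198.51.100.5", "port": 11211, "product": "Memcached", "timestamp": "2018-07-22T10:04:00",
     "data": "STAT pid 99\r\n"},
]

if __name__ == "__main__":
    # Offline run over the sample; swap in fetch_matches(API_KEY, ["<your CIDR>"]) for a live review.
    for f in review_matches(SAMPLE_MATCHES, ["203.0.113.0/24"]):
        print(f'{f["ip"]:15s} {f["port"]:5d}  {f["reason"]}  (seen {f["seen"]})')
```

Scoping the query with net: keeps the review inside addresses you are responsible for, and the timestamp on each finding tells you how stale Shodan's view is, so a hit should be confirmed against your own firewall rules rather than taken as proof the service is still exposed.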

Find phishing and malware with a simple search

General | Edward Kiledjian

A very important function of any information security team is threat intelligence. Threat intel can be a complicated and costly service in some cases, but in other cases it can be as simple as running a search. Here is a trick to get you started with the simple and cheap version.

Did you know you can find lots of "fun" phishing and malware links using nothing more than a simple VirusTotal search? Search VirusTotal for Google Storage API (precooked link). 

Go down midway on the results page and voila.

The one I highlighted above takes you to a Dropbox phishing site.

Some may not be fully formed yet, and some may already be taken down, but you can find some interesting opportunities for research.

Simple "script kiddy" level Threat Intel for you.

2 secrets you need to know for Amazon Prime Day

General | Edward Kiledjian

Amazon Prime Day is here, and expect millions of customers to go crazy buying things they don't need. At least those unneeded items are deeply discounted, right? Maybe! Thousands of items will be sold at their lowest price ever, but that isn't the case for everything.

The internet is here to save the day again. A free online tool called CamelCamelCamel will show you the truth.

You paste an Amazon link into the search bar at CamelCamelCamel and it will show you the item's price over time.

You copy the Amazon URL into the CamelCamelCamel search bar

Then you scroll midway down the results page and notice that the current promo is actually a good deal.

CamelCamelCamel covers Amazon sites for Canada, USA, Australia, China, France, Germany, Italy, Japan, Spain and the United Kingdom.

Do you want an example of a not so good deal? Here is one for you:

Looks like a good lightning deal...

CamelCamelCamel says this item was sold December 2017 for $53.82, a full $6.48 cheaper. This means that if you don't need this item right away, you may want to wait a bit or find an alternative that may actually be a deal. 

And one more thing

I'll sweeten the pot with one more tip for Amazon Prime Day (PrimeDay) and this one is related to the product reviews. You will notice that those Bluedio headphones seem to have a good user review rating of 4/5 stars (with 273 customer reviews). Can you trust those reviews?

Enter Fakespot! Like CamelCamelCamel, you copy the Amazon product URL into the Fakespot search bar and you are presented with a review reliability score.

Fakespot isn't perfect, but it is a great way to quickly determine how much trust you should put in the user reviews. Notice above that the analysis is old. If you see that button, press the ReAnalyze button and wait until you get a new rating.

When I tested Fakespot with these on-special headphones, the user review rating improved from an F to a D. 

The moral of the story is that you will probably find hundreds of great deals worth the asking price, but make sure to perform your own due diligence using CamelCamelCamel and Fakespot.

Google Chrome's Spectre Mitigation is consuming 10% more RAM

General | Edward Kiledjian

Google Chrome has always been a resource hog, but you may have noticed it's been consuming just a little bit more RAM lately (on your desktop).

This new, more demanding Chrome is the result of Google's Spectre mitigation efforts. The Google Chrome security team has enabled site isolation by default (in Chrome v67 for desktops). Justin Schuh, head of Google Chrome Security, explained that site isolation gives each website its own process, thereby preventing a malicious tab from stealing data from another.

When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using “out-of-process iframes.”

Don't expect to see this update on the Android version anytime soon; the resource consumption requirements are too high (for now).

Chrome is obviously my browser of choice, but I have been concerned about the amount of resources it requires, and this move (although right from a security perspective) pushes Chrome further in the wrong direction.

Additional reading: