Pokémon Go – To Bot, or not To Bot

So I never imagined I would be writing a post about Pokémon, but it seems to be all that everyone is talking about lately, so why not add my 2 cents to the conversation. Unless you have been living under a rock for the last month or so, you will have heard at least one person mention the famous words “Pokémon Go”, which is by far one of the most popular mobile games in years.

The mixture of real-world interaction via the use of Augmented Reality (AR) has everyone playing and trying to be the best. Being a 90’s baby and a big fan of the original Pokémon game, I had to give it a try; now, being a Level 21 Pokémon trainer and having walked over 89.1 km, I have no regrets :).

Sooner or later, as you begin to advance above Level 20 in the game, you quickly realize how difficult it can be to gain Experience Points (XP) to “Level Up”, or to gain Stardust to “PowerUp”. That is typically around the time you start to ask yourself those famous words: should I use a bot?

Well, let’s take a step back for anyone who is not familiar with what a bot is: a bot is basically a computer program that was written to assist you with playing the game. Instead of walking around, socializing, getting your workout in and hitting those Pokestops, you basically sit in the comfort of your home, run the program, select a location, say Central Park, and have the bot crawl the park and catch Pokémon, collect Poké Balls, potions, everything for you.

After reading several posts and speaking with others, below is a list of reasons why some people prefer to bot while others don’t.

Reasons for using a bot: 

  • New updates make it harder to catch Pokémon
  • New updates took away the tracking and grid feature
  • New updates took away the ability to bike or ride in a car while catching Pokémon
  • New updates took away the battery saver feature, so now you need more battery packs
  • Just want to be the best at all costs

Reasons for not using a bot:

  • Honesty, prefer to play fair and earn your bragging rights
  • Afraid of being banned, which has already started to happen
  • To use a bot you have to supply your login credentials; you are basically trusting that the dev will not steal your creds and access your personal information (that’s a lot of trust).

There are also other issues facing the game at the moment, such as hacked iOS or Android apps that allow GPS spoofing; basically, you can be in NYC, tell the game you are in Japan, and quickly advance in levels and strength.

Closing thoughts: I believe that since Niantic has chosen to block third-party tracking applications such as PokeVision, which allowed users to see where a Pokémon has spawned, they really should fix their in-game tracking feature and not just disable it. In the end, with any system, if the creator does not provide a useful feature, others will hack one together.

With all that said, go on out and Catch Em All… Go Team Valor :).

Useful links:

https://pokemon.gameinfo.io/pokemon

https://www.reddit.com/r/pokemongo/

http://www.polygon.com/2016/7/27/12295344/Pokemon-go-bots-cheats-niantic

http://kotaku.com/pokemon-go-pisses-players-off-yet-again-by-making-pokem-1784773116

https://blog.bugcrowd.com/big-bugs-podcast-episode-hacking-pokemon-go

Harassed by NYPD at HOPE Conference 2016

It’s been a bi-annual tradition for me and a few of my friends for the past 6+ years to attend the Hackers On Planet Earth (HOPE) conference over at the Hotel Pennsylvania in NYC. Well, after yesterday (Saturday, July 23, 2016), that tradition and excitement will now be associated with harassment and a lack of support from the conference organizers or security staff.

The events played out like this: I got stopped by three men (undercover cops, it appears) while grabbing a drink of water in one of the rooms. They asked if my name was “Mr Browne”; I answered no, then they demanded to see my ID without first identifying who they were or why I was being stopped and questioned.

Naturally I said NO! They then proceeded to threaten me that I was going to be kicked out of the hotel and prosecuted for trespassing if I did not comply. I asked how that was possible, I paid to be here; but they kept demanding my ID. I asked to see their badges, but they wouldn’t show them and still wouldn’t say why I was being stopped. At this point the conference security team and the three (potential officers) were surrounding me like I was a criminal.

I finally showed my ID because I didn’t want to get kicked out, or worse; I then had to go downstairs, leave the presentation, and then I was finally shown one badge (Sergeant Thomas Lent - NYPD Intelligence Division - Brooklyn Army Terminal), who then told me “I got stopped because I fit the description of a Black man with a beard, who was a person of interest”.

There is a right way and a wrong way of doing things, and that was the wrong way!!! It would have been good to get some support from the conference security team, by informing them I do have the right to be there, and requesting they show me their badges or inform me why I was being questioned, but that was not the case.

#UnnecessaryHarassment #NYPD #HavingABeardIsNotACrime

First impression — 1U App

Password, password and more passwords. If you are like me then you are tired of tokens, passwords, two factor authentication and all of the other mystical things out there that are trying to keep us safe in this crazy technological world that we are living in.

I recently attended Ohio Linux Fest 2014 and saw an interesting talk on password security by Dru Streicher, a security analyst for Sherwin Williams; you can view the slides here. He basically gave us an overview of some of the different attacks surrounding passwords, then went into a really nice open forum chat about password best practices. Keeping all that in mind, if I had known about the 1U app then, I might have skipped his talk and spent that time testing the app instead :).

Now, just in case you are asking yourself why anyone should care about password security, or newer technology to help with your authentication process, I would like to point you to an article over at Wallstcheatsheet.com titled “How much does a data breach actually cost”. The number that was estimated for the cost of an average data breach is $3.5 million.

The article then ended by making the following statement “So what’s the hold up? Experts say that banks and retailers have been at a bit of a standoff: Neither one wants to take the plunge to invest in new technology, and both are waiting for the other to overhaul the system. Meanwhile, consumers will just have to shop smart and keep a close eye on their transaction history.”

Luckily there are innovators like Hoyoslabs that want to help change the landscape of this digital revolution. Before I jump into my experience with trying to set up and test 1U on my Android Galaxy S4 mobile device, I will begin by first explaining what 1U is.

Instead of trying to explain it in my own words, here is the official explanation: “1U™ (www.1Uapps.com) is an app component of the HoyosID® Identity Assertion platform, serving as a replacement for all usernames, passwords, PINs and tokens of any kind, making users’ digital lives more convenient and secure. Using your mobile device’s camera, various biometrics are acquired and upon recognition, the app grants access to you and only you so you can complete transactions and log into secure sites without fear of breach or the hassle of a forgotten password.”

After reading an explanation like that you can see why I was excited to be a part of the test group and couldn’t wait to install the application and start testing. Unfortunately, like all good things, they soon come to an end.

I downloaded the application from the beta server and did the initial setup; however, each time I got to the final step of the configuration process it kept starting over. This appeared to have been a bug, so I reported it to support as well as to the person who contacted me to be a part of the test group. Support confirmed it and mentioned it will be fixed in the final version that will be released in the App Store and Google Play store.

Until such time I will be waiting to complete my review once I have a bug-free version of the application.

Read more: http://wallstcheatsheet.com/business/how-much-does-a-data-breach-actually-cost.html/?a=viewall#ixzz3JAZLTsyI

http://www.1uapps.com/

Learning your history is important

It is said that if you don’t know your history you are bound to repeat the past. The same holds true even in the world of malware. The infographic below helps bring you up to speed with what occurred over the last 28 years in the wonderful world of malware.

A big thanks to the ESET team for creating and sharing this with the community. I would like to pride myself on knowing a bit more about malware than the average user, but even so I learned quite a lot from this infographic.

So sit back and enjoy the journey that begins with Pakistani Brain in 1986 and ends with Windigo in 2014.

How Well Are You Protecting Yourself Online?

By Sandra Mills

How many passwords do you enter on a daily basis? With the prominence of the internet in the modern age, it’s probably quite a few. Most password-protected sites often contain extremely valuable personal information as well. Information many cyber criminals would love to obtain and abuse.

Since these passwords have become so intertwined with our personal and financial lives, shouldn’t we make it a goal to strengthen them? However, it seems that most people don’t see the issue, and are often complacent when creating new passwords. Some create weak passwords (such as “password”) without thinking much of what they’re really putting at risk.

With this in mind, we should all make a conscious effort to create high-quality, complex passwords to keep ourselves protected online. There is a lot of data that has been measured concerning this issue, such as what is most effective or most common, and with a few simple tips you too can help fight against weak internet security. Don’t put yourself at unnecessary risk any longer.

Below is a helpful infographic from Instant Checkmate, containing many tips and statistics that should be a good starting point for getting your personal security up to par in 2014. If you want to make sure that you really are protected online, this is the first step.

A big thank you to Sandra for writing today’s blog entry, and what a timely posting, since we are always seeing accounts being compromised daily because of weak passwords.

Security Management from an Enterprise Perspective

By: Karthik

An enterprise invests a considerable amount of time in day-to-day scanning and patch management for its infrastructure. But an analysis of enterprise psychology shows us otherwise, i.e. most enterprises shy away from scanning and patching their business-critical infrastructure for fear of interrupting their already established critical applications. Another side of the story is that enterprises test, scan and manage patches up to the staging level but fail to reassess them when they go live in the production environment. The major challenge here is to convince the stakeholders about the end-user impact of running thorough security scanning and patch management. Metasploit, a famous exploit development toolkit, adds several exploits to its repository on a monthly basis, thereby hinting to us that the threat vectors are increasing day by day. In this article we shall understand how to balance security management with business operations.

Stakeholders generally frown on scanning and patching the critical infrastructure. This is because security teams are considered a pain to the day-to-day operations of the rest of the enterprise, and also because security management in its full rigor is never atop the priority list for stakeholders. For decades we have witnessed that an enterprise strengthens its security infrastructure only after a breach. Otherwise the security implemented is pretty mediocre.

[Figure: Securosis patch management cycle. Source: securosis.com]

In the above image, we see the Securosis patch management cycle, representing the activities across any technology platform. The importance of implementing stringent security measures and infrastructure is gaining value in the current decade, as we have seen the maximum number of data breaches and exfiltration incidents happening around the world. Instead of staying isolated, security teams must work closely with the operations team so that they are no longer considered intrusive by the rest of the organization. Each cycle of vulnerability assessment for business-critical applications should include a thorough analysis of its impact on operations as well as of the threat surface presented by the organization. Generally, internal security teams run a set of automated tools and end the story by applying the patches suggested by well-known tools like Nessus and Acunetix. Not all production environments of the enterprise are plug-n-play environments for the patches. Each production environment undergoes its own share of customization before going live to the end user. A logical error might lead to a vulnerability or zero day which a general automated scanner cannot detect.

Vulnerability scanning and patch management must be more than just a compliance check which enterprises go through. The difference between a vulnerability assessment and penetration testing matters in these scenarios. Organizations undergo a vulnerability assessment to see the attack surface exposed to hackers, whereas a penetration test determines which of those vulnerabilities are exploitable. There must be a lot of interaction between the business stakeholders and the security teams for a successful security analysis of the business-critical applications. Most of the time, stakeholders do not completely understand the process behind the approach of security teams. Owing to this, the stakeholders shy away from completely trusting the assessment of end-user impact after the inspection. The stakeholders should understand the core difference between application-level security and infrastructure security. In infrastructure security, the knowledge required about the hosts and services is minimal compared to an application-level assessment. Automated tools fail to completely cover customized APIs and applications. Passive scans have the advantage of not actively probing the target, thereby not disturbing the operational state of the critical applications. On the other hand, detecting XSRF, SQLi, XSS etc. is not covered by passive scans. Enterprises need to understand that attackers generally attack the application layer more than the infrastructure. For a deeper look into enterprise security, check out the CISM training course offered by the InfoSec Institute.

Most security practitioners advocate frequent scanning and patching to manage and mitigate undiscovered risks. This means applying security scanning at all phases (development, QA, staging, production) and maintaining a strict program to avoid any kind of unexpected data breach. Threat modeling can be implemented right from the development stages to combat security bugs early in the lifecycle. This makes sure that developers as well as QA learn to develop and test products while being security aware. It’s always advised to hire professional firms to find hard-to-find bugs after the internal teams complete their rounds of security tests. This makes sure that the production environment goes live with few or no major security flaws known to the enterprise. Over the past decade, most security breaches and data exfiltration attacks happened in the production environment, and the reasons are discussed above in detail.

Experts suggest that mirroring the production environment and running security tests without causing any dreadful impact to customers is the way to proceed in continual security assessments. Continual security assessment is needed because an application with an unknown vulnerability today might be explored tomorrow for a zero day. Vulnerabilities found in mirrored environments can be used to produce a daily dose of patches that get validated on the production environment. Making the process granular is the key here. Bugs raised must not be forgotten and must be patched based on priority. The efforts of bug hunting are only fruitful when the bugs are patched in a timely manner. The way a patch is deployed can differ from system to system. Suppose a patch is being deployed for a web application: a couple of changes in the code and an upload to the server does the trick. But operating systems might require a reboot for the patch to be effective. Load balancers play a critical role in patching systems which need 24/7 uptime.

Remedying vulnerabilities is a never-ending process, and not every security test will give you threatening bugs. The catch here is to understand which vulnerabilities are exploitable and their impact on the business as well as the end users.

Tails, 'cause we care about our privacy

Tails is a live system that aims at preserving your privacy and anonymity. It helps you to use the Internet anonymously almost anywhere you go and on any computer, but leaves no trace unless you ask it to explicitly.

How does this work you might ask?

Tails relies on the Tor anonymity network to protect your privacy online: all software is configured to connect through Tor, and direct (non-anonymous) connections are blocked.

Tor is free software and an open network that helps you defend against a form of network surveillance, known as traffic analysis, that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.

In short, if you have ever used bootable Live CD/DVD/USB media before, it’s the same concept, just that this project focuses on your privacy.

What’s under the hood?

A set of noteworthy Firefox extensions:

  • Adblock Plus
  • Cookie Monster
  • FoxyProxy Standard
  • HTTPS-Everywhere
  • NoScript
  • Torbutton

A few extra bonus applications for the paranoid at heart:

  • Create encrypted volumes with TrueCrypt
  • Securely delete files with Nautilus
  • Manage passwords using KeePassX
  • By default your browser is pointed to https://startpage.com/, the world’s most private search engine.

Lastly, another option that I felt was nice was the ability to use the “Windows Camouflage” mode, which basically makes Tails look more like Microsoft Windows XP. This is useful in public places in order to avoid attracting suspicion.

So now you have a new OS to enhance your desire for privacy. Have fun, and please let us know what other methods you are using.