Pokémon Go – To Bot, or not To Bot


So I never imagined I would be writing a post about Pokémon, but it seems to be all anyone is talking about lately, so why not add my two cents to the conversation. Unless you have been living under a rock for the last month or so, you will have heard at least one person mention the famous words "Pokémon Go", which is by far one of the most popular mobile games in years.

The mixture of real-world interaction via Augmented Reality (AR) has everyone playing and trying to be the best. Being a 90's baby and a big fan of the original Pokémon games, I had to give it a try, and now, as a Level 21 Pokémon trainer who has walked over 89.1 km, I have no regrets :).

Sooner or later, as you begin to advance above Level 20 in the game, you quickly realize how difficult it can be to gain Experience Points (XP) to "Level Up", or to gain Stardust to "Power Up". That is typically around the time you start to ask yourself those famous words: should I use a bot?

Well, let's take a step back for anyone who is not familiar with what a bot is: a bot is basically a computer program written to play the game for you. Instead of walking around, socializing, getting your workout in and hitting those PokéStops, you sit in the comfort of your home, run the program, select a location, say Central Park, and have the bot crawl the park and catch Pokémon, collect Poké Balls, potions, everything for you.

After reading several posts and speaking with others, below is a list of reasons why some people prefer to bot while others don't.

Reasons for using a bot: 

  • New updates make it harder to catch Pokémon
  • New updates took away the tracking and grid feature
  • New updates took away the ability to bike or ride in a car while catching Pokémon
  • New updates took away the battery saver feature, so now you need more battery packs
  • Just want to be the best at all costs

Reasons for not using a bot:

  • Honesty: prefer to play fair and earn your bragging rights
  • Afraid of being banned, which has already started to happen
  • To use a bot you have to supply your login credentials, so you are basically trusting that the dev will not steal your creds and access your personal information (that's a lot of trust).

There are also other issues facing the game at the moment, such as hacked iOS or Android apps that allow GPS spoofing: basically you can be in NYC and tell the game you are in Japan, and be able to quickly advance in levels and strength.

Closing thoughts: I believe that since Niantic has chosen to block third-party tracking applications such as PokeVision, which allowed users to see where a Pokémon had spawned, they really should fix their in-game tracking feature and not just disable it. In the end, with any system, if the creator does not provide a useful feature, others will hack one together.

With all that said, go on out and catch 'em all… Go Team Valor :).

Useful links:

https://pokemon.gameinfo.io/pokemon

https://www.reddit.com/r/pokemongo/

http://www.polygon.com/2016/7/27/12295344/Pokemon-go-bots-cheats-niantic

http://kotaku.com/pokemon-go-pisses-players-off-yet-again-by-making-pokem-1784773116

https://blog.bugcrowd.com/big-bugs-podcast-episode-hacking-pokemon-go

First impression — 1U App

Passwords, passwords and more passwords. If you are like me, then you are tired of tokens, passwords, two-factor authentication and all of the other mystical things out there trying to keep us safe in this crazy technological world we are living in.

I recently attended Ohio LinuxFest 2014 and saw an interesting talk on password security by Dru Streicher, a security analyst for Sherwin-Williams; you can view the slides here. He basically gave us an overview of some of the different attacks surrounding passwords, then went into a really nice open-forum chat about password best practices. Keeping all that in mind, if I had known about the 1U app then, I might have skipped his talk and spent that time testing the app instead :).

Now, just in case you are asking yourself why anyone should care about password security, or about newer technology to help with the authentication process, I would like to point you to an article over at WallStCheatSheet.com titled "How much does a data breach actually cost". The estimated cost of an average data breach is $3.5 million.

The article then ended by making the following statement: "So what's the hold up? Experts say that banks and retailers have been at a bit of a standoff: Neither one wants to take the plunge to invest in new technology, and both are waiting for the other to overhaul the system. Meanwhile, consumers will just have to shop smart and keep a close eye on their transaction history."

Luckily there are innovators like Hoyoslabs that want to help change the landscape of this digital revolution. Before I jump into my experience with trying to set up and test 1U on my Android Galaxy S4, I will begin by first explaining what 1U is.

Instead of trying to explain it in my own words, here is the official explanation: "1U™ (www.1Uapps.com) is an app component of the HoyosID® Identity Assertion platform, serving as a replacement for all usernames, passwords, PINs and tokens of any kind, making users' digital lives more convenient and secure. Using your mobile device's camera, various biometrics are acquired and upon recognition, the app grants access to you and only you so you can complete transactions and log into secure sites without fear of breach or the hassle of a forgotten password."

After reading an explanation like that you can see why I was excited to be a part of the test group and couldn't wait to install the application and start testing. Unfortunately, like all good things, it soon came to an end.

I downloaded the application from the beta server and did the initial setup; however, each time I got to the final step of the configuration process it kept starting over. This appeared to be a bug, so I reported it to support as well as to the person who contacted me to be a part of the test group. Support confirmed it and mentioned it will be fixed in the final version that will be released in the App Store and Google Play store.

Until such time, I will be waiting to complete my review once I have a bug-free version of the application.

Read more: http://wallstcheatsheet.com/business/how-much-does-a-data-breach-actually-cost.html/?a=viewall#ixzz3JAZLTsyI

http://www.1uapps.com/

Domain Theft and the Possibilities for Recovery

1 Introduction

On October 24th, 2012, Diigo, a social bookmarking website that allows signed-up users to bookmark and tag web pages, had its domain, diigo.com, stolen by a domain name thief. As a result, Diigo's more than 5 million registered users were not able to access the website.

Domain theft, also known as domain name hijacking, is not a new phenomenon. Back in 2005, ICANN's Security and Stability Advisory Committee (SSAC) issued a Domain Hijacking report outlining several incidents of domain theft. The report defines domain name hijacking as the "wrongful taking of control of a domain name from the rightful name holder."

The present contribution describes the types of domain thefts (Section 2) and explains the possibilities for recovery of stolen domain names (Section 3). Finally, a conclusion is drawn (Section 4).

2 Types of domain theft

The Domain Hijacking report differentiates five basic types of domain theft, namely: impersonation of a domain name registrant in correspondence with a domain name registrar (Subsection 2.1); forgery of a registrant's account information maintained by a registrar (Subsection 2.2); forgery of a transfer authorization communication from a registrant to a registrar (Subsection 2.3); impersonation or a fraudulent act that leads to the unauthorized transfer of a domain from a rightful name holder to another party (Subsection 2.4); and unauthorized DNS configuration changes that disrupt or damage services operated under a domain name (Subsection 2.5).

2.1 Impersonation of a domain name registrant in correspondence with a domain name registrar

This type of domain theft includes using forged fax or postal mail requests to modify registrant information. In some cases, stolen or copied company letterheads may also be used.

The hushmail.com incident is a typical example of impersonation of a domain name registrant. Hushmail was launched in 1999 by Hush Communications. In April 2005, a domain name thief convinced the support staff of Network Solutions, Inc. to modify the administrative contact email address in Hush Communications' registration record. The attacker then used the new administrative contact address to submit a password reset request for the Hush Communications account to Network Solutions. Afterwards, the attacker logged into the account, changed the password, and altered the DNS configuration to point the domain name to his own server. Finally, the thief posted a new home page demonstrating his achievement and embarrassing Hush Communications.

2.2 Forgery of a registrant's account information maintained by a registrar

Domain name thieves may forge the account information associated with a domain name registration to conduct malicious activities, such as reselling the domain. For instance, the forged information may be used by a thief to deceive a buyer that the thief is the actual owner of the domain name.

2.3 Forgery of a transfer authorization communication from a registrant to a registrar

This type of domain theft includes acts where the domain name thief submits a fake transfer authorization communication to the registrar. The communication appears to be sent by the registrant, which would allow the thief to take control over the domain name.

For example, in the U.S. case Kremen v. Cohen (2001), a federal district court in California found that the defendant had fraudulently obtained the registration of the domain name sex.com by sending a forged letter to Network Solutions, Inc., the domain registrar. As a result, the court awarded $65 million in damages resulting from the fraud. The court justified the award by noting that, in the five years the defendant operated the "sex.com" website, he reaped profits of more than $40 million; the award also included $25 million in punitive damages.

2.4 Impersonation or a fraudulent act that leads to the unauthorized transfer of a domain name from a rightful name holder to another party

This type of domain name theft includes actions that may or may not lead to changes in the DNS configuration. If the theft does not lead to changes in the DNS configuration, it can remain undetected for a considerable period of time. In this case, the motive of the thief is not to immediately disrupt the domain holder's operation, but to acquire and resell the domain name.

An example of such a theft is the blogtemplate4u.com and dhetemplate.com incident. Both domain names were registered and managed by a U.S. company through Go Daddy Operating Company, LLC. An unidentified and unauthorized person used the username and password of the company's manager to log into his account and transfer the domain names to another registrant and registrar (OnlineNIC, Inc.). In this incident, no changes had been made to the DNS configuration, and the services of the two domain names had not been affected.

The manager of the company submitted a Uniform Domain Name Dispute Resolution Policy (UDRP) claim to the online ADR Center of the Czech Arbitration Court requesting the transfer of the domain names to his company. UDRP is an administrative procedure allowing trademark holders to submit complaints to ICANN-accredited dispute resolution providers for disputes involving domain names that have been registered by an ICANN-accredited registrar. On November 21, 2012, a panelist of the Czech Arbitration Court delivered a decision transferring the domain names to the manager of the company.

2.5 Unauthorized DNS configuration changes that disrupt or damage services operated under a domain name

Unauthorized DNS configuration changes are typically made by someone who has gained access to the registrar or DNS hosting account, as in the Hushmail case above. A related attack with the same effect on users, but which does not touch the registration record at all, is DNS spoofing (also known as DNS cache poisoning): forged data is introduced into a DNS resolver's cache so that the resolver returns an incorrect IP address, diverting traffic to another computer (often the computer of the domain name thief). A well-known example of DNS spoofing occurred in 1997 when Eugene Kashpureff redirected users attempting to connect to the InterNIC website to his own website.

3 Possibilities for recovery of stolen domain names

At present, victims of domain name theft can regain control of stolen domain names through dispute resolution procedures (Subsection 3.1). In addition, ICANN is also considering the use of an emergency action channel (Subsection 3.2) between registrars, to be used in cases where an urgent response is required.

3.1 Dispute Resolution Procedures

The Uniform Domain Name Dispute Resolution Policy (UDRP) and the Transfer Dispute Resolution Policy (TDRP) established by ICANN are designed to impartially assess the factual circumstances of the case with the aim of determining the appropriate outcome of a dispute.

3.1.1 The Uniform Domain Name Dispute Resolution Policy (UDRP)

The Uniform Domain Name Dispute Resolution Policy (UDRP) is an effective means of recovering stolen domain names. The total cost of a UDRP proceeding (including attorney's fees) may vary between $1,000 and $2,000, and the procedure will take at least two months to reach a decision. In order to succeed, a complainant must establish three elements: (1) the domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; (2) the registrant does not have any rights or legitimate interests in the domain name; and (3) the registrant registered the domain name and is using it in "bad faith." A party who loses the proceedings may file a lawsuit in a national court against the domain name registrant.

In order to establish whether a domain name has been registered in “bad faith,” the UDRP panel will examine several factors, such as (1) whether the registrant registered the domain name with the aim of selling the domain name registration to the complainant, (2) whether the registrant registered the domain name to prevent the owner of the trademark or service mark from using the mark corresponding to his name, (3) whether the registrant registered the domain name primarily to disrupt the business of a competitor, and (4) whether the registrant tried to attract visitors by creating a likelihood of confusion with the complainant’s mark.

3.1.2 The Transfer Dispute Resolution Policy (TDRP)

The Transfer Dispute Resolution Policy (TDRP) is used for resolving disputes between two registrars engaging in Inter-Registrar domain name transfers. A TDRP dispute can be brought to the registry for a decision, or to a third-party dispute resolution service provider. In case that a registry operator is chosen, the decision of this registry operator may be appealed by the registrars to an independent dispute resolution provider. A decision made by an independent dispute resolution provider may be appealed only before a court.

3.2 Emergency action channel

The emergency action channel will provide 24/7 access to registrar technical support staff who are authorized to assess the situation and establish the magnitude and immediacy of harm. They are also entitled to take measures to restore registration records and DNS configuration to "the last working configuration."

The emergency action channel will be supported by a contact directory of parties who can be reached during non-business hours and weekends and a companion policy. The companion policy will identify evaluation criteria (including circumstances and evidence) that a registrant must provide in order to obtain an immediate recovery of the domain.

The following circumstances will be taken into account when distinguishing when an urgent recovery policy may be a more appropriate action than the TDRP: (1) immediacy of the harm, (2) the magnitude of the harm, and (3) escalating impact.

4 Conclusion

This article has shown that domain name theft is a serious issue that can lead to the loss of the domain name and the interruption of services operating under it. It has also shown that domain name theft is a broad term that encompasses several acts of wrongful takeover of a domain name. While domain name thefts that interrupt services will probably be immediately noticed by the legitimate domain name holders, those that do not lead to changes in the DNS configuration may remain unnoticed for a long period of time.

At present, the people and organizations whose domains have been stolen may rely mainly on the dispute resolution procedures established by ICANN and on litigation. The UDRP and TDRP procedures are relatively quick and cheap (compared to litigation). However, it should be noted that many victims of domain name theft may not be able to pay the dispute resolution fees. This is especially true for people in developing countries, for whom a dispute resolution fee of $2,000 could equal their annual salary.

In order to prevent thefts of domain names, companies and individuals may take the following four preventive measures. First, they should not use Hotmail, Gmail, or other free webmail accounts as the contact email on their domains: the contact mailbox is the channel through which password resets and transfer approvals are delivered, so whoever controls that mailbox can authorize a transfer, and a free account protected only by a password is an easy target for a thief. Second, they need to use as strong a password as possible at their registrar, ideally a long, random password unique to that account, and enable whatever second factor and registrar lock (the clientTransferProhibited status) the registrar offers, so that a transfer cannot be initiated without an explicit unlock. Third, in order to ensure the best protection of their domain name, companies and individuals are advised to use a trusted registrar; the well-known registrars provide adequate security precautions. Lastly, when selling domain names, it is advisable to use an escrow service, which is a good way to prevent fraud schemes.
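As an added example (not code from the original article), the following Python script audits a WHOIS-style record for the two conditions above that are visible from the outside: whether a transfer lock status is set, and whether the registrant, admin or tech contact addresses are hosted at a free webmail provider. The two records it checks are constructed for illustration; the "Key: value" line format and the "Domain Status: code URL" convention are assumed to match typical gTLD WHOIS output, and the free-mail list is illustrative only.

```python
# EPP status codes that prevent an inter-registrar transfer. Both are standard
# values that registrars expose in WHOIS/RDAP output (assumption: yours does too).
TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}
# Illustrative list only; extend to match your own policy.
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
# WHOIS keys whose mailbox can receive reset/transfer-approval mail.
CONTACT_EMAIL_KEYS = ("registrant email", "admin email", "tech email")


def parse_whois(text):
    """Parse 'Key: value' lines of a WHOIS record into {lowercased key: [values]}.

    Comment lines (%, #) and the trailing ICANN notice (>>> ... <<<) are skipped.
    Repeated keys (e.g. several 'Domain Status' lines) are collected in order.
    """
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def audit_domain_record(text):
    """Return a list of findings for one WHOIS record: a missing transfer lock,
    and each contact address that is at a free webmail provider."""
    rec = parse_whois(text)
    findings = []

    # "Domain Status: clientTransferProhibited https://icann.org/epp#..." -> keep the code only
    statuses = {s.split()[0] for s in rec.get("domain status", [])}
    if not statuses & TRANSFER_LOCKS:
        findings.append("no transfer lock set (expected clientTransferProhibited "
                        "or serverTransferProhibited)")

    for key in CONTACT_EMAIL_KEYS:
        for addr in rec.get(key, []):
            mail_domain = addr.rpartition("@")[2].lower()
            if mail_domain in FREE_MAIL_DOMAINS:
                findings.append(f"{key} ({addr}) is at free webmail provider {mail_domain}; "
                                "whoever controls that mailbox can approve a transfer")
    return findings


# Constructed sample records (not real WHOIS output).
LOCKED_RECORD = """\
Domain Name: EXAMPLE-CORP.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registrant Email: domains@example-corp.com
Admin Email: domains@example-corp.com
Tech Email: hostmaster@example-corp.com
>>> Last update of WHOIS database: 2012-10-24T10:00:00Z <<<
"""

UNLOCKED_RECORD = """\
Domain Name: EXAMPLE-BLOG.COM
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Registrant Email: someblogger@gmail.com
Admin Email: someblogger@gmail.com
Tech Email: someblogger@gmail.com
"""

if __name__ == "__main__":
    for name, record in (("locked", LOCKED_RECORD), ("unlocked", UNLOCKED_RECORD)):
        print(name, audit_domain_record(record) or ["no findings"])
```

Run it against the output of `whois yourdomain.com` (or an RDAP response flattened to the same key/value form) for every domain you own; a registrant whose contact mailbox is at a free provider and whose domain has no transfer lock is exactly the profile of the silent resale theft described in Subsection 2.4.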

Daniel Dimov is a security researcher for InfoSec Institute. InfoSec Institute is a security certification company that has trained over 15,000 people including popular CEH and CCNA certification courses.

Eight Handy Security Tools For a Novice

Here is a compilation of a few tools that anyone starting out in security needs to be aware of. The power, performance and capabilities of these tools are limited only by the creativity of the attacker. Let's dig into the list.

1. Maltego:

Following the well-defined hacker cycle, let's start with reconnaissance tools. Maltego is a very well-known tool for information gathering. It supports both personal reconnaissance and infrastructure reconnaissance. With personal reconnaissance, you can build another person's profile from an email address, name or phone number using search engines. With infrastructure reconnaissance, you can get information about the subdomains and servers of a network. The Maltego framework comes in two versions, a commercial version and a community edition; registration is mandatory for either, and only the commercial version allows saving the output of the reconnaissance. Information is gathered using what Maltego calls transforms: each transform takes the results gathered so far and manipulates, filters and translates them into new search queries.

2. Metasploit:

Following this, we move on to exploitation tools. The most widely used exploit development framework is the Metasploit Framework by Rapid7. Initially written by H.D. Moore in Perl as a portable network tool, it has evolved into one of the most powerful exploit development frameworks. It allows using custom exploits through something called "porting of exploits".

Porting exploits involves taking a proof of concept exploit which just delivers some particular shellcode, commonly a calc.exe launcher or notepad launcher, and weaponizing it to be used in the framework with features. These features include things like custom payloads, encoders, and other benefits.

The Metasploit Framework is not just an exploit delivery vehicle. It also contains tools for exploit development: it can be used for generating offsets, writing exploits, and exploiting different operating systems and architectures, and it ships with a large number of modules and exploits.

A third-party extension that provides a GUI is Armitage. The commercial editions have their own GUI, which is not included in the community edition.

Backdooring existing executables is done with the msfpayload and msfencode command-line tools (msfencode's -x option injects a payload into a template executable); both have since been merged into msfvenom.

3. GHDB

GHDB stands for Google Hacking Database. Google is one of the most powerful tools available to an attacker. Specially crafted search queries are known as dorks, or Google dorks. They can be used to reveal vulnerable servers on the Internet, and to gather sensitive data, uploaded files, subdomains and more. The GHDB makes it easier to find the right Google dorks for your needs.

Offensive Security maintains a collection of Google dorks under a section called GHDB.

4. Social Engineering Toolkit:

This tool is built into BackTrack. It automates social engineering attacks. Encoding of scripts, binding Trojans to legitimate files, creating fake pages, harvesting credentials: this tool is a one-stop shop for all of these. It can use Metasploit-based payloads in its attacks, making the framework all the more lethal with the professional exploits from the Metasploit Framework.

5. HULK – A web server DoS Tool

The brainchild of Barry Shteiman, this tool distinguishes itself from many of the other tools out in the wild. According to its creator, it was the result of his conclusion that most tools out there produce repeated request patterns that can easily be mitigated. The principle behind HULK is to introduce randomness into the requests to defeat caching and host identification technologies, both to increase the load on the server and to evade IDS/IPS systems.

6. Fear The FOCA

FOCA is a metadata harvesting tool. It can analyze metadata from files such as DOC, PDF and PPT. From this data it can enumerate users, folders, email addresses, software used, operating systems and more. There are customization options in the tool too: the crawl option searches the related domain's website for additional documents, and metadata can be extracted from a single file or from multiple files. FOCA is thus a great tool in the reconnaissance phase for extracting information from metadata.

7. W3af – Web application attack and audit framework

This project is a web application attack and audit framework sponsored by Rapid7, the same company that maintains the Metasploit Framework. w3af is used to find and exploit vulnerabilities in web applications; it presents information about the vulnerabilities and supports the penetration testing process. It is divided into two parts, a core and plugins. There is a plugin for saving reports to disk for later reference, plugins can be custom written, and communication between plugins can be automated.

8. EXIF Data viewers

Smartphones and digital cameras use a standard, the Exchangeable Image File Format (EXIF), to embed additional metadata in the images and audio they record. Various EXIF data viewers are available. The recorded data can include the camera make and model and, more importantly, the geo-location of the shot. Many smartphones geotag photos by default, so a shared image can leak where it was taken: the extracted EXIF data gives the latitude and longitude directly, thus leaking possibly private information.
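As an added example (not code from the original article or from any of the tools listed), here is a small Python parser that pulls the GPS position out of an Exif blob without any imaging library, plus a builder that constructs a minimal Exif blob so the parser can be run offline. The coordinates used are constructed sample data, not from a real photo. The parser assumes the standard TIFF/Exif layout (a GPSInfo pointer in IFD0 leading to a GPS sub-IFD, with latitude and longitude stored as three RATIONALs each) and bounds-checks every offset, so a malformed file cannot make it read outside the data.

```python
import struct

# Tag numbers from the Exif/TIFF specifications.
TAG_GPS_IFD = 0x8825                     # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT = 0x0001, 0x0002    # "N"/"S" and three RATIONALs (deg, min, sec)
GPS_LON_REF, GPS_LON = 0x0003, 0x0004    # "E"/"W" and three RATIONALs
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}  # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED


def _read_ifd(data, offset, e):
    """Return {tag: (type, count, raw_value_bytes)} for the IFD at `offset`.

    Values of 4 bytes or less are stored inline in the 12-byte entry; larger
    values are reached through an offset, which is bounds-checked.
    """
    (count,) = struct.unpack_from(e + "H", data, offset)
    entries = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(e + "HHI", data, pos)
        if typ not in TYPE_SIZES:
            raise ValueError(f"unknown TIFF type {typ} for tag {tag:#06x}")
        size = TYPE_SIZES[typ] * n
        if size <= 4:
            raw = data[pos + 8:pos + 8 + size]
        else:
            (value_off,) = struct.unpack_from(e + "I", data, pos + 8)
            if value_off + size > len(data):
                raise ValueError(f"tag {tag:#06x} points outside the Exif blob")
            raw = data[value_off:value_off + size]
        entries[tag] = (typ, n, raw)
    return entries


def _dms_to_decimal(raw, ref, e):
    """Convert three RATIONALs (degrees, minutes, seconds) plus a hemisphere
    letter into signed decimal degrees."""
    nums = struct.unpack(e + "IIIIII", raw)
    pairs = [(nums[i], nums[i + 1]) for i in (0, 2, 4)]
    if any(den == 0 for _, den in pairs):
        raise ValueError("zero denominator in GPS rational")
    deg, minutes, sec = (num / den for num, den in pairs)
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value


def parse_exif_gps(blob):
    """Return (latitude, longitude) in decimal degrees, or None if the Exif blob
    carries no GPS position. `blob` is the JPEG APP1 payload, with or without
    the leading "Exif\\0\\0" identifier."""
    if blob.startswith(b"Exif\0\0"):
        blob = blob[6:]
    byte_order = blob[:2]
    if byte_order == b"II":
        e = "<"          # Intel, little-endian
    elif byte_order == b"MM":
        e = ">"          # Motorola, big-endian
    else:
        raise ValueError("not a TIFF/Exif header")
    magic, ifd0_off = struct.unpack_from(e + "HI", blob, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ifd0 = _read_ifd(blob, ifd0_off, e)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])
    gps = _read_ifd(blob, gps_off, e)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat_ref = gps[GPS_LAT_REF][2].rstrip(b"\0").decode("ascii")
    lon_ref = gps[GPS_LON_REF][2].rstrip(b"\0").decode("ascii")
    return (_dms_to_decimal(gps[GPS_LAT][2], lat_ref, e),
            _dms_to_decimal(gps[GPS_LON][2], lon_ref, e))


def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref, endian="<"):
    """Construct a minimal Exif blob (TIFF header, IFD0 holding only a GPS pointer,
    GPS IFD with lat/lon) so the parser can be exercised without a real photo.
    lat_dms/lon_dms are [(num, den), (num, den), (num, den)] for deg/min/sec."""
    e = endian
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4          # IFD0: count + 1 entry + next-IFD link
    lat_off = gps_off + 2 + 4 * 12 + 4        # GPS IFD: count + 4 entries + link
    lon_off = lat_off + 3 * 8                 # three RATIONALs = 24 bytes

    def entry(tag, typ, n, value):            # value: inline bytes (<=4) or packed offset
        return struct.pack(e + "HHI", tag, typ, n) + value.ljust(4, b"\0")

    def rationals(dms):
        return b"".join(struct.pack(e + "II", num, den) for num, den in dms)

    header = (b"II" if e == "<" else b"MM") + struct.pack(e + "HI", 42, ifd0_off)
    ifd0 = (struct.pack(e + "H", 1)
            + entry(TAG_GPS_IFD, 4, 1, struct.pack(e + "I", gps_off))
            + struct.pack(e + "I", 0))
    gps = (struct.pack(e + "H", 4)
           + entry(GPS_LAT_REF, 2, 2, lat_ref.encode("ascii") + b"\0")
           + entry(GPS_LAT, 5, 3, struct.pack(e + "I", lat_off))
           + entry(GPS_LON_REF, 2, 2, lon_ref.encode("ascii") + b"\0")
           + entry(GPS_LON, 5, 3, struct.pack(e + "I", lon_off))
           + struct.pack(e + "I", 0))
    return b"Exif\0\0" + header + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)


# Constructed sample: 40 46' 58.44" N, 73 57' 55.44" W (Central Park, New York).
SAMPLE_EXIF = build_sample_exif([(40, 1), (46, 1), (5844, 100)], "N",
                                [(73, 1), (57, 1), (5544, 100)], "W")

if __name__ == "__main__":
    print(parse_exif_gps(SAMPLE_EXIF))   # decoded position, approximately (40.7829, -73.9654)
```

To run it against a real JPEG, pass the APP1 segment payload (the bytes following the FFE1 marker and its two-byte length). A result of None means the image carries no GPS tags, which is what you want to confirm before a photo is shared.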

Conclusion

These are a few handy tools that a beginner in infosec needs to be aware of. Other tools and their capabilities will follow in subsequent articles.

Shathabheesha is a security researcher for InfoSec Institute. InfoSec Institute is a security certification company that has trained over 15,000 people.

Battle of the cloud storage providers

With the recent show-and-tell of Google's GDrive cloud storage solution, it's now painfully obvious that the other cloud storage providers in that arena are scrambling for fear of losing business. As we all know, Google has a track record of coming out with solutions that rival the competition and usually ends up being the victor. This market has become very popular over the last few years, and statistically it has been shown that users who start off as free users will eventually become paying customers, so the key is to get as many free users as possible.

For the last year or so the words "free cloud storage" were almost synonymous with "Dropbox"; even on the mobile platform their application was widely accepted. Now, with Google finally in the arena, it's going to be interesting to see how the others start to change their business models. I have recently received some form of communication from the following providers (SkyDrive, Box, Dropbox, Ubuntu One) and wanted to give a brief summary of them and see how they might stack up against GDrive.

Let's start with GDrive: they offer 5 GB free for new users, have a mobile application (Android devices) and the GDocsDrive desktop client, allow all of the usual features (upload, share, collaborate), and as of now appear to have a 10 GB file-size upload limit. The other interesting thing is that upgrading to 25 GB will only cost you $2.50 a month, or 100 GB for just $4.99/mo. The one reason I believe they might capture a large piece of market share is simply their name and the fact that they have a solid infrastructure and should be able to handle more traffic than the average provider in this sphere.

Next is Dropbox, which is a free service that lets you bring all your photos, docs and videos anywhere. This means that any file you save to your Dropbox will automatically be saved to all your computers, phones and even the Dropbox website. You start off with 2 GB free plus an additional 500 MB per referral; the paid model starts at 50 GB for $10/mo. There is a file-size upload limit of 2 GB; however, if you upload files via the website you have a 300 MB cap.

SkyDrive, which has been trying to gain popularity for a while and at one point offered 25 GB of free storage, recently restructured and is only offering 7 GB free for all new users. You had the option to keep your 25 GB if you were an existing user, but you had to log in and claim it before April 22, which has already passed. If you require more space and you love SkyDrive you can get 20 GB for $10/yr or 100 GB for $50/yr. As of now SkyDrive offers the most free space and the most value for your money per GB annually.

Box is another competitor who recently tried to gain new users by offering mobile users 50 GB free for life if they signed up from their mobile device. If you don't use this option you can always get 25 GB for $10/mo or 50 GB for $20/mo. They have a few downfalls: they have a 200 MB file upload cap, and of course they only offer a desktop client to business/enterprise users.

Last on my list is Ubuntu One, which currently offers your standard 5 GB for free users, and you can get an additional 20 GB for $3/mo or $30/yr. The good thing is that you are getting good value for your money; however, I don't think they do a good job marketing this product, and as such I believe they might fade into the background amidst all the other big names out there.

For a great overview of some of the services mentioned above you can take a glance at this  comparison image I found over at PCWorld

What services are you using?

SendAs from a distribution group Exchange 2010

I received a request today from one of our users who wanted to send an email from their departmental distribution group. This task can easily be performed if a user wants to send as a public folder; however, with Exchange 2010 you are unable to grant a user the correct access via the EMC.

In order to grant a user this access you have to do it via the Exchange Management Shell (EMS), aka PowerShell. My first question was: did the user really mean to say public folder, or was it an actual DG? To answer this question I ran the following command:

Get-Recipient -ResultSize Unlimited | Where-Object {$_.EmailAddresses -match "accounting@domain.com"} | Select-Object Name,EmailAddresses,RecipientType

Once I realized that I was working with a distribution group, I ran this command to grant the user "Send As" permission:

Get-DistributionGroup "accounting" | Add-ADPermission -ExtendedRights Send-As -User "Jane Doe" -AccessRights ExtendedRight | Format-List

And just like that I had another satisfied user :). If you know of another way to accomplish this task, do share in the comments.

Podcast Appearance “Attack of the Android”

Hello all, I hope your year is going well so far. I just wanted to drop a line and mention that a few weeks ago I appeared on the "Attack of the Androids" podcast, episode 16. A little background about the podcast: they are a weekly audio podcast focused on the Google Android operating system and community.

You can find them on Google+ or follow them on Twitter @aotaradio. Cool cast, check them out!