Tip: Make Sure Your PC is Safe from Meltdown and Spectre

Posted on January 17, 2018

by Paul Thurrott in Hardware, Windows, Windows 10

https://www.thurrott.com/windows/windows-10/150463/tip-make-sure-pc-safe-meltdown-spectre

Security expert Steve Gibson has done it again. His latest utility, InSpectre, can check your PC to see whether it is adequately protected from the recent Meltdown and Spectre security vulnerabilities.

You need this. So head on over to Steve’s GRC website and download InSpectre.

Put simply, InSpectre does three things: It determines whether your PC is vulnerable to Meltdown and Spectre. It checks to see what the performance impact is from the fixes you have installed. And it lets you toggle off those fixes, on the fly, if you need the full performance of your PC.

I ran InSpectre on my current desktop PC, an HP EliteOne all-in-one, and found that I was protected against Meltdown but not Spectre. And that my performance was “good,” which makes sense since I’m running the latest OS version on recent Intel hardware.

Steve’s utility noted that my vulnerability to Spectre was due to my BIOS/firmware not being updated.

So I checked with the HP Support Assistant and, sure enough, there was a BIOS update.

So I installed it, rebooted, and checked with InSpectre again. And now my PC is secure.

Get this now. And follow its advice. Seriously.

Some Basic Rules for Securing Your IoT Stuff

Krebs on Security

January 17, 2018

https://krebsonsecurity.com/2018/01/some-basic-rules-for-securing-your-iot-stuff/

Most readers here have likely heard or read various prognostications about the impending doom from the proliferation of poorly-secured “Internet of Things” or IoT devices. Loosely defined as any gadget or gizmo that connects to the Internet but which most consumers probably wouldn’t begin to know how to secure, IoT encompasses everything from security cameras, routers and digital video recorders to printers, wearable devices and “smart” lightbulbs.

Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked IoT devices had many experts warning of a dire outlook for Internet security. But the future of IoT doesn’t have to be so bleak. Here’s a primer on minimizing the chances that your IoT things become a security liability for you or for the Internet at large.

-Rule #1: Avoid connecting your devices directly to the Internet — either without a firewall or in front of it, by poking holes in your firewall so you can access them remotely. Putting your devices in front of your firewall is generally a bad idea because many IoT products were simply not designed with security in mind, and making these things accessible over the public Internet could invite attackers into your network. If you have a router, chances are it also comes with a built-in firewall. Keep your IoT devices behind the firewall as best you can.

-Rule #2: If you can, change the thing’s default credentials to a complex password that only you will know and can remember. And if you do happen to forget the password, it’s not the end of the world: Most devices have a recessed reset switch that can be used to restore the thing to its factory-default settings (and credentials). Here’s some advice on picking better ones.

I say “if you can,” at the beginning of Rule #2 because very often IoT devices — particularly security cameras and DVRs — are so poorly designed from a security perspective that even changing the default password to the thing’s built-in Web interface does nothing to prevent the things from being reachable and vulnerable once connected to the Internet.

Also, many of these devices are found to have hidden, undocumented “backdoor” accounts that attackers can use to remotely control the devices. That’s why Rule #1 is so important.

-Rule #3: Update the firmware. Hardware vendors sometimes make available security updates for the software that powers their consumer devices (known as “firmware”). It’s a good idea to visit the vendor’s Web site and check for any firmware updates before putting your IoT things to use, and to check back periodically for any new updates.

-Rule #4: Check the defaults, and make sure features you may not want or need like UPnP (Universal Plug and Play — which can easily poke holes in your firewall without you knowing it) — are disabled.

Want to know if something has poked a hole in your router’s firewall? Censys has a decent scanner that may give you clues about any cracks in your firewall. Browse to whatismyipaddress.com, then cut and paste the resulting address into the text box at Censys.io, select “IPv4 hosts” from the drop-down menu, and hit “search.”

If that sounds too complicated (or if your ISP’s addresses are on Censys’s blacklist) check out Steve Gibson‘s Shield’s Up page, which features a point-and-click tool that can give you information about which network doorways or “ports” may be open or exposed on your network. A quick Internet search on exposed port number(s) can often yield useful results indicating which of your devices may have poked a hole.

If you run antivirus software on your computer, consider upgrading to a “network security” or “Internet security” version of these products, which ship with more full-featured software firewalls that can make it easier to block traffic going into and out of specific ports.

Alternatively, Glasswire is a useful tool that offers a full-featured firewall as well as the ability to tell which of your applications and devices are using the most bandwidth on your network. Glasswire recently came in handy to help me determine which application was using gigabytes worth of bandwidth each day (it turned out to be a version of Amazon Music’s software client that had a glitchy updater).

-Rule #5: Avoid IoT devices that advertise Peer-to-Peer (P2P) capabilities built-in. P2P IoT devices are notoriously difficult to secure, and research has repeatedly shown that they can be reachable even through a firewall remotely over the Internet because they’re configured to continuously find ways to connect to a global, shared network so that people can access them remotely. For examples of this, see previous stories here, including This is Why People Fear the Internet of Things, and Researchers Find Fresh Fodder for IoT Attack Cannons.

-Rule #6: Consider the cost. Bear in mind that when it comes to IoT devices, cheaper usually is not better. There is no direct correlation between price and security, but history has shown the devices that tend to be toward the lower end of the price ranges for their class tend to have the most vulnerabilities and backdoors, with the least amount of vendor upkeep or support.

In the wake of last month’s guilty pleas by several individuals who created Mirai — one of the biggest IoT malware threats ever — the U.S. Justice Department released a series of tips on securing IoT devices.

One final note: I realize that the people who probably need to be reading these tips the most likely won’t ever know they need to care enough to act on them. But at least by taking proactive steps, you can reduce the likelihood that your IoT things will contribute to the global IoT security problem.

Twitter just got more serious about two-factor authentication. Here’s how to better protect your account

If you still haven’t properly secured your Twitter account with two-factor authentication then you have one less excuse today.

Twitter has announced that you can now use third-party apps (such as Google Authenticator, Authy, or 1Password) to verify yourself at login.

Which is great news, because previously – unlike many other online services – Twitter required you to either be capable of receiving SMS verification codes sent to your mobile phone, or to use their own smartphone app to verify a login.

Using SMS-based two-factor authentication has been frowned upon for some time, as criminals are able to exploit known weaknesses in the SS7 cellphone network to intercept text messages. In addition, there are countless malicious Android apps that are capable of capturing SMS codes as they are sent to devices, and then passing them on to account hackers.

Concerns grew so large in 2016 that NIST (the National Institute of Standards and Technology) announced it was no longer recommending two-factor authentication via SMS.

So, hopefully you’re convinced that it makes really good sense to enable two-factor authentication for your Twitter account, and even better to do it in a way that doesn’t involve you relying upon vulnerable SMS messages.

Here’s how to enable the feature (known as Login Verification in Twitter parlance):

1. Log into Twitter at http://www.twitter.com from your desktop’s browser.

2. In the top right-hand corner, click on your avatar to bring up a drop-down menu. Click on Settings and privacy.

3. Under Account, choose Set up login verification.

If you have not previously configured 2FA for Twitter, you will still need to initially set up the service with a mobile phone number and SMS. Twitter will walk you through that process. Once that’s in place, you’ll be able to switch Twitter to using an authentication app like Google Authenticator instead. Yes, this is a bit dumb…

Assuming you’ve been through the rigmarole of initially setting up Twitter’s 2FA with SMS, here’s what you do next.

4. Click on Get backup code. This will generate an emergency backup code that you can use, if for any reason, you lose access to the device running your authenticator app.

Make a note of your backup code and keep it safe and secure. You definitely don’t want this falling into the wrong hands. For obvious reasons I’ve obscured my backup code in the screenshot below.

5. Click on Review your login verification methods. It’s time to set up a mobile authentication app. In the Mobile security app section click on Set up.

6. Scan the displayed barcode into your preferred authentication app.

Your app should now be able to generate the codes you require to log in. Twitter will ask you to enter a code to check that everything is working properly.

7. Think you’re done? Not quite. You need to make sure that Twitter won’t still try to send you its six-digit login codes via SMS.

Go to Text Message and click on Edit.

8. Under Text message choose Off, and click Save changes.

Congratulations! You’ve done it.

From now on, whenever you try to log in to your Twitter account you will be asked for the six-digit login verification code from your authenticator app after you have entered your username and password. Even if your password is compromised in future, hackers are going to find it considerably more difficult to access your account.

 


GPS is off so you can’t be tracked, right? Wrong

Sophos

Don’t want anybody tracking you through your smartphone? Just turn off “location services” or whatever your device calls your GPS, and you will vanish from the online radar screen, right?

Of course not. That’s never been entirely true – since your phone continues connecting with cell towers even with GPS turned off, anyone with access to that data can come reasonably close to locking in on your location.

Recall, as Naked Security’s Lisa Vaas reported just a few weeks ago, that lawyers for Timothy Ivory Carpenter, convicted in 2014 of a string of robberies in the Midwest, are arguing that the convictions should be thrown out because prosecutors relied in part on cell tower data for which law enforcement didn’t obtain a warrant. Legal arguments aside, the point here is that, as Vaas noted, whether he had his GPS turned on or not was irrelevant:

The cellphone records… revealed that over a five-month span in 2010 and 2011, his cellphone connected with cell towers in the vicinity of the robberies.

But adding yet more evidence to the bulging “privacy-is-even-more-dead-than-that” folder are several researchers from the Electrical Engineering Department at Princeton University who created an app they call “PinMe” to show that, with just a couple thousand lines of added code (plenty of games and apps have hundreds of thousands of lines of code), smartphone users can be tracked just as precisely as their GPS, even when it’s turned off.

The researchers – Arsalan Mosenia, Xiaoliang Dai, Prateek Mittal and Niraj Jha – in a 15-page paper published on the IEEE (Institute of Electrical and Electronics Engineers) website (paywall), describe how their app collects data from sensors in the device that don’t require special permission to access.

As they put it, in tests using an iPhone 6, iPhone 6S and Galaxy S4 i9500:

We describe PinMe, a novel user-location mechanism that exploits non-sensory/sensory data stored on the smartphone, e.g., the environment’s air pressure and device’s timezone, along with publicly-available auxiliary information, e.g., elevation maps, to estimate the user’s location when all location services, e.g., GPS are turned off.

This does come with a caveat. Mosenia, a post-doctoral research scientist at Princeton’s EDGE and INSPIRE labs, acknowledged to Naked Security that he and his colleagues had no way to verify if commercial apps are doing this kind of data collection and tracking, “since their codes are not publicly available and we cannot modify/examine their codes.”

But through their “proof of concept,” they have demonstrated that it is possible. Which is more than creepy enough, if not outright dangerous to those for whom privacy can be a life and death matter.

As they say, both iOS and Android are designed to run with third-party apps, of which there are hundreds of thousands on the market. And while smartphone operating systems are also designed to protect most personal information, “several types of non-sensory/sensory data, which are stored on the smartphone, are either loosely protected or not protected at all.”

Those include a gyroscope, accelerometer, barometer and magnetometer. According to the researchers, measurements from those sensors:

…are accessible by an application installed on the smartphone without requiring user’s approval. As a result, a malicious application that is installed on the smartphone and runs in the background can continuously capture such data without arousing suspicion.

Using what they describe as “presumably non-critical data” from those sensors, the app first determines what the user is doing – walking, driving a car, riding in a train or an airplane. As Christopher Loren put it, writing on Android Authority:

Moving at a slow pace in one direction indicates walking. Going a little bit quicker but turning at 90-degree angles means driving. Faster yet, we’re in train or airplane territory. Those are easy to figure out based on speed and air pressure.

And then, the sensors also tell the app your speed, your relation to true north and how far above sea level you are. It takes four algorithms to narrow down the location of somebody on a plane. It is even simpler if you’re in a car:

The app knows the time zone you’re in based on the information your phone has provided to it. It then accesses information from your barometer and magnetometer and compares it to information from publicly available maps and weather reports. After that, it keeps track of the turns you make. With each turn, the possible locations whittle down until it pinpoints exactly where you are.

During a test run in Philadelphia, the researchers said it took only 12 turns for the app to know exactly where the car was.

Cryptography and privacy researcher Bruce Schneier, CTO at IBM Resilient, linked to the research on his blog, adding the observation that:

This is a good example of how powerful synthesizing information from disparate data sources can be. We spend too much time worried about individual data collection systems, and not enough about analysis techniques of those systems.

That is the concern of other privacy experts as well. “It’s pretty alarming and definitely creepy,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology (CDT).

Location data is extremely sensitive personal information, especially when it is collected over a long time, with high frequency and in real-time. It can be dangerous for victims of domestic violence or stalking, and for people with very sensitive roles in society, like law enforcement, judges, politicians, etc.

And Rebecca Herold, CEO of The Privacy Professor, said commercial apps are not only, “collecting, storing, and sharing all the data possible from the devices upon which they are loaded,” but are combining that data with other datasets about users, including their locations.

They may be correct in saying they are not collecting explicitly named data from you specifically, but they almost always are combining what they do collect with other datasets, to then establish very detailed insights into your life, activities, locations, likes and dislikes, and a wide range of views into your private life.

What, if anything, can you as an individual do about that? Not all that much, other than to practice basic “security hygiene.” One of the most obvious, Herold says, is to remove all apps you’re no longer using. Stay away from sketchy apps – get them from “stores” that have done some vetting. Do a bit of homework on the companies that develop and sell them.

Beyond that, “users also need to periodically shut down and clear out cache, memory, and delete unnecessary files,” she said. “These are also valuable sources of data for apps.”

But that, of course, takes time, and most users are much more interested in the features of an app than in its security or what it collects.

So, for years, advocates have been lobbying for legislation to require apps that want to use the sensors to request access. This might get as much (very little) attention as Terms of Service and Privacy Policies, but at least it would raise awareness of what apps are collecting, and give users a chance to opt out.

The researchers offer some recommendations for the industry. Among them:

  • Require sensors to decrease their sampling rate when they are inactive. That would make it harder for malicious apps to get the data they need.
  • Add hardware switches to phones, allowing users to deactivate the sensors when they aren’t in use.

And Hall says it’s long past time for Congress to pass, “general data protection legislation that steps away from the silo-ed, sector-specific manner we legislate privacy protections now.” He said for years, CDT has pointed out that only the US and Turkey lacked such general privacy regulations.

But Turkey actually passed such a law recently, making the USA the lone hold out… we’re an opt-out country living in an opt-in world; something has got to give.


Buyers Beware of Tampered Gift Cards

Krebs on Security, December 19, 2017

https://krebsonsecurity.com/2017/12/buyers-beware-of-tampered-gift-cards/

Prepaid gift cards make popular presents and no-brainer stocking stuffers, but before you purchase one be on the lookout for signs that someone may have tampered with it. A perennial scam that picks up around the holidays involves thieves who pull back and then replace the decals that obscure the card’s redemption code, allowing them to redeem or transfer the card’s balance online after the card is purchased by an unwitting customer.

Last week KrebsOnSecurity heard from Colorado reader Flint Gatrell, who reached out after finding that a bunch of Sam’s Club gift cards he pulled off the display rack at Wal-Mart showed signs of compromise. The redemption code was obscured by a watermarked sticker that is supposed to make it obvious if it has been tampered with, and many of the cards he looked at clearly had stickers that had been peeled back and then replaced.

“I just identified five fraudulent gift cards on display at my local Wal-Mart,” Gatrell said. “They each had their stickers covering their codes peeled back and replaced. I can only guess that the thieves call the service number to monitor the balances, and try to consume them before the victims can.  I’m just glad I thought to check!”

In the picture below, Gatrell is holding up three of the Sam’s Club cards. The top two showed signs of tampering, but the one on the bottom appeared to be intact.

Kevin Morrison, a senior analyst on the retail banking and payments team at market analysis firm Aite Group, said the gift card scheme is not new but that it does tend to increase in frequency around the holidays, when demand for the cards is far higher.

“Store employees are instructed to look for abnormalities at the [register] but this happens [more] around the holiday season as attention spans tend to shorten,” he said. “While gift card packaging has improved and some safe-guards put in place, fraudsters look for the weakest link and hit hard when they find one.”

Gift cards make great last-minute gifts, but don’t let your guard down in your haste to wrap up your holiday shopping. There are so many variations on the above-described scheme that many stores have taken to keeping gift cards at or behind the register, where cashiers can more easily spot customers trying to tamper with the cards. As a result, stores that take this basic precaution may be the safest place to purchase gift cards.

Watch out – fake support scams are alive and well this Christmas

A few years ago, fake support call scams were one of the most likely cybercrimes that would reach out and touch you at home.

And, boy, how those guys used to reach out.

Boiler rooms full of scammers would make cold call after cold call, ploughing day and night through lists of phone numbers to scare victims into paying up for technical support they didn’t need for malware infections they didn’t have.

Here’s how we summarised the MO of these scummy scammers back in 2014:

The crooks call up and say they’re from “Microsoft” or “Windows”; tell you they’re following up reports of malware activity coming from your computer; convince you that you are infected; and charge you a fee of about $300 to sort you out.

All a pack of lies.

They’re not legitimate IT support technicians; they have no idea whether there is malware on your computer or not; the “evidence” they come up with is harmless and could be found on an uninfected computer; and the $300’s worth of fiddling around they do is simply $300’s worth of fiddling around.

You could achieve the same technical outcome for yourself by doing nothing at all – LITERALLY nothing.

If you didn’t hang up right away – or even if you did – then the crooks would often come back, sometimes calling again and again, ramping up the pressure, the fear and the threats in the hope that you’d eventually cave in.

For better or worse, technical support scams don’t make the headlines as much as they did.

Firstly, other, more directly pernicious threats such as ransomware have understandably grabbed our attention instead; secondly, this fake tech support “business” has become slightly more sophisticated.

We presume that more and more people have become less and less tolerant of cold calls, thus reducing the hit-rate of scammers who rely on contacting you first.

In recent years, support scams usually start from a website that’s poisoned with dubious advertising.

You’ll often get a pop-up warning urging you to phone the crooks (typically via an in-country tollfree number to add legitimacy), so you end up pre-selecting yourself as a potential victim.

Well, don’t get fooled this Christmas, because the scammers are still hard at it.

Here’s one we saw over the weekend, while reading a legitimate news site, albeit not a mainstream one.

We clicked on one of those “you’ll never believe what happened next” stories (for research purposes only, of course!), and then mis-clicked (honestly!) on an ad simply by tapping the trackpad by mistake just short of our intended on-screen destination:

 

The crooks haven’t lined things up perfectly, as you’ll probably realise, especially if you’re a native speaker of English who currently lives in the UK.

For example:

  • The automatic text-to-speech conversion has messed up the pronunciation of some of the words. Pornography comes out as poor and/or graphic. The word logins is spoken with a soft -g-.
  • The phone number is written US-style, wrongly assuming a three-digit area code. The dialling code for this number would be grouped as four digits, like this: +44-1273-XXX-YYY.
  • The number isn’t toll free, as claimed. Numbers starting +44-1273 are paid calls to the Brighton area on the South coast of England.
  • The password request is superfluous, and so it should stand out as suspicious. Also, this is not an HTTPS page, so if you put in your password, not only will the crooks get it, but anyone else on the same network will be able to see it, too.

But these are details that are easy to overlook; the crooks often get the details right, anyway; and plenty of legitimate websites make similar mistakes.

What to do?

We haven’t called the number shown above; we don’t intend to; and we recommend that you don’t, either, no matter how much fun you think you can have messing with the criminals.

They’re crooks – why engage at all, especially when you might accidentally give something away about yourself in the process?

This festive season, even if trying new websites, buying from new vendors, contacting people you haven’t heard from in ages, and otherwise living a larger life online than you have all year…

…don’t let anyone, especially someone you don’t know, and whom you didn’t ask for help, pressurise you into doing, saying, posting, calling, texting, clicking or buying anything.

If you’re worried, ask someone whom you know and trust for help, face-to-face.

If you’re one of those “askees” who end up stuck with friends-and-family technical support over the holidays, please try to do it with good grace, to keep your loved ones out of the clutches of fake support sleazebags like the ones shown here.

If in doubt, STOP. THINK. And only then CONNECT.


How a Wi-Fi Pineapple Can Steal Your Data (And How to Protect Yourself From It)

Daniel Oberhaus

The Wi-Fi Pineapple enables anyone to steal data on public Wi-Fi networks. Here’s how it facilitates two sophisticated network attacks and how to protect yourself against them.

This article is part of How Hacking Works, Motherboard’s guide to demystifying information security.


In popular media, hackers are often portrayed as an elite cabal of ski mask aficionados and computer experts that can keyboard mash their way into any digital device. But what if I told you that you can also pwn almost any internet connected device around you, even if you can’t tell an SSL from an SSID?

Yes, my friend, the device you are looking for is a Wi-Fi Pineapple, which can turn anyone from hack to hacker for the low, low price of $99. Since it is so cheap and easy to use, it’s important to understand how the Pineapple works in order to protect yourself against its attacks.

The Pineapple is a nifty little device first released in 2008 by Hak5, a company that develops tools for penetration testers, or “pentesters.” Pentesters are usually hired by organizations to attack their own networks in order to expose vulnerabilities before they are discovered by some bad actors. The Pineapple allows pentesters to easily execute sophisticated attacks on public Wi-Fi networks to see how the attacks work and how to protect the network from those attacks.

Pineapples aren’t much different than the normal Wi-Fi access points you use to get internet at home or in the office, just more powerful. They use multiple radios rather than just a single radio found in most routers. This means a Pineapple is able to interface with hundreds of devices at a time, rather than just a few dozen. Moreover, the Pineapple’s web interface is optimized to execute complicated network attacks.

“When I invented the Wi-Fi Pineapple, I saw that Wi-Fi had inherent flaws that made it vulnerable to spoofing attacks,” Darren Kitchen, the founder of Hak5, told me in an email. A spoofing attack is when a hacker impersonates a service or device in order to gain access to a victim’s data.

“A lot of nefarious types had already taken advantage of these weaknesses, but the majority of people weren’t aware of the problem,” Kitchen added. “I figured if information security people had access to a device that could easily exploit these flaws, it would raise awareness and get things fixed.”

Although the Pineapple has always had a cult following within hacker circles, it recently rose to prominence after it was featured as a major plot point in the shows Silicon Valley and Mr. Robot.

In these shows the device was used to spoof a website and to execute a man-in-the-middle attack to hack the FBI, respectively. According to Kitchen, who served as a technical advisor on the Silicon Valley episode, the fictional depiction of the Pineapple in these shows isn’t so far from the truth.

The Pineapple is an invaluable tool for pentesters, but its popularity is also due to the fact that it can be used for more nefarious purposes. Hackers can easily wield the device to collect sensitive personal information from unsuspecting users on public Wi-Fi networks.

It’s important to keep in mind that just because you can pwn all the things with a Pineapple, doesn’t mean it’s legal or that you should. Owning a Pineapple is legal, but taking money out of someone’s bank account by stealing their unencrypted password is not. The Pineapple just makes grabbing unencrypted passwords sent over Wi-Fi easier. I am not a lawyer, but in general, if you do not have explicit permission to use the Pineapple on a network that you own as well as from anyone who could reasonably connect to that network, you are treading in dangerous territory.

Again: Executing a Pineapple’s exploits on a network you don’t own if you’re not a pentester working in a professional setting can quickly put you into illegal territory. Even if you don’t get caught, you’re still an asshole for doing it, so just…don’t.

This guide is meant to be an informational glimpse into the world of network pentesting, as well as a reminder about the importance of personal information security. After showing you just a few of the ways a Pineapple can be used to pwn you, I’ll also walk you through some simple steps you can take to make sure you’re never on the wrong end of a malicious Pineapple attack.

Hak5 makes a few different versions of the Pineapple, but while putting together this article I used its cheapest model, which I bought at the DEF CON hacking conference for the purposes of this article: the Pineapple Nano. I configured it on a Windows computer, although it’s also compatible with iOS and Linux systems.

The Pineapple Nano. Image: Hak5

The initial setup is a piece of cake. All you need to do is plug it into the USB port on your computer, navigate to the Pineapple’s IP address and it’ll take care of the rest. After you’ve updated your login information for the Pineapple, you’re ready to try some exploits.

EXPLOIT #1: WALL OF SHEEP

Every year at DEF CON, one of the largest hacking conferences in the world, the Packet Hacking Village hosts the Wall of Sheep. This is essentially a running list of devices that have sent unencrypted traffic over an insecure network at DEF CON. The list is usually displayed on a large projector screen at the Packet Hacking Village, where anyone can see not only the device’s ID, but also the websites it was trying to access and any credentials that went over the wire in the clear.

It’s a light-hearted way of shaming people into better information security, and you can easily create your own Wall of Sheep using a Pineapple.

Read More:72 Hours of Pwnage: A Paranoid N00b Goes to DEF CON

All of the exploits for the Pineapple are freely available as downloadable modules on the Pineapple’s dashboard and usually take a single click to download and install on the device. Once the Wall of Sheep module (called ‘DWall’) is installed, any device that connects to the Pineapple is effectively showing its unencrypted browsing traffic to the Pineapple’s owner.

The exception, of course, is a would-be victim who is using a Virtual Private Network (VPN) to encrypt all of their traffic, or who only visits pages served over HTTPS (HTTP over TLS). HTTPS encrypts the data exchanged between the website’s server and your device, so an eavesdropper cannot read the pages you load, the forms you submit or your cookies. What it does not hide is which site you connected to: the server name still travels unencrypted in the DNS lookup and in the TLS handshake. The same goes for your internet service provider: with HTTPS it can see that you visited Motherboard, but not that you clicked on this article.

Although over half the web has switched to HTTPS from its insecure predecessor, HTTP, a 2017 Google audit found that nearly 80 percent of the top 100 websites don’t deploy HTTPS by default. This means that anyone who inadvertently connects to a Pineapple and then browses to the HTTP version of such a site is exposing all of their activity on that site, from pages visited to search terms to any password typed into a form, to the person wielding the Pineapple.

Many websites have both an HTTP version and an HTTPS version, which, as we’ll see in the next exploit, is exactly the gap a Pineapple can exploit.

The original Pineapple released in 2008. Image: Darren Kitchen/Hak5

EXPLOIT #2: MAN-IN-THE-MIDDLE + EVIL PORTAL

Pineapple man-in-the-middle (MITM) attacks are really the main reason pentesters get this device.

MITM attacks are a way of eavesdropping on a user by inserting a Pineapple between the user’s device and legitimate Wi-Fi access points (in terms of how data is routed through the network, not necessarily literally between them in meatspace). The Pineapple then pretends to be the legitimate Wi-Fi access point so it can snoop on all the information as it relays data from the device to the access point.

Another way of thinking about MITM attacks is that they are kind of like if someone dropped a letter in their mailbox and then a stranger opened up their mailbox, read the letter and then put it back in the mailbox to be sent.

Read More: Turning Off Wi-Fi and Bluetooth in iOS 11 Doesn’t Actually Turn Off Wi-Fi or Bluetooth

So how does a Pineapple trick your device into thinking it is a legitimate access point? The Pineapple has a native feature that listens for probe requests: frames in which nearby devices ask, by name, for Wi-Fi networks they already know. A network’s name is its service set identifier (SSID).

Any time you connect to a Wi-Fi network on your phone or computer, your device saves that Wi-Fi network’s SSID in case you ever need to connect to that Wi-Fi network in the future. But this convenience comes with a major cost.

Let’s say you connected to the Wi-Fi at your favorite local coffee spot, and its network is called “Human_Bean_wifi”. After you’ve left the coffee shop, your phone or laptop may keep sending probe requests that essentially ask every access point in range, “Are you ‘Human_Bean_wifi’?” It does this for networks you’ve connected to in the past. (Newer phone operating systems send far fewer of these named probes for networks that broadcast their own name, which is one reason the Pineapple can also simply broadcast a list of SSIDs it has collected and wait for devices that recognize one.)

Pineapples take advantage of this by collecting every SSID that devices nearby are probing for. The Pineapple then advertises those SSIDs itself, so that devices believe they have found an access point they connected to before. In the example above, the Pineapple sees your phone asking, “Is this network ‘Human_Bean_wifi’?” and answers with its own signal that says, “Yes, I am ‘Human_Bean_wifi’, connect to me.” One important limit: your device checks the security type as well as the name. A saved open network like a coffee-shop hotspot can be imitated by any radio, but an impostor of your WPA2-protected home network would need your Wi-Fi password to complete the connection, so it is the saved open networks that are dangerous.

Put another way, this would basically be like walking around with a set of keys to your house and asking every stranger you meet if they are your roommate. In most cases, those strangers will say “no,” but you also run the risk of running into an ill-intentioned stranger who will lie to you and say “yes, of course I am your roommate. Please let me in,” and then proceed to steal all your stuff.
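As an added illustration (not Hak5’s code), the following Python parses constructed 802.11 probe requests, probe responses and beacons, shows the check a client makes before auto-joining, and flags a radio that behaves like a Pineapple: one BSSID answering for many different SSIDs, including a random “canary” name that nobody ever configured. All MAC addresses, SSIDs and frames are made up, and a real check would read frames from a monitor-mode interface. The `will_autojoin` check also models why a WPA2 home network is safe from this trick: the security type has to match, not just the name.

```python
"""Parse minimal 802.11 management frames and spot a Karma/PineAP-style access point.

Added example for this article, not Hak5 code. Every frame, MAC address and SSID
below is constructed; a real check would read frames from a monitor-mode interface.
"""
import struct
from collections import defaultdict

# Frame-control values (little-endian) of the management subtypes used here.
FC_PROBE_REQ = 0x0040   # type 0 (management), subtype 4
FC_PROBE_RESP = 0x0050  # subtype 5
FC_BEACON = 0x0080      # subtype 8
CAP_PRIVACY = 0x0010    # capability bit: network is encrypted (WEP/WPA/WPA2)
IE_SSID = 0             # information-element tag carrying the SSID
BROADCAST = b"\xff" * 6


def build_mgmt(fc, src, dst, ssid, protected=False):
    """Build a probe request, probe response or beacon carrying one SSID."""
    bssid = BROADCAST if fc == FC_PROBE_REQ else src
    header = struct.pack("<HH6s6s6sH", fc, 0, dst, src, bssid, 0)
    body = b""
    if fc != FC_PROBE_REQ:  # responses and beacons start with fixed parameters
        body += struct.pack("<QHH", 0, 100, CAP_PRIVACY if protected else 0)
    ssid_bytes = ssid.encode()
    return header + body + bytes([IE_SSID, len(ssid_bytes)]) + ssid_bytes


def parse_mgmt(frame):
    """Return subtype, transmitter, BSSID, SSID and whether the network is encrypted."""
    fc, _dur, _addr1, addr2, addr3, _seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    offset, capability = 24, None
    if subtype in (5, 8):  # probe response / beacon: timestamp, interval, capability
        _ts, _interval, capability = struct.unpack_from("<QHH", frame, offset)
        offset += 12
    elements = {}
    while offset + 2 <= len(frame):  # tag, length, value ...
        tag, length = frame[offset], frame[offset + 1]
        elements[tag] = frame[offset + 2:offset + 2 + length]
        offset += 2 + length
    return {
        "subtype": subtype,
        "src": addr2.hex(":"),
        "bssid": addr3.hex(":"),
        "ssid": elements.get(IE_SSID, b"").decode(errors="replace"),
        "protected": None if capability is None else bool(capability & CAP_PRIVACY),
    }


def will_autojoin(saved_profile, response):
    """A client auto-joins only when SSID *and* security type match its saved profile.

    An impostor advertising your WPA2 home SSID as an open network gets nothing:
    the client expects a protected network and won't join an open one.
    """
    return (saved_profile["ssid"] == response["ssid"]
            and saved_profile["protected"] == response["protected"])


def find_karma_aps(frames, canary_ssid, max_ssids=3):
    """Flag BSSIDs that answer a canary SSID nobody configured, or advertise many SSIDs."""
    ssids_by_bssid, canary_hits = defaultdict(set), set()
    for frame in frames:
        p = parse_mgmt(frame)
        if p["subtype"] not in (5, 8):
            continue
        ssids_by_bssid[p["bssid"]].add(p["ssid"])
        if p["ssid"] == canary_ssid:
            canary_hits.add(p["bssid"])
    return {b: sorted(s) for b, s in ssids_by_bssid.items()
            if b in canary_hits or len(s) >= max_ssids}


# Constructed scenario: a phone probing for two saved networks plus a canary, a real
# WPA2 home router beaconing its own name, and one device answering every probe.
PHONE = bytes.fromhex("020000000001")        # locally administered, made-up addresses
HOME_ROUTER = bytes.fromhex("020000000002")
PINEAPPLE = bytes.fromhex("020000000003")
CANARY = "zq8-canary-7f1c"  # random-looking SSID that exists nowhere

SAMPLE_FRAMES = [
    build_mgmt(FC_PROBE_REQ, PHONE, BROADCAST, "Human_Bean_wifi"),
    build_mgmt(FC_PROBE_REQ, PHONE, BROADCAST, "HomeNet"),
    build_mgmt(FC_PROBE_REQ, PHONE, BROADCAST, CANARY),
    build_mgmt(FC_BEACON, HOME_ROUTER, BROADCAST, "HomeNet", protected=True),
    build_mgmt(FC_PROBE_RESP, PINEAPPLE, PHONE, "Human_Bean_wifi"),
    build_mgmt(FC_PROBE_RESP, PINEAPPLE, PHONE, "HomeNet"),
    build_mgmt(FC_PROBE_RESP, PINEAPPLE, PHONE, CANARY),
]

if __name__ == "__main__":
    print(find_karma_aps(SAMPLE_FRAMES, CANARY))
```

Running it prints the one BSSID that answered all three probes; the genuine home router, which only ever beacons its own name, is not flagged. The canary trick also works without any code: save a network with a random name on your phone, and if the phone ever reports being connected to it, something nearby is answering every probe it hears.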

Read More: The Motherboard Guide to VPNs

But getting devices to connect to a Pineapple is only half of executing a MITM exploit. An attacker also must be able to read the data being routed from the device through the Pineapple. There are a couple of ways to do this.

A Pineapple can be used to create an “Evil Portal,” which basically creates fake versions of websites to capture usernames and passwords, credit card information or other sensitive data.

These work by hosting, on the Pineapple itself or on the attacker’s computer behind it, a web page that looks like the regular login page of a well-trafficked service like Gmail or Facebook. Such pages are easy to clone with a browser’s “save page” function or free online tools.

Then the attacker configures the Pineapple so that when any connected device tries to browse to a site like Twitter or Facebook, it is redirected to the fake page instead; a captive portal, the kind of “click to accept” page airports and cafés show, makes the redirect look normal. If the victim enters their details on this page, the username and password go straight to the attacker, and the victim may never know they’ve been pwned. The tell is the address bar: a login page for a major service arriving over plain http://, or a certificate warning, means you are not talking to the real site.

Another way of harvesting someone’s browsing data with a MITM attack is to use Pineapple modules that strip away a site’s attempt to move the connection to HTTPS and read traffic that would otherwise have been encrypted.

For example, consider a website like Motherboard, which is served over HTTPS. If you simply type “motherboard.vice.com” into your browser’s address bar and press enter, the browser sends a plain HTTP request to Vice’s servers (unless it has previously learned, via HTTP Strict Transport Security, that the site only speaks HTTPS). Vice’s servers then answer that request with a redirect to the HTTPS version of the site. (The same is true of many major websites, such as Twitter.)

Forcing users to the HTTPS version is a great way to beef up a website’s security, but it’s the user’s initial HTTP request that a Pineapple can exploit. A module such as SSLSplit watches for HTTP requests from devices connected to the Pineapple. It forwards each request to the real server, but when the server answers with a redirect to the HTTPS address, the Pineapple “strips” the upgrade: it talks HTTPS to the server itself and serves a plain HTTP copy of the site back to the user, rewriting https:// links in the pages as it goes (the technique is known as SSL stripping). It cannot touch a connection that starts out as HTTPS, and a browser that already knows the site is HTTPS-only, through HTTP Strict Transport Security (HSTS) or the preload list shipped with the browser, never sends that first plaintext request.

At this point, the user is browsing an insecure version of the site that looks almost exactly the same. The only visible difference is that the padlock icon has disappeared from the browser’s address bar and the URL begins with http:// instead of https://.

Always check for the padlock in your browser’s address bar.

This attack clearly demonstrates the importance of encrypted communication protocols such as HTTPS. Without them, all the data being routed between the device and the access point can be easily read by anyone with a Pineapple.
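To make the stripping step and the HSTS defence concrete, here is a small offline model, added for this page and not code from the Pineapple or its SSLSplit module. It shows the rewriting a stripping proxy performs on a server’s redirect and page, and the check a browser with an HSTS entry performs before it would send a plain-HTTP request. The host name example.com, the server responses and the page body are constructed; a real proxy does the same thing on live sockets.

```python
"""Offline model of SSL stripping and of the HSTS defence against it.

Added example for this article, not code from the Pineapple or its modules.
The server responses, page body and host name 'example.com' are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit

HTTPS_LINK = re.compile(r"https://([^\s\"'<>]+)")


def strip_response(status_line, headers, body):
    """Rewrite a server response the way a stripping proxy does before relaying it over plain HTTP.

    Returns the rewritten response plus the set of https:// URLs the proxy must remember:
    when the victim later asks for the http:// versions, the proxy fetches the real
    https:// resource from the origin on the victim's behalf.
    """
    remembered = set()
    new_headers = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "strict-transport-security":
            continue  # dropped: the victim must never learn that this host is HTTPS-only
        if lname == "location" and value.lower().startswith("https://"):
            remembered.add(value)
            value = "http://" + value[len("https://"):]
        new_headers[name] = value

    def downgrade(match):
        remembered.add(match.group(0))
        return "http://" + match.group(1)

    return status_line, new_headers, HTTPS_LINK.sub(downgrade, body), remembered


class Browser:
    """Just enough of a browser to show why HSTS defeats stripping."""

    def __init__(self, preloaded_hosts=()):
        # Hosts the browser will only ever speak HTTPS to (shipped preload list or learned).
        self.hsts_hosts = set(preloaded_hosts)

    def learn_hsts(self, host, headers, over_tls):
        """Per RFC 6797 the header is only honoured on a response received over TLS."""
        if not over_tls:
            return False
        for name in headers:
            if name.lower() == "strict-transport-security":
                self.hsts_hosts.add(host)
                return True
        return False

    def navigate(self, url):
        """URL actually requested: upgraded internally if the host is in the HSTS cache."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hsts_hosts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


# Constructed origin behaviour: plain HTTP gets a redirect to HTTPS plus an HSTS header,
# and the HTTPS login page posts its form to an https:// URL.
ORIGIN_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently",
    {"Location": "https://example.com/login",
     "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "",
)
ORIGIN_LOGIN_PAGE = (
    "HTTP/1.1 200 OK",
    {"Content-Type": "text/html"},
    '<form action="https://example.com/session" method="post">'
    '<input name="user"><input name="pass" type="password"></form>',
)


def attack_first_visit(browser, typed="example.com"):
    """What happens when the user types a bare host name on a network with a stripping proxy."""
    requested = browser.navigate("http://" + typed + "/")
    if requested.startswith("https://"):
        return {"stripped": False, "requested": requested}  # no plaintext request ever left
    _, hdrs, _, _ = strip_response(*ORIGIN_REDIRECT)
    _, _, page, _ = strip_response(*ORIGIN_LOGIN_PAGE)
    form_action = re.search(r'action="([^"]+)"', page).group(1)
    return {"stripped": True, "next_url": hdrs["Location"], "form_action": form_action,
            "hsts_learned": browser.learn_hsts(typed, hdrs, over_tls=False)}


if __name__ == "__main__":
    print(attack_first_visit(Browser()))                                  # stripped
    print(attack_first_visit(Browser(preloaded_hosts=["example.com"])))   # not stripped
```

Two things the model makes visible: the proxy drops the Strict-Transport-Security header as well as rewriting the redirect, so a victim who only ever meets the site through the proxy never learns to refuse HTTP; and the defence lives entirely on the client side, which is why a site’s HSTS header only protects you once your browser has seen it over a clean HTTPS connection, or the site is on the preload list shipped with the browser.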

HOW TO PROTECT YOURSELF FROM MALICIOUS PINEAPPLE USERS

The hacks discussed above are just the tip of the iceberg. Fortunately, there are a number of simple steps you can take to protect yourself from getting pwned by some asshole with a Pineapple.

BE WARY OF PUBLIC WI-FI NETWORKS

The easiest thing you can do is only connect to Wi-Fi networks you know and trust. Your home network, for instance, is almost certainly safe from a Pineapple attack. The reason is not that a Pineapple has to be on your network first, but that it cannot convincingly impersonate a WPA2-protected network without the passphrase: your device will not auto-join an “open” copy of a protected network, and an impostor that advertises WPA2 cannot complete the handshake without the key. So unless the attacker has your home Wi-Fi credentials, they won’t be able to pwn you with a Pineapple.

Same goes for your office Wi-Fi—unless, of course, your office has hired a pentester to audit its network. The real danger of a Pineapple attack is on public networks—places like your local coffee shop or the airport are all prime places for an attack. Most people don’t stop to check whether the “free_airport_wifi” access point is legit and connect without thinking.

When it comes to networking infosec, vigilance is key. The most secure option is to never use public Wi-Fi networks at all. That is a major pain in the ass, however, and will almost certainly drive up your cell phone bills for data use. (For what it’s worth, your cell phone isn’t safe from IMSI catchers either, but I digress).

VIRTUAL PRIVATE NETWORKS

If you must get on public Wi-Fi, your best bet is a VPN. With a VPN, your device encrypts all of its traffic and sends it through a tunnel to the VPN server, which decrypts it and forwards it to its destination; anyone on the Wi-Fi between you and that server sees only encrypted data. So even though an attacker may be able to see that your device has connected to their Pineapple and is talking to a VPN server, they won’t be able to read what passes through. Two caveats: the Pineapple can still see and block the tunnel, and anything your device sends in the moments before the VPN connects (or after it drops) goes out in the clear, so prefer a client with a “kill switch” that blocks traffic outside the tunnel, and check that your DNS lookups go through it too.

“Using a VPN is still the best advice,” Kitchen said. “When you use a VPN, anyone peering into your traffic is only going to see an encrypted mess. That goes for any eavesdropper—be it a Wi-Fi Pineapple, your ISP, an employer or even our wonderful government.”

Choosing the right VPN can be a really tough challenge. Here’s a simple guide with some suggestions.

HTTPS ONLY

Another good rule of thumb is to only visit websites secured with HTTPS (like Motherboard!) These days, most websites you’re likely to visit on a day-to-day basis that hold sensitive information have switched over to this security standard from HTTP, thanks to a concerted industry effort to push HTTPS, including Google’s search ranking privileging encrypted sites over those that aren’t. Still, Pineapple modules can push a connected device onto the insecure (HTTP) version of a site if the visitor didn’t explicitly type https:// before the domain name and the browser doesn’t already know the site as HTTPS-only. (Sites that set HTTP Strict Transport Security, and especially those on the browsers’ HSTS preload lists, can’t be downgraded this way once the browser has seen them.)

Read More: Wikipedia’s Switch to HTTPS Successfully Fought Government Censorship

“Unfortunately too many websites don’t use HTTPS, and many that do are still susceptible to downgrade attacks,” Kitchen told me. “If you’re venturing anywhere off the beaten path, I’d advise against using this as your only line of defense. It’s still important to stay vigilant and check for HTTPS, but pack a VPN too.”

In short, always check the URLs of the websites you visit to make sure they’re using HTTPS. Browsers like Chrome, Firefox, and Opera make this easy with a small padlock icon (labelled “Secure” in Chrome) on the left-hand side of the address bar, and they warn you when a page asking for a password is not secure.

ALWAYS FORGET

Finally, whenever you are done with a public Wi-Fi network, tell your phone or computer to ‘forget’ it. That way your device won’t keep probing for the names of networks it connected to in the past, which an attacker with a Pineapple can spoof. Unfortunately there is no one-tap way to do this on Android or an iPhone; each network must be forgotten manually in the “Manage Networks” section of the phone’s Wi-Fi settings.

Another simple fix is to turn off Wi-Fi when you’re not using it (though that isn’t as easy on some devices anymore) and not to let your device connect automatically to open Wi-Fi networks.

Read More: WiFi Signals Can ID Individuals by Body Shape

While it’s easy to get paranoid and wonder if there’s a Pineapple waiting to pwn you any time you get a Wi-Fi connection, most Pineapple exploits can be easily avoided by simply staying vigilant about your network settings and internet experience. For all their prowess at manipulating electronics, hackers are still very much dependent on human error for their craft.

“The Wi-Fi Pineapple is really good at mimicking Wi-Fi networks you’ve connected to in the past,” Kitchen said. “If you’re at a park and your device says it’s connected to an airplane’s Wi-Fi, something is amiss. A quick reality check is usually all it takes to see if you’ve been duped by a Wi-Fi Pineapple.”

Posted in Hardware, Privacy, Security, Tips-n-Tricks