Quick n’ dirty loop to check breaches against Have I Been Pwned API

Using Have I Been Pwned to see if your email address has been breached? Most of us have more than one email address which can make plunking each address into the site painful. But, fear not, there’s an API here

There’s a million ways to use it and a crappy little bash script works just fine.

Here’s mine:

File with email addresses

Create a text file with one email address per line. I called mine emailaddys. Something like:

The script

Write a one-liner like this. I called mine check_haveibeepwned.sh:

Loop it all together

Note: The rate limiting is not specified in the API docs, but I found that sleep 2 was necessary to avoid tripping it. A User Agent is also required.

Did it work?

Breaches look like this (that’s 4 separate breaches):

Clean addys return nothing at all.


Machines don’t guess.

It’s hard for many people to understand how account hacking works. “How can someone guess my password that’s comprised of my kids’ names? It would have to be someone who knows me, and I add a number at the end to make it even harder.” Using your kid’s names is sure to create a weak password but if I were to try to guess your password I wouldn’t have much luck so it’s hard to demonstrate that [4]. The basic problem at work here is the “faulty analogy” fallacy. Things that look alike must be alike.

We’ve all seen humans attempt to guess various things in our lives so we know guessing is error prone and inefficient. We therefore assign these difficulties to machine guessing and arrive at the incorrect conclusion that guessing is universally hard and therefore we don’t need strong passwords and we certainly don’t need to bother with having different passwords on different sites.

The specific fallacy here is that machines don’t guess.

Machines don’t need us

The implementation of a user interface (UI) is one of the last things that is done prior to a device shipping to market. The UI is the thing that we humans interact with to use the machine. It is the layer that gives the machine a way to send and receive data from us two-eyed, two-eared, 10-fingered life forms. It’s almost a pity layer. We’re so slow and limited that the eager machine has to add a slow and limited set of buttons put on it for us to interact. Slow and limited we may be, but we’re also the only one with money to buy things, so the machine grudgingly gets over it. Grudgingly, because it doesn’t give up its fast and smart machine layer when the human UI is bolted on. It lurks beneath working non-stop which infers that you can also choose to bypass the UI and communicate with the machine at its own level if you have the skills and desire.

In some sense, that is what hacking is. It’s the ability to subvert the intended interaction method (the UI) to get at the machine below. In the case of account hacking the goal is to copy account usernames and passwords from the machine. Most websites have protections at the UI level to prevent attacks such as repeated attempts to guess passwords. If you were to go to your bank website and input an incorrect set of credentials repeatedly your account would eventually be locked out and your IP address temporarily blocked. If machines had to use that same human UI with all its safeguards in place then they’d have the same problem. It’s much easier for me to try to steal a copy of the user database and download it to my own machine. I then have access to the user database without all those UI constraints and can just hack away at it at my leisure to try to derive all the username and password combinations within.

User database breaches are legendary these days. The Have I Been Pwned website verifies and catalogues these types of breaches and has almost 2 billion accounts listed so far. If you consider that only about 3.5 billion people even have access to the Internet, that’s a lot of data breaches [1]. And most of these breaches are for sale. Multiple times.

That brings us back to your password.
Continue reading “Machines don’t guess.”

Mirai botnets: the vanishing upper limit of DDoS attacks.

There is a lot of blame to go around in the aftermath of the Dyn DDoS attack on Oct 21st. A good chunk of the bots look like Internet of Things (IoT) devices that were recruited by the Mirai botnet code. Mirai has dropped the traditionally high costs of building a botnet to near zero which means we’re seeing progressively larger and more effective DDoS attacks each week.

Sucuri discovered the first IoT botnet using CCTV devices in June. It was not long after that we started to see significantly larger DDoSes occurring and breaking all existing records for DDoS volume to date.

Why is Mirai such a big deal?

Hacker Mirai botnetAs I eluded to in the introduction, the cost of building a botnet used to be high. All those spam and phishing emails we’ve become numb to over the years were part of that effort. Hackers had to painstakingly trick each of us to click a malicious link which installed their malware on our (usually Windows) PC. It would take thousands of emails to get one or two suckers to click the link. It often took months to build a really powerful botnet with hundreds or thousands of zombie computers. And once it was built, it had to be carefully guarded to ensure it did not get dismantled by anti-virus software and other measures.

The reason this was so hard is because it was a person-against-person attack. Hacker guy had an agenda to trick you into clicking the link and you had a very good reason to not do that. That is why it took so many attempts to net one or two clicks. These IoT botnets are a different beast altogether. It’s smart humans against painfully dumb machines that have no way to even know what is happening to them, much less any sentient desire to protect themselves. The most significant contributing factor is the sheer number of these devices that are deployed with the factory username and password which means they may as well have no authentication system at all.

Mirai makes composing a botnet of 10s of thousands of devices even easier by automating the process. Mirai will even find the devices out on the Internet. So, now we have a situation where millions of dumb devices can be successfully exploited en masse within a short time frame. It’s the perfect storm.

Why was the Dyn DDoS attack significant?

Continue reading “Mirai botnets: the vanishing upper limit of DDoS attacks.”

The problem with the Internet of Things is the things

1The “Internet of Things”, or IoT, refers to the ever expanding offerings of traditionally non-Internet connected things that can now be connected to the Internet. The array of things you can connect to your home wifi network is staggering and, to be honest, pretty dumb. Internet connected toasters, light bulbs and even hot tubs are all available to lurk on your home network and send god only knows what data about you to god only knows where.

Your home network should be a safe place where only trusted devices have access. Traditionally, this has meant your own computers, your own smartphones and perhaps a few other devices such as gaming consoles. The problem with attaching a new device to your trusted network is two-fold: does it make attacking my network easier and what is it doing with the data it collects?

The attack vectors

Any device attached to your network can see all the other devices and, potentially, have access to them. If you’re sharing your budget and medical documents with your wife’s computer that’s fine. But is it possible to really keep track of a large number of often innocuous Internet connected devices that you’ve introduced to your network over time?

Additionally, each device connected to your network that talks to the outside world introduces a new attack vector and heightens the vulnerability of your safe network to some degree. Most of us run anti-virus, ad-blockers, and possibly ever firewalls on our PCs to keep bad guys out, but what does that toaster come with? Does it have any security software installed to prevent itself from becoming the weakest link in your network?

IoT devices are built by device manufacturers. This may seem like a self-evident statement and perhaps it is, but the point is that light bulb people build light bulbs and hot tub people build hot tubs. Their area of expertise is in the thing, not in the Internet which means their ability to build and maintain the Internet part of their device is a secondary concern. Internet connected CCTV networks, printers, and even cars have been hacked over the Internet largely because manufacturers do not have the Internet mindset that is born and flourishes under a healthy paranoia level 11.

Continue reading “The problem with the Internet of Things is the things”

Defeating keyless entry front door locks.

I’m the least mathey person I know. My bio will attest to that – my skills are terrible but my curiousity is high. There’s a certain magic to numbers that I get a glimpse of every now again when I manage to win a struggle with them and it’s compelling to me. Math is a representation of data and while me and Math don’t along very well, me and Data are best bros. I spend my days mucking about in log files on other people’s systems looking for reasons, root causes, and footprints. The trails become clear once you tame the data and turn thousands of unruly log lines into succint sorted output. These same techniques are used by good guys and bad guys alike and from them we learn that some things are truly hard. We also learn that some things only look hard, but really aren’t.

Four digit numbers crop up repeatedly in our society. In the late 1990’s I had a TD bank account and my bank card had a 6-digit PIN. That did not last long because the international consortium of bankey people standardized on 4-digits for PINS which is too bad because that exponentially decreased the security of my PIN. Overnight the odds of guessing my PIN plummeted from 1 in 1,000,000 to 1 in 10,000. But, hey, the bankey heads know what they’re doing, right? But I digress…

I’m not sure how we landed on 4 digits, but that frequency turns up all over the place. My bank card PIN is 4-digits, my credit card PINs are 4 digits, even my front door lock is 4 digits. That begs the question: how long would it take to guess the code to open my front door? Let’s ask math.

Continue reading “Defeating keyless entry front door locks.”

The fruit decision: how low should your website hang?

Probably the most significant decision people will make when building their website is the decision about what software to use. A lot of people choose existing CMS or ecommerce apps like WordPress or Magento which makes for a quick setup and reasonable support. Others choose to build their site from scratch or use one of many lesser deployed apps like the Ghost blogging platform or x-commerce. It’s nice to think that everyone evaluates the features of each offering and chooses the one that best fits their needs, but that is not what happens.

Most websites are owned by non-technical people without IT support so the software they end up using is whatever has the lowest cost of entry. That means whatever is in their control panel that can be installed with one click is what gets used.

Please use the back door sign

This situation is what leads to lopsided software deployment statistics such as massive WordPress footprints and, to step away from the Internet for a second, the global market share of Windows. The web software that is best at getting into one-click installers like Scriptaculous or pre-installed on desktop computers become the most popular. These large deployments of identical software provide a good selection of attack vectors for bad actors. If a vulnerability is exposed in WordPress, for example, a bad guy has literally millions upon millions of WordPress websites to attack using that exploit.

Continue reading “The fruit decision: how low should your website hang?”

Defeating poor port knocking configurations

I was thinking about port knocking the other day (yep, that’s how I roll) and while I consider it to be a valid security layer, it occurred to me that it would be pretty easy to set up a poor implementation of it that was susceptible to being gamed. Here’s how that thought process went.

Caveat: This is a proof of concept and has many points against it which I outline at the end of this post.

For the uninitiated, port knocking is a process whereby some port on a server can be fire-walled off until some pre-determined set of ports are ‘knocked’ on, and then the firewall can be reconfigured to open some other port. A practical example is a server where you need SSH access, but you don’t want to leave the SSH daemon running wide open to the world all the time. You can use a port knocking daemon like knockd, coupled with an IPTables firewall to protect that port. The normal configuration would be to have the SSH daemon running on some arbitrary port and have the firewall dropping connections to that port until a valid set of ports are knocked on, and then the IPTables would be rewritten, usually temporarily, to allow connections to the SSH port.

Continue reading “Defeating poor port knocking configurations”

Fun with Curl

Curl is one of those quintessential *nix tools that adheres beautifully to the “one tool, one task” philosophy. curl exists to give us the ability to issue requests against web servers. As sysadmins we’re usually concerned with how the web server responds to requests rather than how the actual page renders so a CLI tool like curl is quick and easy. It also lets us spoof things like user agents and referers in case we want to see how the web site responds to different browsers or different referers.

Let’s look at this site:

$ curl http://slumpedoverkeyboarddead.com | head

Continue reading “Fun with Curl”

What does brute force SSH hacking look like?

Brute force hacking is the easiest, least effective, and messiest method of all the ways to attempt to gain access to a system. It leaves a really obvious trail, and it’s fairly easy to stop unless you’ve become the target of large organization that really is out to get you.

By definition, brute force hack attempts are simply some variation of just trying to guess a proper username and password combination. I will look at attempts to break in to a Linux box via SSH, but the principals are the same regardless of the attack target.

Continue reading “What does brute force SSH hacking look like?”

Looking for hacking activity in Apache Logs

This is my first post with Ghost and since it contains code snippets and command line goodies I thought it would be a good test for Ghost’s markdown language. Let’s see how it goes.

The sheer number of bad people on the planet mean that there’s a really good chance your website has at least been probed to see if it is a good attack platform. It may also mean that your website has already been compromised and is doing bad things for some other person as we speak. Some people I talk to say things like “well, if I get hacked, I’ll deal with it then”. But that’s dumb. It’s dumb because when someone compromises your website, they’re not going to put a big banner on it letting you know. It may be days, weeks or months before you notice.

Continue reading “Looking for hacking activity in Apache Logs”