I feel like this may break the rule about not interrupting her daily life.
Since the other easy password documented in the article wasn't her current one, it is at least possible that she had chosen a more difficult password as her current one. Downgrading from her current password back to the old easy one makes her vulnerable to other attackers, especially if she did not quickly reset it to something other than qwerty1.
If it sounds like I'm nitpicking, just imagine that the game was "try to hack my old bitcoin and send it around and back." The moment the hacker sends to the "qwerty1" address it's going to get immediately eaten by some automated script by one of a thousand other hackers.
Sweet hesus, installing a keylogger on your own system to steal passwords from friends who are trying to help you?
And the content doesn't show any awareness of the issue. Perhaps it'd be more clear to that poster if one of those friends would've used the keyboard access to type "format c:<enter>".
We'd do similar tricks but only between a small group who all knew what they'd signed up for. It definitely helped to make you more aware of people trying to get into your accounts. To the point where someone would have to add a long list of disclaimers on sending an innocent link to their holiday pictures if they expected you to view them. And there are still some people who can't get me to click any link they send me (fool me once, etc).
Even so to do it to unsuspecting people isn't nice at all and essentially a breach of trust, especially using a keylogger. Even today I'm not going to use someone else's device to do anything requiring a login so some of the paranoia lingers, but leave your device out of sight for long enough and it might as well be somebody else's.
Samy's little tools always impress me, he gets a ton of mileage out of this stuff and it is a really good warning to read his posts every now and then to get an idea of what a talented individual can achieve.
I don't see any mention of keylogging in the blog post, did I miss it? Or might you be referring to a comment on another HN submission of the same post? https://news.ycombinator.com/item?id=14921120
Perhaps in the world where you (the red-teamer) set up their phone and/or laptop as an unencrypted/open wifi hotspot access point and then follow them (the blue-teamer) to their favorite coffee spot / burger bar / etc?
If I recall correctly even current phones will connect to open wi-fi spots preferentially and/or automatically. Bingo, job MITM done! Bonus points for having a tool on the red-teamer's laptop that can send wi-fi de-auth packets :)
That would be the first thing I would look into to see if it is still do-able today if the problem was 'hmmmmm. Given the parameters, how could I MITM the blue-teamer?'
I'm sure that others can come up with even wilder ideas involving can-tennas or bird-dogging the blue-teamer into an elevator with a 'running useful and interesting stuff' laptop in a backpack and waiting for the blue-teamer's cell phone to start reaching out desperately for a way to remain connected (cell tower, wifi, 2G cell signal etc), either of which might work.
With HTTPS a lot of this doesn't work anymore. You generally need to install a MITM certificate on the target device so that it doesn't say "HEY EVERY WEBSITE YOU VISIT HAS A CERTIFICATE ISSUE!" and fail to load unless you find an esoteric button/link/series of clicks that lets you load the insecure page.
You can capture netntlm hashes if you control the network, but you’d still have to crack them. HSTS and secure cookie flags help a lot with sslstrip type attacks though.
Presumably part of the challenge was to do it without using already known information, as he probably already had her email and phone number but still looked for them.
I just typed catb.org (random website I know only serves HTTP) into Chrome's address bar and it landed me on the HTTP version, no warnings or anything. I assume Firefox works the same, but I can't be bothered to disable HTTPS-only mode.
sslstrip will still work today on any website that doesn't use HSTS. It will work for the first ever visit (by that browser) of a website that uses HSTS if they aren't on the preload list. A surprising number of websites have neither.
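The three cases the comment above distinguishes (no HSTS, HSTS without preload, preloaded) can be checked from a site's Strict-Transport-Security header. This is an added example, not code from any commenter; the preload list membership and the sample header values are constructed stand-ins, and the preload requirements (max-age of at least one year, includeSubDomains, preload) are those published by hstspreload.org.

```python
import re
from typing import Optional

# hstspreload.org submission requirements: max-age >= 1 year (31536000 s),
# plus the includeSubDomains and preload directives.
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed stand-in for the browser's built-in preload list (assumption).
PRELOADED_HOSTS = {"preloaded.example"}


def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Parse a Strict-Transport-Security value; None if absent or invalid."""
    if header is None:
        return None
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            # RFC 6797 allows the value to be quoted; it must be digits.
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if not m:
                return None
            result["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return None  # max-age is mandatory (RFC 6797); header is ignored
    return result


def strip_exposure(host: str, header: Optional[str]) -> str:
    """Classify exposure to an sslstrip-style downgrade of a plain-HTTP visit."""
    if host in PRELOADED_HOSTS:
        return "protected-always"          # browser never sends HTTP
    hsts = parse_hsts(header)
    if hsts is None or hsts["max_age"] == 0:
        return "strippable-always"         # no pin is ever stored
    return "strippable-first-visit"        # pinned only after one clean HTTPS visit


def preload_eligible(header: Optional[str]) -> bool:
    """True if the header meets the preload-list submission requirements."""
    h = parse_hsts(header)
    return bool(h and h["max_age"] >= PRELOAD_MIN_MAX_AGE
                and h["include_subdomains"] and h["preload"])
```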
That's assuming the average internet user types a url into their address bar instead of using their browser's "new tab page" with recent sites (all probably HTTPS) and finding non-history pages through a search engine that will be HTTPS by default and point mostly to HTTPS endpoints.
So yes, you can catch a subset of users who type new urls into their address bar, but that's a minority of people a minority of the time.
No. Always remember that just by being on this website you are likely to be in the top 5% for computer literacy and ability. 2FA is non-existent to the general population barring systems that enforce it.
Passwords feel more like extra usernames these days with 2FA.
Why bother changing them when hashes will be leaked immediately by the incompetent idiots at <insert this week's big company that had data stolen yet again>.
I don't think those work with today's code generators, since nothing is ever sent to the user. SMS and other types of 2FA should hopefully be obsolete soon.
Ha, not if they won't let you make an account without one in the first place. Looking at you, OpenAI asshats.
The only ones I've seen still use SMS confirmation are banks, not so much because of advertising because they already have just about every shred of info that's possible to get about you without sequencing your DNA, but because they're too cheap to overhaul their systems.
No. You have clearly an infinite battery on your phone, money on your account, guaranteed world-wide service, absence of thieves, monkeys and gravity. And travels. And trains, toilets, ... hammers? Nothing can go wrong with your phone, right?
Skipping through kilobytes of humor, a voice starts speaking in my head. Imperial voice. From TES Oblivion: "That's... a bit excessive, don't you think?"
Ok, I HAVE to add. The whole story revolves around a really bad password. Yet, the takeaway is "GO FOR 2FA", which is utter bullshit. Strong unique passwords (and a good password manager, if you can't remember) will suffice and won't lock you away if you ever lose your cell service.