Fedora 23 Security Lab card for Raspberry Pi 2

$29.95, shipping in the US $6.45

fedora_infinity_140x140



Note: Shipping rate is valid only in the USA. Contact us for overseas shipping rates.


The choices of OS for Raspberry Pies haven’t been many, especially since the fading of the Pidora distribution. Raspbian has stayed the top choice, among some smaller players, as well as the Debian-based Kali ARM distro.

Kali is a great tool, but learning the basics of security testing with Kali is like going to the shooting range with a bazooka. If you’re not aware of the many (many) interactions, dependencies and moving parts, it can be dangerous.

The people at Fedora both produce an up-to-the-minute ARM kernel for Pi and other ARM computers, and they also sponsor “spins,” which are specially-configured versions of Fedora for a large number of uses – including security testing. You can find some basic information at https://labs.fedoraproject.org/de/security/.

We’ve taken the trouble out of setting up the boot scripts, installing Fedora 23, setting up the Security Lab, VNC Server so you can use VNC remote desktop access, the sshd so you can SSH in immediately, and much more. The 8GB Class 10 card has room for your files and is the highest speed category.

This OS and card are for the Raspberry Pi 2.

How to Set Up Our Raspberry Pi microSD Card

You are about to have so much fun.

We assume you have a Raspberry Pi and know how to put it together. Simply place our Fedora Security Spin (FSS) microSD card into your Pi and power it up.

You’ll be prompted for a user name and password, of course. Your user name is hacker and your password is hack2live. Do not leave this password unchanged! Open a terminal and type:

passwd

and then enter a good, stout password. Twice, to prove you can. Don’t forget it; this is for-real Unix and won’t make things easy for you if your do.

Be sharp about installing updates as they become available; Fedora will let you know about these.

Notes on Fedora on Raspberry Pi

This isn’t an installer. This is a ready-to-go pre-installed FSS environment designed for hacking students and security testers.

Our Pi card ships with VNC Server already set up and running. Once you know the IP address of your Pi (an nmap scan is a nice way) you can use any VNC client and connect on port 5910.

The sshd daemon is running too, so you can ssh to your Pi’s IP address using the default credentials.

The screen saver is disabled for two reasons. First, if your Pi goes into standby, it shuts down the wifi adapter and is notoriously bad at bringing it back up. Second, because you Pi doesn’t have a BIOS/CMOS, it doesn’t know what time it is at boot until it syncs to a time server, so as soon as you log in, the screen saver will lock you out, forcing you to log in again. If the screen saver is important to you the configuration can be set up in the GUI desktop tool.

This installation uses the default Fedora ARM kernel. There are other distros available that use an out-of-tree kernel, usually based on Ada’s work, to enable things like tiny touch screens. Compatibility with some of the testing tools is problematic, my kernel developer tells me, so for the sake of a good hacking experience we’ve stuck to the mainstream kernel. This is cool. As new kernels come out you’ll get them (or refuse the update if you want, but you don’t, usually).

Have you ever imagined of security is needed everywhere?

Security Everywhere

Nowadays, we theoretically call it the age of technology. But then, what is technology? People see computers, websites, networks, programs once you say technology. In fact, the word “technology” touches future more. Computer – it calculates the numerous calculations as rapidly as time passed. Website – used to search information – can be sized as scientists started this for their sake of information exchanges. Networking – for the information exchanges, of course, we need a better method to connect hops, devices and computers. Program – can be interpreted that “procedure”, – designed in advance to process the procedures of what will be followed up after an event, if a consequence of an event would be scored by a specific declaration which event will follow up or else the other event will be started functioning etc.
So, we need to consider, of course, the technology. What were computers, networks, websites and programs created for and why? Of course, we become need to build and use the better solutions, according to the difficulties and necessities of minute-to-minute, with every single eyes closed evolving.
Let’s consider the idea of a computer – A writer grandpa keeps using his old conquest-typewriter asked his grandson min mg mg “are there any different of your computer–you called it— against my typewriter? It apparently looks like, even copied my conquest’s typing-map, doesn’t it?” So what do you think of that, if the grandson was you? I don’t believe you would be answering that “Oh, the difference is my computer is a typewriter, associated with a TV”. Yeah? Just figure of speech. The grandson answered “computers are associated with computing programs. You will never need to calculate in your mind or on a paper then write it down and save the documents in folders and in iron cabinets. And you don’t need to have all day long to look for the documents, you want among the saved documents. You can do the typing and calculating at the same time and you can save these on a computer, this sound like you don’t need any geographical space to save the documents. And if you want to search what you want among your documents, so cool, there are search engine programs. At least, grandpa, you don’t need to replace carbon, occasionally. And the fundamental security process will be designed even on your own, easily, for instance copy data at other storage to cover the lost data. We called it backup.” Now, grandpa starts thinking to use a computer.
But, grandpa has something to be considerate “did you say backup?” he asked to his grandson. “Why backup? The computer – you called it – is not as safe as my iron cabinet?” Whew, min mg mg was facing a hard time.
But he weathered the storm instantly; “Grandpa, that’s about security. Let’s be considerate of iron cabinet – you called it. Even though you locked up your manuscripts in your iron cabinet with a gigantic iron lock, what will you say if your competitor tried to get rid of your iron lock and stole or rubbished your manuscripts by your target date? At this time I dare say that you would be so appreciate to have an idea of if you already have a copy of your manuscripts, while you will be sitting helplessly, hopelessly by your iron cabinet.”
That’s, the environment we are facing every day is the evolving. Every fact of what we want to protect, what we don’t want to lose, what don’t want to start from the beginning again, what we have to value the time passed for these sets the word “security” obviously in our thoughts.
If you believe that the security is not the necessary for yourself or no one wants to find out the weakness of a man like you, you have better be considerate of why every day do you wear clothes, why do you lock your desk’s drawers when you are out of office, why do you lock up your home when you are not at home, why do you wear shoes or slippers while going outside, why are you being under an umbrella in the rain or in the sunray, even if you are hitting a beach, why do you wear sunblock and sunglasses, when black exhaust smoke left behind of a car passed through, why do you block your nose and mouth?
Have you ever been curious of what is your neighborhood’s first thought while he sees your broadcasted wifi-hostpot around him?

How Not to Scam the IT Guy

scamIT

Introduction

My name is Min Mg Mg, I’m studying cyber security. I’m studying by “googling” and the main source of my studying is Hacker Highschool (www.hackerhighschool.org). They are a non-profit organization that helps teens learn hacking as a method to figure out how things work, and to keep from getting scammed online. And for people like us, who can’t afford to pay much to learn technologies, we can learn free lessons there. Video trainings will be available soon and they are even starting ISECOM academy. Let me mention their motto of them and definition for hacking: Their motto is “Hack everything but harm none,” and their definition: “hacking is a method of problem-solving and learning.” And very soon, I’m going to study at the new org that’s being built by HHS’s project manager, called School for Hackers (www.schoolforhackers.org) where tutorials and videos are being developed as well.

One security vulnerability all organizations face is that they have to rely on IT consultants. They can gouge you, or give you a great deal, and it’s hard to know which. In this case, doing some investigation proved the consultant was ripping us off. Instead of a sneaky and exorbitant profit, he got nothing, and our company learned a valuable lesson.

Let’s get our hands dirty

The investigator was good but his eyes popped when he heard the price quote for “what, for point to point wireless installation only costs about US$3000?” he asked. Then, “what’s the distance, what are the devices they used and is there some blockage between the points?”

“The distance is 5.6 km by car, but it is only about 4 km as the crow flies. I don’t know the devices used exactly” someone answered. Our investigator decided to get his hands dirty based on experience with his previous company. He made an immediate call to the secretary of the ABC company. (Obviously the names are changed.) She’s already a friend, which makes her a pore, or a place where a trust is being given. Because she trusts our investigator, she’s not trustworthy to her employer when he uses social engineering.

Conversations

Investigator: Hello, Ms. Secretary, it has been so long. And is everyone good?

Secretary: Of course, everyone is doing well. And you and what are you doing there?

Investigator: I’m well too, and now I’m getting busy to find some providers to set up a point to point wireless connection but the lines are busy and I can’t get this done. And my boss is breathing down my neck. I’ve heard that at your company the wireless connection was installed recently. Could you help me with some information on this? I need to get my boss some kind of numbers or I’m in trouble.

Secretary: Of course, I could give you a hand but don’t quote me. I’ll send you an email with the price list our IT Manager applied for approval.

Investigator: Oh thank goodness!

Very soon after the conversation, the price list and the device information were sent from secretary@abc.com, and the investigator looked at them and seemed puzzled. “Umm, all of these devices are for point to point connection?” And the letter head seemed sketchy, less than professional.

Y Company
Att: IT Manager (ABC Company)
Subject: point to point wireless installation cost

# Item # Description Qty per Item Total
1 AM-5G20-90 4.9-5.9GHz airMAX Base Station, 1 850 850
Cisco Air 20dBi, 90 deg w/ rocket kit
2 ROCKETM5 5GHz Rocket MIMO, airMAX 1 350 350
3 PBM5 5GHz PowerBridge MIMO, airMAX 1 650 650
4 TC-Carrier TOUGH Cable, Level 2 1 100 100
6 IL-SRV2 Complete Setup Installation 1 1000 1000
TOTAL US$ 2950

“This lesser looks like a bad photocopy after someone modified the contents. And, the number one AM-5G20-90 at the top of the list is surely a Ubiquiti model but what actually is a Cisco Air ? And why is this size TC-Carrier being used? That’s so interesting.” And he decided to call the supplier company and try to know something real.

Investigation followed by social engineering

Investigator: Hello, is this Y Company?

Y Company: Yes, May I help you?

Investigator: I’m the consultant at the IT section of the ABC Company. Recently our company purchased a wireless service from your company. Now, I have to ask a favor, could you email me a copy of the receipt for the point to point service? Send it to our manager’s mail and I’ll bring it up at our budget meeting with the director. I just asked the favor because our IT Manager is travelling and we couldn’t contact him yet. Would that be ok?

Y Company: We’ll contact you back after the confirmation with our sales manager, sir.

Investigator:Iif I may, I’ll hang on the line because all including our director is waiting in the meeting room and I’m getting to a dead end. Or, just tell me the total amount of the cost, please?

Y Company: Hang on a moment, I’ll inform him and put you through.

Sales Manager at Y Company: We can help you with this, sir. The total amount of the cost was US$1601. But I’ll only send the softcopy of it to the address of your management’s email.

Investigator: You are so kind, our management’s email address is secretary@abc.com and it goes directly to director office.

While investigator was sitting at his computer with a cup of coffee, the secretary of ABC Company gave a ring. And “I’m calling you because now I just have received an email from the Y Company. They sent it to us but the subject says your name: per Mr. Investigator’s request,” she said.

“Yes, I asked them to send it to the secretary of ABC Company. That’s the real receipt of the real cost from Y Company so that you can confirm the price,” Investigator said.

The real weakness of the Mr. Scammer was: his deception required victims who were less technologically aware than he was..

So, let’s take a look at the real price list of the Y Company:

Y Company
Att: IT Manager (abc company)
Subject: point to point wireless installation cost
# Item # Description Qty per Item Total
1 AM-5G20-90 4.9-5.9GHz airMAX Base Station, 1 164 164
20dBi, 90 deg w/ rocket kit
2 ROCKETM5 5GHz Rocket MIMO, airMAX 1 98 98
3 PBM5 5GHz PowerBridge MIMO, airMAX 1 297 297
4 TC-Carrier TOUGH Cable, Level 2 70 M 0.6 42
6 IL-SRV2 Complete Setup Installation 1 1000 1000
TOTAL US$1601

We will close a curtain on the scene that followed.

We all have been scammed in areas we don’t understand, both with and without our knowledge. But there will be someone who can help us, frequently we think. Sometime, even the very one who is trustworthy to us might scam us. Let’s assume ourselves as the closest enemy of our own according to the one of the speeches of General Aung San; “get rid of the closest enemy, the first question we should ask ourselves is ‘Is it possible?’ And firstly we have better get rid of credulousness. And think about an insider. In this case, even if he’s a company’s IT staff why he was too bold to scam that amount? Does our management team need to be educated in technology related issues, or were some of them partners of the Mr. Scammer?

A company that’s using a lot of technology is like a house with many windows and entrances. Securing only some of the windows and doors doesn’t secure the house. That’s why we deeply need to engage an ethical hacker, and design tight computer and network security policies. Social Engineering can be called psychological manipulation, in short, a legitimate lie, but yelling “Fire!” in a crowded movie theater is unlawful. The issues here are not simple, and some experience and training is mandatory. That means we need to bring up more young security professionals, which is exactly what we are working to do at Hacker Highschool and School for Hackers.

Written By

Htet Aung @ Starry Sky
Translator at Hacker Highschool
Security Professional and IT Officer

Hacking to Live

Gosper's Glider Gun

Hackers are clever techies.

The word “hacker” actually has nothing to do with crime: a brilliant engineer would hack out a smart solution to the problem at hand, and consider it a compliment to be called a hacker. There’s a whole culture built on this idea: see https://en.wikipedia.org/wiki/Hacker_culture.

We are a community dedicated to learning and teaching. We don’t think knowledge should be deep, dark and secret – far from it. Everyone with the interest should be free to pursue hacking. Sure, if you want to, you can learn Linux and bash and networking. But you don’t have to do all those things, or any of those things, to be a hacker.

Consider how we do higher education: you are expected to take out loans and spend years living in poverty to get a college degree that may not fit anything in the job market, or even worse, might be passed by while you’re getting it. Who makes money on this arrangement? Hint: It is not designed for your benefit. You can be a brilliant hacker by learning skills that give you power – power because you are in demand. Hack the whole system by getting someone else to pay for your education!

We don’t restrict our discussion of hacking to just Linux, programming and networking, though we do talk about those things a lot. Feel welcome to bring us food hacks, lifestyle hacks, hacks of any and every system. Because that’s what we do: hack it to learn it, and hack it to teach it.