security wifi_pineapple, network

One of the online shows I enjoy is Hak5.org’s podcast (http://hak5.org). Hak5 also manufactures tools for penetration testers. WiFi Pineapple (https://wifipineapple.com/) is one of the devices they manufacture. It is a “hotspot honeypot” and its most powerful feature is something called a Karma attack.

What is Karma Attack?

Simply put, our wireless devices keep sending out probe requests, searching for the networks they “know” so they can re-associate. Normally all APs that do not have the SSID being probed for simply ignore these packets. But not WiFi Pineapple! It runs a modified firmware and replies to all probe requests, claiming that it is the network our device is looking for. The modified firmware is called Jasager (yes-man in German), which explains a lot I think.

Build or Buy One

Base WiFi Pineapple costs $99. You can buy one from here: http://hakshop.myshopify.com/collections/gadgets/products/wifi-pineapple

Wi-Fi Pineapple

If you like getting your hands dirty to dig deeper, you can build one on your own. The firmware is a free download. The router inside WiFi Pineapple is an Alfa AP121U, which costs around £40, or you can go with the bare board, which costs around £20 (here on Amazon). You also need to flash it via serial port, for which you need a USB TTL cable (here on Amazon). They have a great step-by-step tutorial (see References down below). After following the instructions you can have your own homemade WiFi Pineapple within 20 minutes.

So what is the risk?

If you have a habit of using unsecured wireless networks then you are at risk. As most devices by default try to connect to previously used networks automatically, there is a chance of connecting to the attacker’s AP, as it pretends to be the old friendly network you used to connect to. The good news is that the Pineapple doesn’t support the Karma attack for protected networks. So if you manage to stay away from open networks then you are off the hook. But it still doesn’t hurt to be careful and watch closely where you are connecting.
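From the defender's side, the yes-man behaviour described above is itself a detection signal: one BSSID answering probe requests for many unrelated SSIDs. The sketch below is an added example, not code from Hak5 or this post. The frame tuples are constructed sample data, and the canary SSID (a random name your own sensor probes for and no real network uses) and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample: (frame type, source BSSID, SSID) tuples, as a
# monitor-mode capture might yield after parsing. No real networks.
SAMPLE_FRAMES = [
    ("probe_resp", "00:11:22:33:44:55", "HomeNet"),
    ("beacon",     "00:11:22:33:44:55", "HomeNet"),
    ("probe_resp", "66:77:88:99:aa:bb", "CoffeeShop-Free"),
    ("probe_resp", "66:77:88:99:aa:bb", "Airport_WiFi"),
    ("probe_resp", "66:77:88:99:aa:bb", "HotelGuest"),
    ("probe_resp", "66:77:88:99:aa:bb", "canary-7f3a9c1e"),
    ("probe_resp", "cc:dd:ee:ff:00:11", "Office"),
    ("probe_resp", "cc:dd:ee:ff:00:11", "Office-Guest"),
]


def find_yes_man_aps(frames, canary_ssids=(), max_ssids=2):
    """Return {bssid: [reasons]} for APs that answer like a Karma responder.

    An AP is flagged if it sent a probe response for a canary SSID, or if
    it answered for more than `max_ssids` distinct SSIDs (hypothetical
    threshold; tune it for sites where one radio serves several SSIDs).
    """
    answered = defaultdict(set)
    for frame_type, bssid, ssid in frames:
        # Only probe responses count; beacons just advertise the AP's own SSID.
        if frame_type == "probe_resp" and ssid:
            answered[bssid.lower()].add(ssid)

    canaries = set(canary_ssids)
    findings = {}
    for bssid, ssids in answered.items():
        reasons = []
        hit = sorted(ssids & canaries)
        if hit:
            reasons.append("answered canary SSID " + ", ".join(hit))
        if len(ssids) > max_ssids:
            reasons.append(f"answered for {len(ssids)} distinct SSIDs")
        if reasons:
            findings[bssid] = reasons
    return findings


if __name__ == "__main__":
    for ap, why in find_yes_man_aps(SAMPLE_FRAMES, ["canary-7f3a9c1e"]).items():
        print(ap, "->", "; ".join(why))
```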

Resources

sysops cloud_computing, system_administration, owncloud

Evernote has been recently hacked. Dropbox has been hacked many times. Who knows what’s going on in the other services we are using. So I decided to phase out my cloud service providers and create my own cloud. There are a bunch of ways of running this tool. For instance, you can just download a VM image with everything installed. I decided to start from scratch and perform a manual installation on a new Ubuntu server. It’s very easy. First we need to install dependencies:

apt-get install apache2 php5 php5-gd php-xml-parser php5-intl
apt-get install php5-sqlite php5-mysql smbclient curl libcurl3 php5-curl

Then extract the downloaded compressed file:

tar -xjf path/to/downloaded/owncloud-x.x.x.tar.bz2
cp -r owncloud /path/to/your/webserver

Set the directory permissions:

chown -R www-data:www-data /path/to/your/owncloud/

Enable .htaccess by setting AllowOverride to “All” for the /var/www directory in the Apache config, which is in /etc/apache2/sites-enabled/000-default on Ubuntu. Finally enable mod_rewrite and mod_headers:

a2enmod rewrite
a2enmod headers
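A way to confirm the AllowOverride step took effect, as an added example that is not from the ownCloud manual or this post. ownCloud relies on the .htaccess files it ships (for instance to deny web access to its data directory), so any value other than All leaves those rules ignored. The sample vhost text is constructed and the function names are hypothetical; the parser only reads plain `<Directory>` blocks in one file and does not follow Include directives.

```python
import re

# Constructed sample in the style of /etc/apache2/sites-enabled/000-default.
SAMPLE_VHOST = """\
<VirtualHost *:80>
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
"""
# The same file after the edit described above (only the last block changes).
FIXED_VHOST = "AllowOverride All".join(SAMPLE_VHOST.rsplit("AllowOverride None", 1))


def allow_override(config_text, directory="/var/www"):
    """Return the AllowOverride value set for `directory`, or None if unset."""
    want = directory.rstrip("/") or "/"
    current, value = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if opened:
            current = opened.group(1).rstrip("/") or "/"
        elif re.match(r"</Directory\s*>$", line, re.I):
            current = None
        elif current == want:
            directive = re.match(r"AllowOverride\s+(.+)$", line, re.I)
            if directive:
                value = directive.group(1).strip()  # last one wins
    return value


def htaccess_honoured(config_text, directory="/var/www"):
    """True only when .htaccess files under `directory` are fully applied."""
    value = allow_override(config_text, directory)
    return value is not None and value.lower() == "all"
```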

I got these instructions from the Admin Manual, which can be found here: ownCloud Admin Manual. It’s quite straightforward. Then all we have to do is navigate to the login page, create an admin account and start uploading files:

Own Cloud

My favourite features are:

  • Ability to share password protected links with specific users
  • Ability to set expiry date to shared files
  • Ability to sync multiple local folders (it doesn’t have to mimic the directory structure of the server; you can select and map separate folders)
  • Supports plugins. A simple note-taking plugin is quite helpful for taking and syncing notes. I also installed the YubiAuth plugin, which supposedly enables using my Yubikey with it, but I couldn’t make it work yet.

My only negative observation is that the SMTP settings didn’t work. When I tried to send someone a link to a shared file I got a bizarre error. On their forums I saw other people having similar problems. To me it’s not a crucial issue (as a single user, who am I going to mail anyway) but for an organization it may quickly become an annoying issue.

devhobby neurosky, mindwave

To me a technology that enables you to collect data about your brain activity sounds fascinating. It always felt like Sci-Fi and unreachable. So when I heard about the affordable MindWave I immediately ordered it.

MindWave Mobile

This gizmo is manufactured by a company called NeuroSky, which focuses on brainwave technologies. I bought the MindWave Mobile version as it supports mobile devices, which increases the possibilities of creating something cool. The best thing about it is that it comes with an SDK and you can develop your own applications on the platform. To get more info about the SDK visit http://developer.neurosky.com. They even have an app store where you can sell your applications. But the developer program costs $1500 so I don’t think I will sign up for that for quite a while.

How does it work

The gadget communicates via Bluetooth. It supports lots of platforms and comes with an API ported to different languages. I preferred .NET and it worked without any problems. The real power of the device comes from the ThinkGear chipset. The API lets the developer get results from the ThinkGear chipset. When you install the software bundled with the device, it installs the ThinkGear connector and a bunch of games. The first thing to do is pair the headset with your PC or iOS/Android device. Frankly, I didn’t quite like the applications that come with it. But it is not that important. After all I bought this thing to write my own programs against it.

NeuroSky

The tutorial application, on the other hand, is very useful for testing the device and connection status.

Developing with MindWave

The starting point is definitely here: http://developer.neurosky.com/

The site steers the user very well so that you can select your goals and start developing right away. The API is quite easy to use. After you connect, you start receiving values from the sensor. In the .NET wrapper the values are encapsulated in a class called ThinkGearState, which looks like this (I got this from its metadata):

public class ThinkGearState
{
    public float Alpha1;
    public float Alpha2;
    public float Attention;
    public float Battery;
    public float Beta1;
    public float Beta2;
    public float BlinkStrength;
    public float Delta;
    public bool Error;
    public float Gamma1;
    public float Gamma2;
    public float Meditation;
    public int PacketsRead;
    public float PoorSignal;
    public float Raw;
    public float Theta;
    public int Version;

    public ThinkGearState();

    public override string ToString();
}

The key fields for me are Attention and Meditation. BlinkStrength is also interesting. If you blink intentionally and strongly, the value wanders around 150 – 200. For normal blinks that we do quite often, it is around 50 – 60. So it is easy to differentiate if someone blinks. I wondered if this could be used as a communication method for Hector Salamanca in Breaking Bad. Instead of ringing a bell he could just blink. Admittedly it wouldn’t provide any extra functionality but it would look much cooler.

Breaking Bad Hector Salamanca

I don’t know how the Attention and Meditation values are calculated. The device also returns values for the various brain waves such as alpha, beta, theta, gamma and delta. I had no clue what these meant so here’s what I’ve learned from here and here.

  • Alpha: Increases in the state of physical and mental relaxation
  • Beta: Increases when we are consciously alert, or we feel agitated, tense, afraid
  • Theta: Shows the state of reduced consciousness
  • Delta: Increases when there is unconsciousness, deep sleep or catalepsy
  • Gamma: These waves are associated with peak concentration and extremely high levels of cognitive functioning

I don’t know why Alpha, Beta and Gamma waves return 2 values whereas Delta and Theta have only 1. As my knowledge on this subject is almost zero, I’ll just concentrate on the already-calculated Attention and Meditation values. I’ll try to develop a project using this gizmo and post it when it is ready. I think it is a very cool thing to have the ability to measure brain waves and write programs using those values. I guess the only problem for me is that I already constantly wear a wireless headset so it’s a bit hard to have them both on my head!

Resources