Hak5 910 – OpenWRT and WiFi Pineapple mods, Gmail 2-step verification, zScreen screencaptures, Image burning and MD5 hashes
This time on the show, the Gmail 2-step verification, the easiest screen shot utility in the world, Image burning, MD5 integrity verification and the auto-rickrolling pineapple of doom!
Sony and George Hotz have called a truce. Settling outside court famed PS3 hacker GeoHot agreed not to be “engaging in any unauthorized access to any SONY PRODUCT under the law” etc… Following the settlement Hotz donated $10k to the Electronic Frontier Foundation, money left over from his donated legal defense fund.
Skype made a boo-boo. Android Police found this little vulnerability in the Skype app for Android, where it seems that the SQLite3 databases where all your chat logs and info is stored was never protected. Skype forgot to encrypt the databases. That means a rogue app could potentially steal data out of your Skype app and send it back to the bad guy. Android Police created this app called Skypwned just to show how the breached can effect you. Oops!
Revealed at the Where 2.0 conference this week, security researchers published details on how iPhones and 3G iPads have been periodically logging your location. Since iOS 4.0 the file consolidated.db has been storing timestamps with latitude-longitude coordinates. The researchers published an open source tool, dubbed iPhone Tracker, which maps your devices stored locations.
Looks like Skype isn’t the only one with trouble brewing. WordPress.com’s servers were hacked pretty deep, root-access level deep. They say a bunch of customer’s source codes were accessible, so they’re having the vulnerable site change their passwords and API’s. The breach was on Automattic.com’s servers to be exact, the software company behind the WordPress platform. Obviously, a lot of information was viewable, but hopefully all the customer’s have already fixed any problems on their sites.
Mad Scientists Photonicinduction bring happyness to the world with a video demonstrating how to erase the data off a CD by spinning between it between two high voltage transformers.
Want to capture print screens and share them, but don’t want to go through the hassle of saving, uploading, and all that jazz? Try zScreen.
zScreen will automatically capture screenshots, text, or files from your computer clipboard and upload them to a destination of your choice, as well as have the link to it automatically copied to your computer when it’s completed.
Simply download zScreen from code.google.com and install. Once installed, choose your destination for images, files, and text, and the type of URL shortener you would like to use. Under destinations, you can authenticate and authorize zScreen to upload to your FTP, ImageShack, Flickr, even Twitter page, and tons of others. For myself, I’m going to upload to my Flickr page. zScreen uses OAuth, so all it requires is your username, not your password. It’ll authenticate through your Flickr site. You can even choose settings such as what window you want the print screen to copy, you can add a watermark, and tons of other options. Once you’ve gotten your settings squared away, hit your favorite HotKey and watch as your image gets uploaded to your account automatically.
So I hit PrtSc, and my full size image gets uploaded to my Flickr just like that. After it’s uploaded I can easily copy the image link from my clipboard. The link is also saved in zScreen.
It’s a great time saver, and perfect for easily taking notes on your screen and sharing them with others. Thanks to Patrick F for sending this in to us. Do you have a time saver or something cool to share? Email [email protected] and we’ll share them.
OpenWRT / WiFi Pineapple mod: Auto-Rickroll
“John Bebo’s Auto-Rickroll payload for the WiFi Pineapple is an excellent example of using Dnsmasq to forward targets to a hosted site. While this site could be malicious, perhaps hosing the Browser Exploitation Framework, Bebo’s payload is a safe and simple prank. Any web site a victim attempts to browse to brings them to a WiFi Pineapple hosted page containing Rick Astley ASCII Art and looping audio. It uses a similar technique employed by Captive Portals â€“ something we’ll explore in more detail soon â€“ except a lot more annoying.
Thanks to great documentation from Bebo and Hak5 forum member Psychosis setting up your own Auto-rickrolling WiFi Pineapple is super simple. In fact, this will work on just about any OpenWRT based wireless access point â€“ but we’ll be focusing on the WiFi Pineapple specifically for its Jasager abilities.
Follow the step-by-step article with pictures and video at hak5.wpengine.com/hack/auto-rickrolling-wifi-pineapple
scp * pineapple
mv *. /etc/config
mv * /www/
echo address=/#/192.168.1.1 > /etc/dnsmasq.conf
add to start()
wlanconfig ath0 create wlandev wifi0 wlanmode master 2>&1 > /dev/null
iwpriv ath0 karma 1
brctl addif br-lan ath0
ifconfig eth0 up
#comment out iptables
Our last trivia question was: What is the name of this prominent computer club that was founded in Berlin in 1981? And the answer was: Chaos Computer Club
This week’s trivia question is: What is the name of this virus, considered the first known use of polymorphic code?
Answer at hak5.wpengine.com/trivia for a chance to win some swag!
2 Step Verification in Gmail
Although I know all of you out there protect your online accounts like crazy, there is always a way to get more protection. Maybe you don’t like using an encryption program or you use the same password for all of your sites. Although this is really bad, I think all of us have done that once or twice in the past. So perhaps you want to try something new.
I just discovered Gmail 2 Step Verification process for my google mail account. I’ve been a little paranoid lately with all the cyber attacks going on, so I decided to up my security, especially because my email is the one site I really don’t want hacked.
2 Step Verification can help prevent unauthorized access that someone might have with just a stolen password. Now, when I sign in to gmail, I’ll not only need my password, but also a code that generates on my phone.
You might be thinking, ‘Well, what if your phone gets stolen?’. I set up a passcode on my phone, a series of random numbers that only I remember, and I set it so if I try brute forcing the passcode, after 10 wrong codes, it’ll wipe my phone.
Back to Gmail. When setting this up, first you’ll need your phone. If you won’t have a secure phone nearby when you sign in to Gmail, perhaps this isn’t the tool for you.
Click on “”Set Up 2 Step Verification”” and choose your phone. Androids, Blackberries, and Iphones have a special Google Authenticator app that will generate your random codes.
The first time you open the app, it’ll ask you to scan a QR code with your phone’s camera. This QR code generates your first series of random digits, and it ties you, the phone holder, to your gmail account. If you don’t have a usable camera or can’t read the QR code, choose to create a time-based key instead, and type your secret key into your phone.
Click next after taking your photo and verify your generated code. Gmail will then ask you to set up a backup in case your phone is lost or stolen. Next you will need a printer or a safe place to save your backup codes. I had a printer installed so I printed my backup codes. Each of these codes will let you sign in once to your gmail.
After printed, click next and choose a backup phone. This can be a home phone, a spouses phone, etc. Type in the phone number and you can then test it if you want. I set up my personal number to my home phone, and when I tested it, it called me and left me a message with a new generated code. When you hit next, confirm your account, and turn on 2 Step Verification.
When you first log in, you’ll type in your account name, password, then your verification code off your phone. You can also choose if you want the code remembered for 30 days or if you want it to ask you for a new code every time you log in.
You’ll notice after you turn on 2 Step Verification that all your devices tied to your gmail account are logged out. Things like gmail for iphone, the mail app, etc, don’t have a place to type in a verification code. To help your security, you’ll need to set up application specific passwords. To do this, under the 2 Step Verification main page, choose application specific passwords.
Choose a name of your device, for example, mine will be “”Shannon’s Iphone””. Click next and you’ll see a series of letters and numbers that you’ll have to type in to your Iphone. So I type in my username, and under the password box I type in this generated password and click next. I only have to do this one time, ever. So I won’t need to memorize this code.
But what happens if someone gets ahold of Shannon’s Iphone? Luckily, under the code, you can see my Iphone. If I choose ‘Revoke’, all access to my mail will be logged out on my Iphone until I authorize it again.
If at any time I need new printed codes, or I need to change my phones, I can go under account settings, 2 Step Verification and edit anything I need. I can even turn off 2 Step Verification if needed.
I LOVE 2 Step Verification. It makes me feel a lot more secure about my mail and personal information. Questions? Comments? Have another program for me? Email [email protected].
Emails: CD Burning and nomnomfish
Max S writes: I have been watching your show since season 6. Since then you mentioned a program named Konboot few times.
I was curious and tried getting it. But I have a problem, I successfully download it, and extract it using winrar but when I burn it to a blank CD it doesnâ€™t work.
Am I missing something or does konboot not function anymore?
Keep up with the latest on Hak5 by follow us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally if you’d like to suggest a topic
for ask a question feel free to hit up [email protected].