Don’t like Dropbox? We’ve got a cross-platform alternative. How does Google Maps find your location without GPS? And can it be spoofed? Random password scripts, bash tips and more this time on Hak5!
Spoofing the W3C Geolocation API
Google Maps “Show My Location” feature uses the W3C Geolocation API.
It’s an application programming interface designed by the World Wide Web Consortium as a standard for retrieving a client’s geographical location. The client will gather geographic information by IP address, WiFi access points, GSM and CDMA cells and GPS. The accuracy depends on the data available. If only IP address is known you’ll likely only narrow the location down to your town. If WiFi data is available you’re more likely to get within a block. GPS should be pretty spot on.
The API has been implemented in modern browsers; Firefox since version 3.5, Opera since 10.6, Internet Explorer since 9 and of course Google Chrome.
Determining a location based on wireless access points is done by referencing a database of known wifi base stations and their characteristics, such as the unique BSSID or MAC address. The technique of collecting these databases is called War Driving and I’m sure you’re familiar with it. Our favorite tools for the job are NetStumbler for Windows, Kismet on Linux and Kismac on OSX.
On such company that collects and maintains WiFi station location databases is Skyhook. They provided the location information for the iPhone until iOS version 3.2, at which point Apple started using their own database.
Another database maintainer is Google, who formerly collected locations from Street View cars and currently using anonymous data captured by Android devices. The former is an opt-in feature of the Android OS.
Of course Skyhook, Apple and Google’s databases are for the most part proprietary. There is however an open database. Wigle.net maintains a huge map and database of wireless access points and cell stations submitted by community members wardrive findings.
With all of this in mind, today we’re attempting to spoof our location with faked access point information using a Faraday Cage and an MDK3 beacon flood.
SpiderOak, is it better than Dropbox?
Are you sick of using lame backup and recovery programs that cost way too much? Perhaps you’re just not a fan of the new terms of service with Dropbox? Well, I found one that might float your boat! SpiderOak is a tool made specifically for backing up, syncing, and recovering your files through Windows, Mac, and Linux. SpiderOak was made by geeks for geeks, especially for the hacker minded. It’s more customizable, storage is cheaper, and the privacy is much better than certain backup programs out there because they take a “”zero knowledge”" approach to all data. With that said, though, you’re screwed if you forget your password!
There are a lot of features to be had:
Storage Redundancy Savings- SpiderOak will detect redundant copies of the same file and the extra copies wont take up any extra space. For example, if you have the same song uploaded to SpiderOak from your home computer and your work computer, the second one won’t take any space.
Multi platform synchronization lets you sync files and data from several different types of computers and mobile devices.
It’ll save historical file versions, just in case you save over something important.
In place of FTP to share and upload files for family and friends, SpiderOak lets you make anything you want public, and you can create a ShareRoom to be accessed via a web URL.
You can retrieve files from any device that’s connected to the internets.
And my favorite, the comprehensive zero knowledge data encryption. Most online storage systems only encrypt your data during transmission, meaning anyone with physical access to the servers your data is stored on (such as the company’s staff) could have access to it. Or, even if your data is encrypted during storage, your password (or set of encryption keys) is often stored along with your data, thus making its easily decoded by anyone with local access to those servers. With SpiderOak, you create a password on you rPC, not a web form. The password is entrypted so even physical access does nothing. This is why if you lost your password, you’re screwed.
Now, pricing isn’t too bad. It’s less than other backup programs out there! 2 GB are free, or you can get 100 GB for $10 a month which increases per every 100 GB thereafter.
On to playing with the program! So there are several versions, including a 64 bit one. Just download the one that corresponds to your computer from the SpiderOak website. ”
I’m going to be playing with SpiderOak in this Ubuntu VM just to see how it works in Linux. I am going to download the 32bit version for Ubuntu and go through the installation process. So, as you can see, the installation process is plain and simple. Just follow the on screen instructions. You’ll find SpiderOak under Applications–>Internet folder. When you first open it, you’ll need to hop over to the website and create a new account. You’ll enter your username and verification code (which gets emailed to you) into the program. Then, from the program, you can create a password.
If you’ve already created your account you can choose Existing User and just enter your UN and PW. It may take a few seconds to completely let you log in because during this process your information is being decrypted.
Next you’ll be able to install a new device (which means you’ll name it, like mine is called Linux VM).
When you first log in, you’ll get this nice listing that basically divides all of your files into categories. I prefer advanced mode, so I can choose exactly what I want to back up… My photo can be found on the desktop, so I’ll choose it, then click save. Now, if I go to status I can watch the progress of the back up. Under the view tab, you can view all youre backups as well as view ongoing downloads with the downloads manager tool. The Sync tab will let you synchronize filetypes of your choice across various folders. This would be a good thing to use if you have a photo folder on your Linux computer and your Windows machine, and want to sync up both of the folderes to match so you don’t have to go from one comp to the other.
Last is the share option. First create a name for your new share folder. Then choose ‘New’ to create the Shared link. Go through the on screen instruction and you’ll see a link to the left side. This can be emailed, copied, and forwarded to other recipiants.
So you can tell that SpiderOak is generally a very easy to use program but it’s still packed with all the goodies that you’d need when uploading and syncing files.
Faraday Cages and Wireless Cards!
If you’re not familiar with a Faraday Cage it’s basically a metal or mesh box that blocks, among other things, radio waves. It was invented back in the 1836 by the English scientist Michael Faraday.
My little faraday cage here is built from an IKEA picture frame and before we get any further: Stand Down HAM Radio Operators!
MDK3 is a tool that exploits weaknesses in 802.11 protocols. It was created by ASPj with the help of the aircrack-ng team and libraries. MDK3 can be found at Pedro Larig’s homepage and is built in to the latest version of BackTrack from backtrack-linux.org
Using the MDK3 beacon flood attack mode and information gathered from the Wigle.net database for the old HakHouse in Williamsburg, VA we’ll attempt to spoof our location.
If you’re into Hak5 you’ll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!
Whether you’re a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more
And let’s not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at firstname.lastname@example.org.
Being in IT and not using the right tools to get the best results for your clients Ã± Is like a surgeon not using the best, most reliable medical equipmentÃ–How can you expect your clients to work with you?
ThatÃs why I use GoToAssist Express by Citrix Ã± the BEST remote support tool available. GoToAssist Express is designed with speed and usability in mind which makes it easy to get in, diagnose and resolve the problem Ã± fast!
And with Unlimited Use Ã± you can support all you want for one flat fee! Hak5 viewers can try GoToAssist Express FREE for 30 Days. For this special offer visit GoToAssist.com/Hak5.
If you want to build a video site or if your website has a play button, I recommend getting a dot TV domain. A dot TV website lets you showcase your original content and create a unique site, not just another YouTube channel.
Just go to domain.com and search for the perfect dot TV domain for your new idea. Then use coupon code Hak5 at checkout to save an extra 15%.
If you need to host your dot TV website, donÃt forget about Domain.comÃs web hosting plans. TheyÃre less than six bucks a month and have everything you need to build, maintain, and promote your site.
Remember Ã± when you think domain names, think domain.com.
Got a great idea? It all starts with a great domain. domain.com
Only suckers pay full price. If you love alternative apparel brands like Kidrobot, Hurley, and Stussy but hate wasting all your cash on them, listen up! You can score these premium brands at UP TO 80% OFF every day.
There’s a new invite-only shopping club just for guys called JackThreads, serving up street, skate, and surfwear brands at prices that will melt your brain. There’s a wait-list to join, but if you head to jackthreads.com/hak5 you’ll get instant access to all the killer hook-ups. GO NOW Oh, and did we mention that it’s free to join? Hit up JackThreads.com/hak5 and you’ll instantly start saving without having to leave the house.