This time on the show I’m reviewing my top five Security Extensions for my favorite browser, Google Chrome.

Download HD Download MP4 Download WMV

5. PasswordFail. This extension for Chrome warns you to back away whenever you start to log into a site that sends your password as clear text. A lot of sites don’t encrypt or hash your text and just send your password to a database completely open and ready for hackers or curious folk. PasswordFail will call these sites OUT on their crappy security and hopefully help you from losing sensitive data.

4. KB SSL Enforcer. Some sites offer HTTPS or Secure Sockets Layer logins. This extension will force those sites to automatically go to HTTPS instead of HTTP so you have more security and encryption in case you forget to check.

3. View Thru. A lot of times on twitter and whatnot, people post tiny.url’s or bit.ly’s and I have no clue what they are. But, I’m a curious cat, and I always click the link anyways even though I don’t know what kind of site I’m going to stumble onto. View Thru pops up a little blurb that shows you the page you’re about to visit when you hover on a tiny URL address. When testing this on my twitter feed, not only does it work, but it’s also not annoyingly overdramatic.

2. LastPass. LastPass gives you an easy way to fill out forms (with autofill) and remember passwords. Passwords are stored locally, so even the LastPass team cant access your passwords. Using lastpass gives you a vault where only a master password will unlock your data. For more info on LastPass, check out HakTip number 20.

1. Web of Trust (or WOT). This small extension gives you a small icon in the top right corner of your browser that shines either Red, Yellow, or Green. Red means bad and green means good. The cool thing about Web of Trust is all the sites ratings are submitted by user feedback, not a virus detector or a corporate affiliation. You can add your own feedback by left clicking on the icon, and choosing the color you think the site deserves. Hak5 gets green all the way!

Ok, so I want to hear your feedback. What Chrome extensions for security and / or privacy are your favorite? Let me know what you think or what extensions to check out by emailing me — tips@hak5.org or send me a note in the comments below.

And be sure to check out our sister show, Hak5 for more great stuff just like this.

Don’t like Dropbox? We’ve got a cross-platform alternative. How does Google Maps find your location without GPS? And can it be spoofed? Random password scripts, bash tips and more this time on Hak5!

Download HD Download MP4 Download WMV

Spoofing the W3C Geolocation API

Google Maps “Show My Location” feature uses the W3C Geolocation API.

It’s an application programming interface designed by the World Wide Web Consortium as a standard for retrieving a client’s geographical location. The client will gather geographic information by IP address, WiFi access points, GSM and CDMA cells and GPS. The accuracy depends on the data available. If only IP address is known you’ll likely only narrow the location down to your town. If WiFi data is available you’re more likely to get within a block. GPS should be pretty spot on.

The API has been implemented in modern browsers; Firefox since version 3.5, Opera since 10.6, Internet Explorer since 9 and of course Google Chrome.

We can test the API with either some example javascript or the Google Maps feature “”Show My Location”"

Determining a location based on wireless access points is done by referencing a database of known wifi base stations and their characteristics, such as the unique BSSID or MAC address. The technique of collecting these databases is called War Driving and I’m sure you’re familiar with it. Our favorite tools for the job are NetStumbler for Windows, Kismet on Linux and Kismac on OSX.

On such company that collects and maintains WiFi station location databases is Skyhook. They provided the location information for the iPhone until iOS version 3.2, at which point Apple started using their own database.

Another database maintainer is Google, who formerly collected locations from Street View cars and currently using anonymous data captured by Android devices. The former is an opt-in feature of the Android OS.

Of course Skyhook, Apple and Google’s databases are for the most part proprietary. There is however an open database. Wigle.net maintains a huge map and database of wireless access points and cell stations submitted by community members wardrive findings.

With all of this in mind, today we’re attempting to spoof our location with faked access point information using a Faraday Cage and an MDK3 beacon flood.

SpiderOak, is it better than Dropbox?

Are you sick of using lame backup and recovery programs that cost way too much? Perhaps you’re just not a fan of the new terms of service with Dropbox? Well, I found one that might float your boat! SpiderOak is a tool made specifically for backing up, syncing, and recovering your files through Windows, Mac, and Linux. SpiderOak was made by geeks for geeks, especially for the hacker minded. It’s more customizable, storage is cheaper, and the privacy is much better than certain backup programs out there because they take a “”zero knowledge”" approach to all data. With that said, though, you’re screwed if you forget your password!

There are a lot of features to be had:

Storage Redundancy Savings- SpiderOak will detect redundant copies of the same file and the extra copies wont take up any extra space. For example, if you have the same song uploaded to SpiderOak from your home computer and your work computer, the second one won’t take any space.
Multi platform synchronization lets you sync files and data from several different types of computers and mobile devices.
It’ll save historical file versions, just in case you save over something important.

In place of FTP to share and upload files for family and friends, SpiderOak lets you make anything you want public, and you can create a ShareRoom to be accessed via a web URL.

You can retrieve files from any device that’s connected to the internets.
And my favorite, the comprehensive zero knowledge data encryption. Most online storage systems only encrypt your data during transmission, meaning anyone with physical access to the servers your data is stored on (such as the company’s staff) could have access to it. Or, even if your data is encrypted during storage, your password (or set of encryption keys) is often stored along with your data, thus making its easily decoded by anyone with local access to those servers. With SpiderOak, you create a password on you rPC, not a web form. The password is entrypted so even physical access does nothing. This is why if you lost your password, you’re screwed.

Now, pricing isn’t too bad. It’s less than other backup programs out there! 2 GB are free, or you can get 100 GB for $10 a month which increases per every 100 GB thereafter.

On to playing with the program! So there are several versions, including a 64 bit one. Just download the one that corresponds to your computer from the SpiderOak website. ”

I’m going to be playing with SpiderOak in this Ubuntu VM just to see how it works in Linux. I am going to download the 32bit version for Ubuntu and go through the installation process. So, as you can see, the installation process is plain and simple. Just follow the on screen instructions. You’ll find SpiderOak under Applications–>Internet folder. When you first open it, you’ll need to hop over to the website and create a new account. You’ll enter your username and verification code (which gets emailed to you) into the program. Then, from the program, you can create a password.

If you’ve already created your account you can choose Existing User and just enter your UN and PW. It may take a few seconds to completely let you log in because during this process your information is being decrypted.
Next you’ll be able to install a new device (which means you’ll name it, like mine is called Linux VM).

When you first log in, you’ll get this nice listing that basically divides all of your files into categories. I prefer advanced mode, so I can choose exactly what I want to back up… My photo can be found on the desktop, so I’ll choose it, then click save. Now, if I go to status I can watch the progress of the back up. Under the view tab, you can view all youre backups as well as view ongoing downloads with the downloads manager tool. The Sync tab will let you synchronize filetypes of your choice across various folders. This would be a good thing to use if you have a photo folder on your Linux computer and your Windows machine, and want to sync up both of the folderes to match so you don’t have to go from one comp to the other.

Last is the share option. First create a name for your new share folder. Then choose ‘New’ to create the Shared link. Go through the on screen instruction and you’ll see a link to the left side. This can be emailed, copied, and forwarded to other recipiants.
So you can tell that SpiderOak is generally a very easy to use program but it’s still packed with all the goodies that you’d need when uploading and syncing files.

Faraday Cages and Wireless Cards!

If you’re not familiar with a Faraday Cage it’s basically a metal or mesh box that blocks, among other things, radio waves. It was invented back in the 1836 by the English scientist Michael Faraday.

My little faraday cage here is built from an IKEA picture frame and before we get any further: Stand Down HAM Radio Operators!

MDK3 is a tool that exploits weaknesses in 802.11 protocols. It was created by ASPj with the help of the aircrack-ng team and libraries. MDK3 can be found at Pedro Larig’s homepage and is built in to the latest version of BackTrack from backtrack-linux.org

Using the MDK3 beacon flood attack mode and information gathered from the Wigle.net database for the old HakHouse in Williamsburg, VA we’ll attempt to spoof our location.

If you’re into Hak5 you’ll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!

Whether you’re a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let’s not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org.

Being in IT and not using the right tools to get the best results for your clients ñ Is like a surgeon not using the best, most reliable medical equipmentÖHow can you expect your clients to work with you?
Thatís why I use GoToAssist Express by Citrix ñ the BEST remote support tool available. GoToAssist Express is designed with speed and usability in mind which makes it easy to get in, diagnose and resolve the problem ñ fast!
And with Unlimited Use ñ you can support all you want for one flat fee! Hak5 viewers can try GoToAssist Express FREE for 30 Days. For this special offer visit GoToAssist.com/Hak5.

If you want to build a video site or if your website has a play button, I recommend getting a dot TV domain. A dot TV website lets you showcase your original content and create a unique site, not just another YouTube channel.
Just go to domain.com and search for the perfect dot TV domain for your new idea. Then use coupon code Hak5 at checkout to save an extra 15%.
If you need to host your dot TV website, donít forget about Domain.comís web hosting plans. Theyíre less than six bucks a month and have everything you need to build, maintain, and promote your site.
Remember ñ when you think domain names, think domain.com.
Got a great idea? It all starts with a great domain. domain.com

Only suckers pay full price. If you love alternative apparel brands like Kidrobot, Hurley, and Stussy but hate wasting all your cash on them, listen up! You can score these premium brands at UP TO 80% OFF every day.
There’s a new invite-only shopping club just for guys called JackThreads, serving up street, skate, and surfwear brands at prices that will melt your brain. There’s a wait-list to join, but if you head to jackthreads.com/hak5 you’ll get instant access to all the killer hook-ups. GO NOW Oh, and did we mention that it’s free to join? Hit up JackThreads.com/hak5 and you’ll instantly start saving without having to leave the house.

This time on the show, Shannon demonstrates a novel password management technique. Darren’s explains Time Memory Trade-off and Rainbow Tables. Jason gets started programming for Windows Azure and it’s Linux in your web browser time! A PC Emulator in Javascript.

Download HD Download MP4 Download WMV

A novel approach to password management

I have about a million websites that I have to log onto day-to-day. Seriously. And with all the hype about website infiltration and stolen data, it makes me worry a bit about my own usernames and passwords. I have recently upgraded my Google Mail account to use 2-step verification, which I explained a few weeks ago in a Snubs Report, but what about my facebook? Twitter? My online banking?

These sites all say things like, ‘Password must be so-and-so characters long with at least one letter and number’, but some aren’t so secure. How will I know what sites will have a data breach? I don’t. So I use somewhat different passwords for all sites. But honestly, if someone had the balls and the time to figure out my pattern, they could probably do it. But I don’t want to download a password protection program to use on my home computer because I use several different computers and may not have access to the software or my saved encrypted passwords when I’m using a public PC.

Well, there are other options out there if you don’t want to use more software, you could use something a little less technical.

This is PasswordCard from passwordcard.org. It’s a card the size of a credit card that I can stick in my wallet and carry with me. What makes this unique is the series of random digits and letters that are included on it. The rows are different colors and the columns have a different symbol at the top. You can use this card to think up a very strong and tough password and use the colors and symbols to remember it.

Better yet, each code card is randomly generated and there are Android and iPhone apps.

So here is an example of how to use this tool:

First off, go to the website and print out your unique card. I have a laser black and white printer, but if you have a color printer I’d suggest printing in color to give you more options for remembering passwords.

You can then cut out your card and laminate it if needed. Keep the rest of the page, because it has your unique card number on it. More on that in just a bit.

Then you can choose your password. Choose a symbol and a color or row number and use the letters and numbers that are seen in that row or column.

All you have to do after that is go to your website and change your password. If you lost your PasswordCard, you can go back to the website, type in your unique card number and hit print, or pull it up on your mobile phone.
So for example, I printed out my card and I’m going to choose something I would remember. I’ll go with the music note, and number 7. So my password would be HAg8kgntQUG.

This tool is super simple to use and completely free. The website can be visited safely via HTTPS and the algorithm used to create the codes is available in case the website goes down and you need to reprint your card.

If you don’t feel safe printing a card, just download the free app off the Android Marketplace or the Apple App Store. This app will let you generate a random card or pull up your own card. It’ll also let you generate your own personal PasswordCard based on a series of random hexidecimal digits. For example, I can hit enter number, and type in a number that I have memorized. That number will always pull up my card for me to use.

If you’re worried that someone can get ahold of your unique card number, not to worry! They still wouldn’t have your actual passwords because those were created from the numbers and letters found on the card, and they could be thousands of different password combinations.

I think this is a pretty cool idea, and it’s easy enough that I could probably show my mom how to use this. So, enough of using crappy passwords!

This is just one of the tools available out there for password generation. Do you have one? Email it to me: feedback@hak5.org. Now for the haktip.”

Start programming in Windows Azure

Jason. begins a three-part mini-series on programming for Windows Azure. In this part Jason demonstrates how to get started. In coming parts Jason will develop an cloud-based application that maps Kismet KML data to a Bing map.

If you’re into Hak5 you’ll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!

Whether you’re a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let’s not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org.

The Hack Across America series continues in week 3 with a phenomenal episode featuring an exclusive interview with Pronobozo. Then mubix joins us for Metasploit 101 part 2, pwning a domain controller via SQL injection an token passing on a fully patched enterprise network. Plus Shannon has a tool that will save tons of time on your next PC build in this week’s Snubs Report. Get comfortable, you won’t wanna miss this.

Download HD Download MP4 Download XviD Download WMV

Exclusive Pronobozo Interview

We’re excited to be the first to publish a video interview with the infamous Pronobozo

Trivia

Originally running on the PDP-11 and incorporating elements from BSD, this closed source version of Unix was licensed to manufacturers by Microsoft, *yes, Microsoft* in 1980.

Enter for your chance to win a super sweet new Hak5 sticker pack set by submitting your answer at hak5.org/trivia

Domain.com
Domain.com offers easy and affordable web hosting plans with a free website builder and unlimited pages. Get a hosting account for only $5.75/month or opt for the Deluxe web hosting plan for $8.75/month that features unlimited traffic. Also get one click installation of all the popular open source programs like WordPress, Joomla, Drupal, and more! Thanks to Hak5 fans, Domain.com is one of the fastest growing domain and hosting companies in the world. Remember, don’t forget to use coupon code HAK5 at checkout to get 15% off your order. Got a great idea? It all starts with a great domain. Domain.com

Metasploit 101 part 2

This week Rob Fuller, aka Mubix brings us a follow-up to his Metasploit 101 series where he guides you through the process of pwning the domain administrator on a fully patched enterprise network.