Categories
Uncategorized

Hacking, ethics, inner conflict: Are we on the brink of a Hacktivism revival?

The whole JBS Meatworks ransomware attack caused some inner conflict for me.

Firstly, I’m an ethical hacker and I don’t believe that ransomware attacks are ethical. I’ve spent a lot of my time defending organisations against these types of attacks. Secondly, I’m a vegan who is against slaughtering animals for human consumption.

What happens when ransomware halts animals from being killed for human consumption? How do I feel about that? ¯\_(ツ)_/¯

I won’t lie, my initial gut reaction to the news of the JBS Meatworks ransomware attack was joy. It warms my heart that the power of hacking can yield an individual the ability to cause significant positive change in the world, especially disrupting an operation that slaughters tens of thousands of animals every single day.

Reading further, I wasn’t so happy about it. Legality aside, this was not an ethical attack. It was clearly financially motivated. Many of the employees of JBS Meatworks did not get paid on time, there were probably casual staff who lost income, and the animal slaughter will probably continue in a week or so anyway.

This got me thinking though… what if the attack’s sole purpose was to halt the slaughter of animals, not to make money? Would I consider that to be ethical? Or to abstract it further, and eliminate my own personal beliefs:

Is it ethical to utilise illegal hacking techniques to disrupt the operations of an organisation that profits primarily from something which is unethical?

It’s a tough question, right? Firstly, the word “ethical” is purely subjective. Secondly, ethics is a matter of degree, not a yes/no switch. So while this question is good to think about, there is no definitive answer.

What really matters is people’s opinions on these topics, because those beliefs are what end up being translated into actions in the real world. So how do we measure people’s opinions?

Getting some answers

If you want to gather opinions, Twitter polls are a terrible idea. But that’s exactly where I turned. I love Twitter polls, but they’re not exactly the epitome of scholarly research. Most of the Twitter polls I’m about to show you only allow binary answers. Due to this, they don’t allow the opportunity to fully explore the complexities of the topics. Regardless, the results are super interesting and they do give an insight into the initial gut instinct of my Twitter followers (who are primarily hackers).

First of all, I asked if it is ethical to launch a ransomware attack against an organisation that primarily makes money from something unethical. I was surprised to see that 56% of voters said yes.

Next, I asked a very similar question, but this time I changed it to a DDoS attack instead of a ransomware attack. The main difference is that the attacker would gain nothing from a DDoS attack. It is an attack designed to purely disrupt operations, unlike a ransomware attack which is more likely to be financially motivated. About 61% of voters feel that this type of attack is ethical, provided that the organisation they are attacking is (subjectively) unethical.

Relating this back to the JBS Meatworks attack, I asked my followers whether killing thousands of animals per day for human consumption is ethical:

About 53% of respondents said that it is ethical, leaving 47% of respondents believing that killing animals for human consumption is unethical.

Then I asked whether the respondent would actively attack an organisation that consistently partakes in actions that they feel are unethical.

In this poll, I also added a “see results” button, because I only wanted people to respond if they had a particularly strong opinion one way or the other. The results are staggering.

31% of respondents felt strongly enough about this question to respond “yes”. In other words, almost one third of respondents would actively attack an organisation that consistently partakes in actions that they feel are unethical.

When you combine these two outcomes…

  • ~31% or more of the respondents would personally, actively attack an organisation that they feel is unethical
  • ~47% of the respondents feel that killing animals for human consumption is unethical

It is easy to see why organisations that supply meat are likely to be attacked: there is quite a large cross-section of hackers who would be willing to disrupt the resources of these plants, whether there is money to be gained or not.

This doesn’t stop at animal agriculture though. Nearly a third of these hackers are willing to attack any organisation that they deem to be unethical. That’s a pretty crazy thought, and it raises the question:

If there was no financial motivation to attack JBS Meatworks, would it still have happened eventually, simply because their primary business is something that many feel is unethical?

And the answer is… maybe? The polls seem to suggest that this is the case, but it’s hard to say. There’s a big difference between answering a couple of polls on Twitter and actually attacking an organisation. And just to make things even more grey – JBS recently released a plant-based meat alternative range, and also bought Vivera, a company that sells plant-based protein. So yeah… I dunno… *confused stare* It’s interesting to think about though.

Hacktivism revival?

For a while now – the whole “hacktivism” scene seems to have been pretty stagnant. The “Anonymous” movement has mostly fizzled out, although it did pop its head up briefly in support of the BLM movement. Other than that, there really has not been much going on.

The responses to these polls tell me that there is still an underlying thirst within hackers to drive (subjectively) positive change in the world, and they certainly have the power to do so. It seems that it is only a matter of time before a new group of vigilante hackers join forces again to wreak havoc against organisations that they feel are unethical.

In these cases, the behaviour of the attackers is far less predictable than your run-of-the-mill ransomware attack because the motivation runs deeper than money, and is far more complex.

Whether you’re for or against it – it’s something worth thinking about, especially if you are involved with an organisation that partakes in activities that are ethically questionable.

Categories
Uncategorized

List of Cybersecurity Subreddits

For all you redditors out there, I’ve compiled a list of Cybersecurity subreddits, enjoy!

https://www.reddit.com/r/redteamsec
https://www.reddit.com/r/exploitdev
https://www.reddit.com/r/reverseengineering
https://www.reddit.com/r/regames
https://www.reddit.com/r/AccessCyber/
https://www.reddit.com/r/datarecovery/
https://www.reddit.com/r/Aggregat0r/
https://www.reddit.com/r/ISO27001/
https://www.reddit.com/r/fulldisclosure/
https://www.reddit.com/r/infosecurity/
https://www.reddit.com/r/BadApps/
https://www.reddit.com/r/hackersec/
https://www.reddit.com/r/websecurity/
https://www.reddit.com/r/techsnap/
https://www.reddit.com/r/NetworkSecurity/
https://www.reddit.com/r/CyberSecurityJobs/
https://www.reddit.com/r/ethicalhacking/
https://www.reddit.com/r/Infosec/
https://www.reddit.com/r/Information_Security/
https://www.reddit.com/r/i2p/
https://www.reddit.com/r/HackBloc/
https://www.reddit.com/r/ComputerSecurity/
https://www.reddit.com/r/securityCTF/
https://www.reddit.com/r/pwned/
https://www.reddit.com/r/computerforensics/
https://www.reddit.com/r/Malware/
https://www.reddit.com/r/blackhat/
https://www.reddit.com/r/netsecstudents/
https://www.reddit.com/r/CompTIA/
https://www.reddit.com/r/Hacking_Tutorials/
https://www.reddit.com/r/AskNetsec/
https://www.reddit.com/r/security/
https://www.reddit.com/r/opendirectories/
https://www.reddit.com/r/cybersecurity/
https://www.reddit.com/r/HowToHack/
https://www.reddit.com/r/netsec/
https://www.reddit.com/r/hacking/

Categories
Uncategorized

How to hack your ex-girlfriend’s Facebook account

Don’t.

Categories
Uncategorized

Why I Quit My Job at Bugcrowd

Watch the video, or read the blog, or both! They say roughly the same thing.

Yep! I did it. I resigned from Bugcrowd.

Something about titling the blog “Why I Quit My Job at Bugcrowd” might have you thinking that I’m about to explode into a dramatic display of anger and resentment towards Bugcrowd, scaaaalding them with mighty words.

I’m not.

In fact, I absolutely loved working there. I’d recommend it to anyone. It’s a great organisation. My pay was great, the people were great and I got to work on a lot of purposeful projects. This isn’t so much a blog about why I left Bugcrowd as it is about leaving a job in general. Many would say I am crazy for leaving. Maybe I am! At this stage, I’m not even sure I have made the right decision myself. In this blog I want to explain why I left, and what I’m doing next.

Reasons for leaving

Wealth 💰

For me, true wealth is the ability to earn enough money to live comfortably without having to work. I don’t want to achieve this when I’m 65, I want to achieve it as soon as possible.

Why do I want wealth?

Sometime around late 2019 my wife and I were looking to buy our first home. It quickly became apparent that we would not be able to afford the house of our dreams. At this point I realised that I needed to start paying more attention to money. I’d been working for a decade, why couldn’t I buy the house that I wanted?

How can one obtain wealth?

I started reading books about how to become wealthy. I devoured all the classics, “Rich Dad Poor Dad”, “Think and Grow Rich”, “Secrets of the Millionaire Mind”, etc. They all basically say the same thing. Don’t trade time for money.

Robert Kiyosaki puts it well in his books, he segments income types into four different categories that he calls the “cashflow quadrant”. The four main types of income are:

  • Employee – you are employed by someone else and paid for your time.
  • Self employed – you are employed by yourself, but still paid for your time.
  • Business Owner – you own a system that makes you money.
  • Investor – your money makes you money.

In order to be “wealthy”, Robert Kiyosaki says that you should prioritise earning money from income streams as far down that list as possible. Notice that the further down the list you go the more scalable the income streams become and the more opportunity you have to free up your time.

The plan…

At Bugcrowd, I was 100% employee. My plan is to get further down that list by starting a business. I found it hard to do this when I spent the better part of my time/brainpower working as an employee. Now I’ll be refocusing all of that brainpower and time into generating income as a business owner. Most money that I earn above my living expenses will be invested.

Freedom 🦅

The other reason that I quit my job is for personal freedom.

What is freedom? 🤷‍♀️

Personal freedom comes in many forms.

To name a few:

  • Freedom of time
  • Freedom of location
  • Financial freedom
  • Freedom of expression
  • Freedom of choice

The disconnect between freedom and employment 💔

No matter how good the culture at your company is or how much you love your job, you will still be required to forgo some amount of freedom when you are an employee. That’s why you get paid.

For example:

  • You must work during specific times (sacrifice time freedom).
  • You can’t say anything on social media that would negatively affect your employer (freedom of expression).
  • If your boss asks you to do something, you have to do it (freedom of choice).
  • If an employer decides that they don’t want to pay you money anymore, they can sack you (financial freedom).

This isn’t a dig at any company, it’s just how employment works. Employees get paid to forgo their freedom. This thought has been eating away at me for a long time, and it has contributed greatly to my decision to take this risk.

The alternative

I am trying to reconfigure my life to look more like this:

  • I decide when I work.
  • I decide how hard I work.
  • I decide what I work on.
  • I decide where I work from.
  • I decide who I work with.
  • I express myself freely.

What am I doing next? 🚀

There are a few ways that I’m planning to make money.

Starting My Own Cybersecurity Consultancy 👨‍💼

I’ve started my own cybersecurity consultancy, Haksec. This is my first public mention of it! Haksec provides virtual CISO (vCISO) and penetration testing services. I want to focus more on the vCISO side of things, because my experience as a penetration tester has taught me that a lot of businesses need general guidance more than a pentest.

If you know anyone who may be interested please send them my way, it would mean the world.

Bug Bounties 👾

I cut back on bug bounty hunting a lot since I started at Bugcrowd back in March 2020. I just haven’t felt overly motivated to do it because after a full day working full-time at Bugcrowd I was all bugged out. I am really looking forward to having more time to sink into this again – I can feel my motivation bubbling back already and I’ve landed a few good bugs in the last couple of weeks!

Content Creation 👨‍🎨

I’m going to be creating a lot more content.

Firstly, I’ll be creating content on my personal channels (YouTube, Twitter, Instagram, TikTok and my blog). I will be fully transparent about my bug bounty hunting journey including what bugs I find and how much I’m earning. I also want to make general life videos.

I will also be creating cyber-security related content on behalf of other organisations. I’ve already started doing a bit more of this. If you want any type of cybersecurity-related content created for you, feel free to get in touch.

I am scared 😬

This is one of the biggest decisions I’ve ever made and it’s a huge risk. Even more so with a family to provide for. The truth is, I don’t know if it will work out and if it doesn’t I hope that I will come back to the workforce in 6+ months with a whole new appreciation for the safety and security of employment.

Support 💪

If you’d like to support me on my journey, there are a bunch of things you can do:

  • Refer people to Haksec if they are looking for cybersecurity services or advice.
  • Sponsor me on GitHub
  • Sponsor my upcoming content (get in touch via any of my socials)
  • Hire me to create content for your organisation
  • Share my content 🙂

Categories
bugbountytip hacking-tools tutorials

Introducing Haktrails: A Small CLI Tool Harnessing the Power of SecurityTrails

Yes, I made a logo for my tool. It’s a wolf with a moon on its head. It has nothing to do with the tool but if you like wolves then you will probably enjoy it. I am quite talented at graphic design, I changed the text to “haktrails” all by myself. The wolf bit was a free Canva template.

Quick Ad Break

Full disclosure – SecurityTrails has sponsored me to write this tool and create some content because they’re running Bug Bounty Hunting Month. As part of that, they’ve released a plan that is catered directly to bug bounty hunters. If you’re a bug bounty hunter, you should buy this. I know it doesn’t quite mean as much when I’m being sponsored, but I would legitimately recommend this product even if I wasn’t. They’re offering the plan for $50 per month. If you sign up after April 15th you’ll be paying double that. I’ve used the features included in this plan for ages, but I paid a lot more for them! If you actively use it, even at $99 per month, the ROI is insanely good, and now you’ll have the perfect companion tool to make full use of it! Click here to check out the details.

Okay I’ll stop harassing you now.

Why Haktrails

Building a huge distributed recon system is great and all but at some point it becomes more cost/time effective to just pay for access to recon data that someone else has gathered. Working with APIs can be a bit awkward though. Wouldn’t it be lovely if there was a nifty little tool that did all of the API calls for you, and integrated nicely with your existing tools? 🤔

Yes. Yes it would! That’s exactly what haktrails does.

Features

  • Stdin input for easy tool chaining
  • “JSON” or “list” output options for easy tool chaining
  • Subdomain discovery
  • Associated root domain discovery
  • Associated IP discovery
  • Historical DNS data
  • Historical whois data
  • Company discovery (discover the owner of a domain)
  • Whois (returns json whois data for a given domain)
  • Ping (check that your current SecurityTrails configuration/key is working)
  • Usage (check your current SecurityTrails usage)

How to Use It

Setting Up the Config File

Before you do anything, you need to create a config file. The default location for the config file is:

~/.config/haktools/haktrails-config.yml 

The config file should look like this:

securitytrails:
  key: <your api key>

You are all hackers so I know I don’t need to say this, but make sure you replace “<your api key>” with your actual SecurityTrails API key. Since anyone who can read that file can spend your API credits, keep it readable only by you (chmod 600 on the file) and don’t commit it to a repo.

Installing the Tool

First, install Go on your computer, then run the following command:

go get github.com/hakluke/haktrails

Note that on Go 1.17 and later, go get no longer installs binaries. On those versions, run go install github.com/hakluke/haktrails@latest instead; the result is the same.

You should now have the haktrails binary at ~/go/bin/haktrails (the default GOPATH bin directory). If you haven’t already, I’d recommend adding ~/go/bin/ to your $PATH so that you can just type haktrails instead of ~/go/bin/haktrails.

Using the Tool

Note

Note: In these examples, domains.txt is a list of root domains that you wish to gather data on. For example:

hakluke.com
bugcrowd.com
tesla.com
yahoo.com

Flags

  • The output type can be specified with -o json or -o list. List is the default. List output is only compatible with subdomains, associated domains and associated IPs. All the other endpoints return JSON regardless.
  • The number of threads can be set using -t <number>. This will determine how many domains can be processed at the same time. It’s worth noting that the API has rate-limiting, so setting a really high thread count here will actually slow you down.
  • The config file location can be set with -c <file path>. The default location is ~/.config/haktools/haktrails-config.yml. A sample config file is shown in the “Setting Up the Config File” section above.
  • The lookup type for historical DNS lookups can be set with -type <type>, available options are a,aaaa,mx,txt,ns,soa.

Warning

Warning: With this tool, it’s very easy to burn through a lot of API credits. For example, if you have 10,000 domains in domains.txt, running cat domains.txt | haktrails subdomains will use 10,000 credits. It’s also worth noting that some functions (such as associated domains) will use multiple API requests, for example, echo "yahoo.com" | haktrails associateddomains would use about 20 API requests, because the data is paginated and yahoo.com has a lot of associated domains.
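
As an added example (not part of haktrails or the original post): a small bash wrapper that normalises and dedupes the domain list before it reaches haktrails, estimates the minimum number of credits a run will cost (one per input domain, which is a floor since paginated endpoints such as associateddomains use more), and refuses to call haktrails at all if that estimate exceeds a budget you set. It assumes haktrails is on your PATH and the config file is already in place; the function names and the budget figure are my own.

```bash
#!/usr/bin/env bash
# Added example: a credit-aware wrapper around haktrails (hypothetical helper,
# not part of the tool). Assumes haktrails is on $PATH and configured.
set -euo pipefail

# Normalise a list of root domains read from stdin: lowercase, trim whitespace,
# strip any scheme/path that crept in from a copy-paste, drop trailing dots,
# drop blank and comment lines, and dedupe. One clean domain per line on stdout.
normalise_domains() {
  tr '[:upper:]' '[:lower:]' \
    | sed -e 's#^[[:space:]]*##' -e 's#[[:space:]]*$##' \
          -e 's#^https\{0,1\}://##' -e 's#/.*$##' -e 's#\.$##' \
    | grep -v -e '^$' -e '^#' \
    | sort -u
}

# Minimum credits a run will spend: one request per unique domain.
# Paginated endpoints (associateddomains on a big org) cost more, so this is a floor.
estimate_credits() {
  normalise_domains | wc -l | tr -d ' '
}

# run_guarded <budget> <haktrails args...>
# Reads domains on stdin, aborts before any API call if the floor estimate
# exceeds <budget>, otherwise feeds the cleaned list to haktrails.
run_guarded() {
  local budget="$1"; shift
  local tmp cost
  tmp="$(mktemp)"
  normalise_domains > "$tmp"
  cost="$(wc -l < "$tmp" | tr -d ' ')"
  if [ "$cost" -gt "$budget" ]; then
    echo "refusing: $cost domains would use at least $cost credits (budget $budget)" >&2
    rm -f "$tmp"
    return 2
  fi
  haktrails "$@" < "$tmp"
  rm -f "$tmp"
}

# Usage (after sourcing this file):
#   cat domains.txt | run_guarded 500 subdomains | sort -u > subdomains.txt
```

Source the file and pipe your list through run_guarded with the budget you are willing to spend. The estimate is a floor, not an exact figure, so run haktrails usage afterwards to see what was actually consumed; the point of the wrapper is that a 10,000-line file pasted in by mistake is rejected before the first request goes out.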

Gathering subdomains

This will gather all subdomains of all the domains listed within domains.txt.

cat domains.txt | haktrails subdomains

Of course, a single domain can also be specified like this:

echo "yahoo.com" | haktrails subdomains

Gathering associated domains

“Associated domains” is a loose term, but it is generally just domains that are owned by the same company. This will gather all associated domains for every domain in domains.txt

cat domains.txt | haktrails associateddomains

Gathering associated IPs

Again, associated IPs is a loose term, but it generally refers to IP addresses that are owned by the same organisation.

cat domains.txt | haktrails associatedips

Getting historical DNS data

Returns historical DNS data for a domain.

cat domains.txt | haktrails historicaldns

Getting historical whois data

Returns historical whois data for a domain.

cat domains.txt | haktrails historicalwhois

Getting company details

Returns the company that is associated with the provided domain(s).

cat domains.txt | haktrails company

Getting domain details

Returns all details of a domain including DNS records, Alexa ranking and last seen time.

cat domains.txt | haktrails details

Getting whois data

Returns whois data in JSON format.

cat domains.txt | haktrails whois

Getting domain tags

Returns “tags” of a specific domain.

cat domains.txt | haktrails tags

Getting API Usage Data

Returns data about API usage on your SecurityTrails account.

haktrails usage

Checking Your API Key

Pings SecurityTrails to check if your API key is working properly.

haktrails ping

Showing Some Average ASCII Art

~$ haktrails banner

	 _       _   _           _ _
	| |_ ___| |_| |_ ___ ___|_| |___
	|   | .'| '_|  _|  _| .'| | |_ -|
	|_|_|__,|_,_|_| |_| |__,|_|_|___|

	    Made with <3 by hakluke
	  Sponsored by SecurityTrails
	         hakluke.com

Getting More Info

For more information and up-to-date usage instructions, check out the Haktrails GitHub repository.

You Made it This Far…

I lovingly craft artisanal hacking tools with my bare hands, I also write blogs about infosec, bug bounties and life. If that sounds good to you, follow me on socials and pop your email in here:

Categories
inspiration videos

Perspective is Everything

Every time I watch space documentaries or look up at the stars at night, or think about things on a universal scale, my troubles melt away. Perspective is a very powerful tool for overcoming the stresses of everyday life.
In this video, I aim to put everything into perspective by pondering the scale of the universe, and the stuff you’re made of.

Categories
inspiration videos

Watch This if You Feel Directionless

Everyone feels directionless at some point in their life. Here are some things that have helped me through these phases, and helped me to find direction.

Categories
bugbountytip entrepreneurship inspiration videos

An Interview With STÖK: Bug Bounties, Hacking, Content Creation, Veganism and Entrepreneurship

@stokfredrik (STÖK) is an inspirational, motivational hacker, bug bounty hunter, entrepreneur, vegan and content creator. In this interview we chat about mental health, hacking, content creation, sunglasses, haircare, COVID-19, veganism and entrepreneurship!

Book Recommendation: Untethered Soul https://www.amazon.com.au/Untethered-…

Hair maintenance: Razul Clay

STÖK’s manifesto:

Hackers gonna hack.

Creators gonna create.

Good vibes only.

Categories
bugbountytip videos

10 Tips For Crushing Bug Bounties in the First 12 Months

10 actionable tips for bug bounty beginners to boost their success in the first 12 months of hacking. Don’t forget to subscribe for more!

Categories
entrepreneurship inspiration videos

Casey John Ellis Interview

Casey is an A-grade disruptor, a successful entrepreneur, a pioneer in crowd-sourced security, the founder and CTO of Bugcrowd, a hacker, musician, family man, and all-round great human. In this interview we chat about his childhood, inspiration, motivation, previous businesses, views on life, productivity hacks, work/life balance, entrepreneurship, cyber security, and the power of surrounding yourself with good people.

If you’re curious, I tracked down some of his music on Soundcloud: https://soundcloud.com/caseyjohnellis

I’m fairly sure that this is the TV show that he hosted, although I can’t find any videos of him actually hosting – let me know if you can! https://www.youtube.com/user/crewtvaus