rez0

Bugbounty alert automation tips

I have always loved automation. Being a computer science student in college, as well as getting really into Instagram around 2011 (back when people would follow you if you liked their photo or left a single comment on it) led me to try and automate gathering Instagram followers.

My first RCE: a tale of good ideas and good friends

TLDR: Through the help of two friends, some bash tricks, the use of Tomnomnom’s tool meg, and a service vulnerable to ImageTragick, I found my first RCE (and my first critical!) within the first two months of bug bounty hunting.

My Favorite Podcasts

I love podcasts. I’ve listened to a bunch in the last few years. Here’s my favorites for a few categories:

Passwords are keys. Don't use 1 key for everything.

Passwords are keys. Would you use the same key for your house, car, mailbox, and vault where you keep all your money? No way. Would you keep using the same key after you know someone has a copy? Absolutely not, but this is what you might be doing. Almost everyone has had their login information stolen. Go ahead and check your email and usernames on this website: https://haveibeenpwned.com. There have been so many breaches that a huge number of accounts have been compromised. 

How to fix it

There’s a lot of bad and complicated information out there about passwords. I’m going to make it easy with three simple rules. Make them different, long, and easy to remember.

1. Make them different. Reusing passwords is like using the same key for two things. If a person gets access to one, they can access everything else that uses the same key/password.
2. Make them long. The difficulty of guessing or cracking your password goes up exponentially with length. The longer the better (at least 12 characters). 
3. Make them easy to remember. This is partially dependent on your choice of password management (which we will discuss below), but you’re going to have to remember at least one password. Make it easy to remember.

Sentences work well for these rules. Example of good passwords:

• I went to Keeneland in 2015.
• Pizza is the #1 food!
• My 2nd child’s name is Ashley.

These are long, easy to remember, and they satisfy the requirements that most websites have (a number, lowercase letter, uppercase letter, and special character).

Password Management

Having a different password for everything is a lot to remember. I don’t think it’s reasonable to expect yourself to remember them all, and keeping them saved in your phone or computer isn’t safe either. So there are two methods of password management that I would recommend: using a password manager and having a hard copy (on paper).

Password manager

Definitely the best of the two options. Password managers are programs that keep all your passwords saved in them. You will use a master password to access them.

Pros:

• You only have to remember a single master password (make sure it’s long, at least 20 characters).
• Convenient ones have browser plug-ins that make it extremely easy to access any website. You don’t even have to type in your password--it does it for you.
• They include password generators that can generate strong passwords for you.

Cons:

• If someone is able to get your master password, they have access to your other passwords. For this reason, I don’t recommend putting your email or bank password in there. See the additional information heading below for why.

The two password managers I would recommend (due to ease of use) are LastPass and OnePassword. Here’s a guide to LastPass. Here’s a startup guide to OnePassword.

Hard copy

Password managers can be confusing for some people. If that’s the case for you, you still need to use different passwords. Since that’s a lot to remember, just write them down. Many people have been taught not to write down your passwords. This is generally good advice, but if it encourages you to use the same password (because you can’t remember all your passwords, and you don’t think you’re allowed to write them down) then it’s better to just write them down. Almost all cyber attacks take place remotely, from another computer. Having your passwords on a piece of paper beside your computer isn’t very high risk.

Additional information

Your email password is probably your most important password (except for your bank account password). This is because every website allows users to reset their password via an option labeled Forgot your password? This option sends the reset link to your email. If someone gets access to your email, they can usually get access to all your other accounts. Therefore, make your email password one of the strongest and consider not writing it down or putting it in your password manager. One way to prevent the reset problem, at least for websites that support it, is by using two-factor authentication. 

How thousands of dollars were stolen from me and why security is important.

Privacy and security are important. In 2015, my wife and I had thousands of dollars stolen by tax fraud. We weren’t the only ones. “As of December 31, 2015, the IRS reported that it identified 835,183 tax returns claiming approximately $4.3 billion in potentially fraudulent tax refunds.”[1] Hackers take private information (names, social security numbers, addresses, etc.) from previous attacks and file tax returns to be sent to them instead. “The 2017 Identity Fraud Study, released by Javelin Strategy & Research, found that $16 billion was stolen from 15.4 million U.S. consumers in 2016.”[2]

Security: past and present

Until the last decade, most people have had the luxury of not needing to worry about cybersecurity. Hackers were an abstract idea or a concern for government entities. Today, however, you can’t find someone who hasn’t received an email from a “Nigerian Prince” who wants to give them a million dollars or a call from a company wanting to give them a “free” cruise.