Cléber Zavadniak Website

Going Red Team

STATUS: DRAFT

This weekend I decided I want to venture into “red team” territory and play around with some ideas – far from thinking about committing crimes, but especially for research purposes, since I still entertain the possibility of becoming an Information Security professional.

Thus, I’d like to make clear that you should not commit crimes. It’s bad, it’s wrong, it’s criminal (obviously) and I’m sharing this information solely for the benefit of security researchers who know what they are doing and have a clear and honest purpose.

Do not put other people in danger or steal their money. It doesn’t matter if “they are so dumb”: it’s wrong. Don’t do it!

Do not jeopardize other people’s property. It doesn’t matter if you hate some company: the wrath of man works not the righteousness of God (James 1:20).

In short, please, be excellent to each other.

(Besides, what constitutes a crime in certain countries are things like downloading a Bible or expressing your true opinion about the local government… so take it cum grano salis…)


It may be research, but public opinion still counts

And people don’t know shit about Information Security. It doesn’t matter what your intentions are: if they feel fooled they will call the police and drag you to court. Newspapers will put “researcher” in quotes when talking about you, pointy-haired CEOs will write articles about how dangerous the unregulated internet can be and government agencies will step in to offer “a solution”, all capitalizing on your case because they are not only stupid but also want more power.

And all that because you guessed a very badly chosen password.

So, at least be prepared. Someone, sometime, is going to misunderstand things…

It only takes a single mistake on your part

If you are planning to go unnoticed, be aware that it only takes one mistake to, well, get you noticed. Do not rush into action before proper planning. Understand your threat models. Do not depend on third parties. Always be in control.

Lie all the time

Do not call your Linux machine “linux machine”. Change your Web browser User Agent to “Android”. Make your hostname “cdn2.facebook.com”.

No personal information at all

If you’re going to assume some identity and it’s raining outside, you say it’s a beautiful sunny day. But it’s much better if you don’t say anything at all.

Resist the temptation to brag

Keep it all to yourself. Do not seek fame or glory.

Resist the temptation to “make a statement”

Keep it all to yourself. Do not seek fame or glory.

Create a good case

First the news, then (maybe) the court. Be creative. Make yourself look like a poor victim, not a “hacker”. They will abuse the quotes – it goes like ‘“security researcher” says he’s a “victim” in VICIOUS online security breach case’.

Use a dedicated machine

It’s waaay better to keep things on separate machines.

Turn off devices in the BIOS

Especially the camera and probably the microphone. Put tape over the camera. Plug a dummy jack into the microphone socket.

No direct connection to the internet

Use another machine as a firewall so that nothing you don’t really want to leak gets out to the open internet (for instance: DNS requests).

Encrypt everything

Explore the limits of deniability. Use your right to remain silent.

Data

Not only your /home, but the whole system – especially the logs!

Make their lives difficult

Use looooooooooooooooooooooooooooooooooooooong passwords for everything.

Connections

Tor is the bare minimum. Take extra care with dVPNs, as they may expose you to the open internet when disconnected. Do not trust others’ systems; always make sure you’re in control.

Mind the DNS!

Look for “safe” DNS providers but never trust them. Avoid DNS-over-HTTPS, too: new implementations are always born with more surveillance…

Understand your threat model

Mine is 70% about physical access, so I lock the screen every 60 seconds.


Again, if you think about this as an exercise, you’ll start thinking about how to break into your own system. That’s why this kind of experiment is so interesting.

Also, take a look at what an Ethical Hacker is.
