InfoSec at Its Worst, OPSEC at Its Best

by NerveGas Jr.

0x00 - Introduction

As I write this, I am on my mother's Mac computer as she and my stepfather play Call of Duty: Advanced Warfare on the PS4.

In order to get on the Wi-Fi for this computer, I had to ask my stepfather to unblock the computer from the Wi-Fi to write the article, which is ironic as you will see.

Years ago in 2012, my mother gave me the password to her Apple account so I could update the apps I had on my iPod.  Years later in the summer of 2015, that password came in handy when I needed access to her computer to contact someone and she wouldn't let me.  As you may have guessed, the computer had the same password on it as her iTunes account.  And it didn't stop there...

0x01 - Genesis, Exodus, Revelation

As previously stated, I needed a password in order to update my apps for my iPod and, since my mother was thousands of miles away from me for a prolonged period of time, I needed her to text me the password to update.  If I didn't, I would soon be cut off from all media, and then from the whole world basically, because that is how our world is now.

She texted me the password, "hexxxx5Got".  I used it to update the apps and for nothing else, but I remembered it because I like to remember things I might be able to use later.  Eventually, my iPod got taken away, but I still remembered the password.

A few years after that, we moved from one state to another and my mother moved to a different one for reasons that will remain unstated.  Over the summers, I got to see her and every summer I got closer to needing her password for the computer.

One summer, the computer was locked with a password because my mother didn't want my other siblings to have access to it, and I got the short end of the stick.

One evening, when my parents were downtown, I decided to have a crack at guessing the password.  I guessed things my mother might have used as the password like her birthday, qwerty, and the like.  After a few guesses, I had a eureka moment and guessed the password she had given to me years earlier back in 2012, hexxxx5Got.  It worked, and after contacting the person I needed to, I decided to have a poke around, because why not?  Maybe I would get caught, but maybe I wouldn't.

Mac OS X has a built-in password-saving application called Keychain, which was where I started.  I had access to an iPad that wasn't yet connected to the Wi-Fi and, if I could only get Wi-Fi on that iPad, I wouldn't need to sneak onto the computer.  It would be more efficient.

So I went into Keychain to acquire the password.  Keychain by default has password protection that most people use to ensure that others can't get into it to get the passwords.  In this pitiful case, the password was "hexxxx5Got", which was my first guess.  I got the Internet password, which surprisingly wasn't the same as the Apple account, computer, and Keychain.  It was a combination of my mother's last name, my brother's name, and some other number.  I quickly memorized that and then got out of the computer.

After finding the iPad, I turned it on.  I was baffled to see that it then had a password on it - probably to keep my siblings out of that too - but I didn't worry about having the short end of the stick.  The password was unsurprisingly "hexxxx5Got".  I entered the Wi-Fi password and was able to use the iPad for the rest of the summer with no problem.  It was easier to sneak around with and more efficient to use for contacting people and for covering my tracks.

0x02 - One Year Later...

After leaving my mother's to start school, I forgot all about the technical adventure I had and lived my life without any problem.  That is, until I went back for this summer.

My siblings used the computer non-stop since the password was taken off and they love their Minecraft videos and make-up tutorials.  Eventually, my stepfather set up the Wi-Fi (using Linksys Smart Wi-Fi Application) to block the computer from the Wi-Fi during the times when neither of my parents was home.  The only way to unlock the Wi-Fi was to go into the Internet browser and log in to the Linksys Smart Wi-Fi Application with an email and password.  The password wasn't the problem because I knew it would be the Internet password, which I could find through Keychain in a minute.  It was amusing that the email address was my problem because everyone always needs the password, but here that just wasn't the case.  Fortunately, they were using Gmail and the Gmail address was saved in the login page.

So I logged into the Linksys Smart Wi-Fi Application and changed the settings so I could go onto the computer in order to do summer homework (high school sucks).

I knew that my stepfather would be able to tell that the computer was connected to the Internet by looking at the status from the app on his phone, but I was able to get the computer incognito so I wouldn't get caught.  I went in, did what I had to do, and then got out and changed the settings back to their previous values to cover my tracks.  To further cover myself, I deleted the history from the previous five minutes on the browser and computer.  Then I poked around in Keychain again.

My mother needs InfoSec training bad.  Her Amazon account details were in there, along with her Social Security Number, LinkedIn, Facebook, Instagram, credit card information, and pretty much every other password she had ever used, at least that she had ever used on that computer.

I didn't need to use any of these, except maybe the credit card information (just kidding, I'm not that rude, and those tracks are harder to cover - as if she would check).

My brother has a tablet which I used for a while, but eventually the Wi-Fi was blocked so my brother couldn't use it, which was no problem for me either.  Basically, I knew every password my mother and stepfather had, along with their socials.  I had another idea as I was trying to crack my mother's phone password so I could amaze her by "guessing" it.

A day earlier, she gave me her account login code for the PS4 so I could play it and, after asking her where she got the seemingly random four-digit combination, she told me plainly, "The last four digits of my Social Security number."  I almost knew that she used her whole Social Security Number for the password since it was nine digits long, as Social Security Numbers are (I tried to get the password to the phone by shoulder surfing, but she put it in too fast for me).

Sure enough, her password was, and still is, her Social Security Number.  I didn't look through her phone because I was already preoccupied, but maybe later!

0x03 - Conclusion

Only my hacker father knows that I know my mother's and stepfather's passwords and everything else, and he won't tell, well... because he's cool.

Even if he does, I'll probably be able to figure the new passwords out anyway.  In the Keychain, there were variants of the password "hexxxx5Got" such as "jexxxx6Got".  While it's good to use variants for a little more password protection and easy memory, it can be dumb if you have a 15-year-old hacker son.

I didn't use any coding or go through any partitions to get passwords - I simply used my tiny amount of knowledge about my mother's passwords and went from there to get almost all of them.  I deleted my passwords from the Keychain so no one could snoop around my stuff and I covered all of my tracks.

In the end, I wound up using my mother's bad InfoSec practices for my own good InfoSec habits.  I was cautious of covering my tracks the whole time in order to maintain good OPSEC.  Even now while I finish this article, I'm doing that.

If my stepfather or mother walks in here, I can switch to the draft email of my summer homework (again, high school sucks), and go back to this when they decide to play Call of Duty again, which they are still doing.

Cheerio!

Happy hacking!
