Saturday, July 26, 2014

Skype Voice recording

In order to record important Skype calls with the consent of the other party, go to the website http://voipcallrecording.com/ and download the free MP3 Skype Recorder tool. The download is an .msi installer file.


Once it is installed on your machine, you just need to open Skype and make a call. Once the call is in progress, select the "ON" button. The lower left-hand corner will show that the tool is recording, and the recorded file will be placed in the pre-selected folder.

Wednesday, May 21, 2014

Spam

Here is a site you can use to reduce some spam coming into your inbox.


Remember, when dealing with spam:

  • Do not click web links inside spam.
  • Do not load the images inside spam.

Doing either of the above tells the spammer that someone is reading mail at that address, and you will get more spam. By default, when you select an email and Outlook shows it in the preview pane (the pane that displays the message on the right-hand side), it does not load images. You would have to click to tell Outlook to load them; do not do this.

You can also select the email and click Ignore in the top left. This will ignore additional emails like it in the future.


Here is a website that can provide you with examples of spam.


Spam worldwide tends to advertise a certain range of goods and services irrespective of language and geography. Spam also reflects seasonal changes: advertisements for Christmas items and car heaters are replaced by air conditioner advertising in the summer.
Spammers constantly extend the range of their offers and are always searching for new ways of attracting unwary users. The list of spam categories is growing, but the share of "new" categories in spam traffic is insignificant, and certain trends are quite evident when spam is broken down by category. This is most apparent in the most widespread types of spam.
Averaged out over the course of the year, 50% of spam falls into the following categories:
1. Adult content
2. Health
3. IT
4. Personal finance
5. Education and training 
If you see web links in an email, hover over the link but do not click it. If the text of the link says it goes to one site, but hovering over it shows a different website than the one you see in the email, that is a clear indicator that the link is malicious.
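The hover check above can be automated for a mail filter: compare the host named in the visible link text with the host in the real target. This is an added example, not part of the original post; the sample text and hrefs are constructed and use the reserved .example domain.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the lowercased host part of a URL-like string into out.
 * Accepts "http://host/path", "host/path" or a bare "host" and stops
 * at '/', ':' or '?'.  Returns 0 when s does not look like a host at
 * all (no dot, or it contains a space), e.g. the words "Click here". */
static int extract_host(const char *s, char *out, size_t outlen)
{
    const char *p = strstr(s, "://");
    size_t n = 0;
    p = p ? p + 3 : s;
    while (p[n] && p[n] != '/' && p[n] != ':' && p[n] != '?' && n + 1 < outlen) {
        out[n] = (char)tolower((unsigned char)p[n]);
        n++;
    }
    out[n] = '\0';
    return n > 0 && strchr(out, '.') != NULL && strchr(out, ' ') == NULL;
}

/* Returns 1 when the visible link text names one host but the real
 * target (what the hover tooltip shows) points at a different one,
 * 0 when they agree or when the text is not a URL and cannot be
 * compared.  Hosts are compared exactly, so "bank.example" in the text
 * versus "www.bank.example" in the href is also reported. */
int link_host_mismatch(const char *visible_text, const char *href)
{
    char shown[256], actual[256];
    if (!extract_host(visible_text, shown, sizeof shown))
        return 0;
    if (!extract_host(href, actual, sizeof actual))
        return 1;
    return strcmp(shown, actual) != 0;
}

int main(void)
{
    /* Constructed sample: the text claims one site, the href goes elsewhere. */
    printf("mismatch=%d\n",
           link_host_mismatch("http://www.mybank.example/login",
                              "http://login-mybank.example/"));
    return 0;
}
```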


Sunday, March 2, 2014

Target getting hacked and creating a better password

Dell released a full report on how Target got hacked. Target lost around 40 million debit and credit card accounts, along with 70 million names, home addresses, email addresses and phone numbers. This is a large corporation, and because of its size it was targeted by hackers. To summarize the report, the hackers were able to gain access to Target's internal server by elevating a built-in account on the deployed Point of Sale (PoS) system. Once they had access, they deployed a piece of malware that skimmed memory in the PoS system. The skimmed memory let it sniff out credit card numbers and drop the data on a server the attackers had deployed internally. Every once in a while they would dump this credit card data because the server would fill up; it was amazing how quickly it filled up. They reported that the server was being emptied every few hours or so.

The username and password were as follows: Username: Best1_user, Password: BackupU$r. Pretty simple, right? It has uppercase, symbols and numbers. The problem, though, is that the password is so simple and it even contains part of the username. As you all may know, a good password contains letters, numbers and symbols and is longer than 8 characters. The problem here is that you aren't supposed to use the username anywhere in the password, and replacing letters like S with $ still counts as using the username within the password. The password should have been a passphrase instead of a pass"word". Something like "This1IsTheBest_user" would have sufficed.

You can also take things a step further by using letters, symbols, numbers, more than 8 characters, and NO words from the dictionary. So use made-up words formed by merging different words together. Say you own a Jeep and a Caterpillar tractor; you could use the password "JeCaterepPiller1970!", where 1970 is the year the tractor was made. Now you have a password that meets all of these criteria:

  • Longer than 8 characters
  • Capital Letters
  • Numbers
  • Symbols
  • Not consisting of all dictionary words

Don't forget that you can include periods between words, which helps satisfy the symbol requirement. So "Jeep.Caterpiller1970!" will suffice as well. Some may argue that you should not use a number sequence like a year, because most people use their birth year, which makes the number portion guessable. Others use the year they got the dog or the year of their Jeep (or tractor). Try to avoid this obviousness and use numbers that don't relate to anything you own. Some may even try "Jeep.Caterpiller70!", but this doesn't solve the problem: a hacker who can easily figure out your birth year is 1970 will try 70 at the end of your password.
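The rules above (longer than 8 characters, uppercase, numbers, symbols, and no username hidden inside the password) can be turned into a checker. This is an added example, not code from the post or from passwordmeter.com; the symbol-for-letter map ($->s, @->a, 3->e, 0->o) is my own choice, and the post's judgment call that "U$r" stands for "user" is not something the code tries to reproduce, so it only rejects the full username after normalization.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
enum { PW_TOO_SHORT = 1, PW_NO_UPPER = 2, PW_NO_DIGIT = 4,   /* rules a password */
       PW_NO_SYMBOL = 8, PW_CONTAINS_USERNAME = 16 };        /* can break (bit mask) */

/* Lowercase s, undo common symbol/digit-for-letter swaps ($->s, @->a, 3->e,
 * 0->o) and drop remaining punctuation, so "B3$t1_user!" becomes "best1user". */
static void normalize(const char *s, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *s && n + 1 < outlen; s++) {
        char c = (char)tolower((unsigned char)*s);
        if (c == '$') c = 's';
        else if (c == '@') c = 'a';
        else if (c == '3') c = 'e';
        else if (c == '0') c = 'o';
        if (isalnum((unsigned char)c))
            out[n++] = c;
    }
    out[n] = '\0';
}
/* Returns 0 when the password meets every rule, otherwise the mask of the
 * rules it breaks. */
int check_password(const char *password, const char *username)
{
    int has_upper = 0, has_digit = 0, has_symbol = 0, problems = 0;
    char npw[256], nuser[256];
    for (const char *p = password; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isupper(c))       has_upper = 1;
        else if (isdigit(c))  has_digit = 1;
        else if (!isalpha(c)) has_symbol = 1;       /* '.', '_', '$', '!' ... */
    }
    if (strlen(password) <= 8) problems |= PW_TOO_SHORT;   /* "longer than 8" */
    if (!has_upper)            problems |= PW_NO_UPPER;
    if (!has_digit)            problems |= PW_NO_DIGIT;
    if (!has_symbol)           problems |= PW_NO_SYMBOL;
    normalize(password, npw, sizeof npw);
    normalize(username, nuser, sizeof nuser);
    if (nuser[0] != '\0' && strstr(npw, nuser) != NULL)
        problems |= PW_CONTAINS_USERNAME;
    return problems;
}

int main(void)
{
    printf("%d\n", check_password("BackupU$r", "Best1_user"));    /* 4: no digit */
    return 0;
}
```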

If you are having issues trying to determine a good password and want to know how well it stands up against a hacking tool, try this website out: http://www.passwordmeter.com/.

You will notice that this website's password checker is also released under the GNU license, so you can download it and use it in your business for free!

I have attached the Dell report from Krebsonsecurity's blog. I would recommend taking a glance/read through his stuff, too.

http://krebsonsecurity.com/wp-content/uploads/2014/01/Inside-a-Targeted-Point-of-Sale-Data-Breach.pdf

Thursday, February 27, 2014

DropBox's Terms of Service (ToS) change


A little while ago, DropBox changed their terms of service to update it with a few things, one of them being government taps. Lots of companies and consumers are concerned with the NSA sniffing data it shouldn't be snooping on. As part of this concern, DropBox has released a new agreement for their users. They have sent emails to their current users, part of which reads as follows:



If you click the link "Government Data Request Principles", you will notice that near the bottom it states:


        "Governments should never install backdoors into online services or compromise infrastructure to obtain user data".

This is great news, because it means the NSA cannot install backdoor taps into DropBox in order to clamp down on people who may be using DropBox for legitimate reasons. If you upload just normal documents, they COULD sniff them and read what they contain. This isn't right, because people have a sense of privacy when they do this, and installing backdoors and reading this content breaks that sense of privacy.

Of course this doesn't apply to people who use DropBox for illegal purposes. The government can still file a subpoena and gain access to your data, and DropBox has to provide them with the data because of the subpoena.

Monday, February 24, 2014

Information gathering

A lot of people think that hacking or cracking is the only way to get sensitive digital data, but in reality there are many other methods. Social engineering, dumpster diving, etc. are other ways to get information the public was never meant to see.

Social engineering is simply making a phone call, knowing the right points of contact and knowing what information you want. Kevin Mitnick was a famous hacker who used this method to gain usernames and passwords from people. http://en.wikipedia.org/wiki/Kevin_Mitnick

An example is as follows: a local IT member gets a call for a password reset from a person posing as an employee of the corporation. Because the company is so large, this IT person does not know everyone and cannot recognize the caller's voice. Let's say the caller starts a casual conversation with the IT person about politics or the game that happened the night before, and says they need access to their account immediately for an important meeting. Once the IT person resets the password and reads it out, the caller has gained access to an account they were never supposed to have. Even if the IT person resets it but never gives out the password, the caller may know through research that reset passwords usually consist of some facets of the user's email address and something else already known, which makes it easy to gain access to the password and the account.

Many companies simply throw out information such as health information or military information in the trash. They don't shred it or do anything else to destroy this sensitive information. Some may even just dump it out back after they empty the office's trash cans. This leaves the data open and vulnerable to prying eyes walking around on the street. One can simply jump in the dumpster and start searching for this data and presto, sensitive information in hand.

So there you have it, some simple ideas and alternatives that you can use to find out sensitive information.

Please remember that performing ANY of these tasks could force you to face legal action from the company whose dumpster you are attempting to gain physical access to, or whom you are calling to find out information. So please do not perform these actions unless you have permission. I am not responsible for any legal repercussions you may face for your actions.

Sunday, February 23, 2014

Apple iOS 7.0.6's patch and the security flaw that prompted the patch

Let's consider a scenario where you need to connect to your bank via a website. How can you ensure that the communication link between you and your bank is secure?

Secure Sockets Layer (SSL), or its newer version, Transport Layer Security (TLS), are two encryption protocols that can be used to make sure that no third party is listening in on your conversation with your bank. When communication between two entities IS intercepted, we call this a Man in the Middle attack, or MitM.

In a MitM attack the victim is communicating with the web server via an SSL connection, while the attacker listens in on this communication and grabs all the sensitive data being transferred between the two. The victim has no idea that this is occurring.


The issue with iOS before 7.0.6 was that the SSL connection was not verified before it was established, which opened the door to MitM attacks. If you have an iPhone, you should update as soon as possible. Currently, OS X does not yet have a patch for this.

You can see the security flaw advisement posted on Apple's website here: http://support.apple.com/kb/HT6147

The description mentions:

iOS 7.0.6

  • Data Security
  • Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
  • Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
  • Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
  • CVE-ID: CVE-2014-1266

"Privileged network position" means that if you and the attacker are sitting in a Barnes & Noble together, he/she can start sniffing your secure connections, which you don't want where banking or any other sensitive information is concerned.

You can see the function below where the issue occurs; look for the duplicated "goto fail;" line.

static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
    OSStatus        err;
    SSLBuffer       hashOut, hashCtx, clientRandom, serverRandom;
    uint8_t         hashes[SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN];
    SSLBuffer       signedHashes;
    uint8_t         *dataToSign;
    size_t          dataToSignLen;

    signedHashes.data = 0;
    hashCtx.data = 0;

    clientRandom.data = ctx->clientRandom;
    clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
    serverRandom.data = ctx->serverRandom;
    serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;

    if(isRsa) {
        /* skip this if signing with DSA */
        dataToSign = hashes;
        dataToSignLen = SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN;
        hashOut.data = hashes;
        hashOut.length = SSL_MD5_DIGEST_LEN;

        if ((err = ReadyHash(&SSLHashMD5, &hashCtx)) != 0)
            goto fail;
        if ((err = SSLHashMD5.update(&hashCtx, &clientRandom)) != 0)
            goto fail;
        if ((err = SSLHashMD5.update(&hashCtx, &serverRandom)) != 0)
            goto fail;
        if ((err = SSLHashMD5.update(&hashCtx, &signedParams)) != 0)
            goto fail;
        if ((err = SSLHashMD5.final(&hashCtx, &hashOut)) != 0)
            goto fail;
    }
    else {
        /* DSA, ECDSA - just use the SHA1 hash */
        dataToSign = &hashes[SSL_MD5_DIGEST_LEN];
        dataToSignLen = SSL_SHA1_DIGEST_LEN;
    }

    hashOut.data = hashes + SSL_MD5_DIGEST_LEN;
    hashOut.length = SSL_SHA1_DIGEST_LEN;
    if ((err = SSLFreeBuffer(&hashCtx)) != 0)
        goto fail;

    if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;

    err = sslRawVerify(ctx,
                       ctx->peerPubKey,
                       dataToSign,      /* plaintext */
                       dataToSignLen,   /* plaintext length */
                       signature,
                       signatureLen);
    if(err) {
        sslErrorLog("SSLDecodeSignedServerKeyExchange: sslRawVerify "
                    "returned %d\n", (int)err);
        goto fail;
    }

fail:
    SSLFreeBuffer(&signedHashes);
    SSLFreeBuffer(&hashCtx);
    return err;
}


SOURCE: http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c?txt

Having an extra "goto fail;" outside of an if statement makes the rest of the function unreachable. The code executes all the way up to that if statement, then takes the unconditional "goto fail;" and never reaches the rest. Because err still holds the 0 returned by the successful SSLHashSHA1.update() call just before it, the function returns success without ever calling sslRawVerify(), so the server's signature is never checked. Apple argues that this code still takes care of MOST SSL connections, but when we are talking about sensitive information, you don't want something that works MOST of the time. You want something that works ALL the time.
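To see the stale-err problem on its own, here is a reduced model of the function above with stub hash and verify steps. This is an added example, not Apple's code; hash_update(), raw_verify() and the status values are constructed stand-ins, with 0 meaning success as in Secure Transport.

```c
#include <stdio.h>

typedef int OSStatus;
/* Constructed status codes: 0 means success, as in Secure Transport. */
enum { errSecSuccess = 0, errBadSignature = -2 };

/* Stand-ins for the real steps: every hash update succeeds, while the
 * server's signature is forged and must be rejected by the verifier. */
static OSStatus hash_update(void) { return errSecSuccess; }
static OSStatus raw_verify(void)  { return errBadSignature; }

/* Same shape as the shipped sslKeyExchange.c: the second, unindented
 * "goto fail;" is not guarded by any if, so it is always taken.  err
 * still holds the 0 from the successful hash_update() just above it,
 * and raw_verify() is never called. */
OSStatus verify_buggy(void)
{
    OSStatus err;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;                       /* unconditional */
    if ((err = hash_update()) != 0)      /* unreachable from here on */
        goto fail;
    if ((err = raw_verify()) != 0)
        goto fail;
fail:
    return err;                          /* 0: "signature verified" */
}

/* Removing the duplicate line restores the signature check. */
OSStatus verify_fixed(void)
{
    OSStatus err;
    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = raw_verify()) != 0)
        goto fail;
fail:
    return err;                          /* -2: forged signature rejected */
}

int main(void)
{
    printf("buggy returns %d, fixed returns %d\n", verify_buggy(), verify_fixed());
    return 0;
}
```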

Saturday, February 22, 2014

Wireshark at a glance

Wireshark, or Ethereal as it was formerly known, is a tool that network administrators can use to sniff packets going across the wire. From this perspective you can view many things, such as login credentials crossing the wire in clear text. You can also diagnose issues that may be occurring in an application your PC is running.

Wireshark captures in promiscuous mode, which allows you to sniff packets going across the network to and from any computer (all traffic).

The way for a network admin to stop this is to create VLANs, or Virtual Local Area Networks. By doing this, they can segment the network into many subgroups and separate them by routers. If this exists in a network, you can only sniff the traffic in your own VLAN.

Go to the following link: http://www.wireshark.org/download.html in order to download Wireshark.

The installation screen will give you the below options.


In order for Wireshark to work, you will need to install WinPcap. Allow it to do so when prompted.


When Wireshark opens, you will see the below screen. You will need to select an interface to listen for traffic on. This option will be under the "Capture" section. Once you select an interface, you can click "Start" and you will start to see traffic.



This is what the next screen will look like. You will of course see many updates happening, which is all the traffic occurring on your network/PC. You can stop the capture by clicking the square red button. This will NOT clear the screen, but it will let you analyze the data more easily.


If you cannot figure out which interface is active, you can click the button under "File" and it will bring up a window that will help you determine which one is active.


To take Wireshark out of promiscuous mode, go to "Capture" and select "Options". This brings up the below window; the circled area is the checkbox you can uncheck, or use to verify that this mode is active.



Now you are ready to start sniffing traffic on your network!

Do not sniff traffic in public places where you do not have permission to be sniffing data. I am not responsible for ANY legal repercussions you may face for the misuse of this blog or product. This information is for educational purposes ONLY.