InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Krebs on Security – Brian Krebs’ blog is a top resource for in-depth investigative reporting on cybersecurity news, data breaches, and the latest threats.
Schneier on Security – Bruce Schneier is a renowned cybersecurity expert, and his blog offers a deep dive into the latest industry developments, policy issues, and encryption technologies.
Dark Reading – This is a top online news source for cybersecurity professionals, covering a wide range of topics such as threat intelligence, vulnerability management, and cybersecurity trends.
The Hacker News – A leading cybersecurity news website that delivers breaking news and analysis on hacking, cybercrime, and cybersecurity issues.
Threatpost – Another popular cybersecurity news and analysis website that covers a broad range of topics, including malware, phishing, data breaches, and more.
SecurityWeek – This website offers the latest information on cybersecurity news, analysis, and research, with a focus on enterprise security, vulnerability management, and threat intelligence.
Graham Cluley – Graham Cluley is a well-known cybersecurity expert who shares his insights and opinions on his blog, covering everything from security news to privacy concerns and cybersecurity culture.
Naked Security by Sophos – This blog by the Sophos cybersecurity company covers a wide range of cybersecurity topics, including malware, phishing, social engineering, and other cyber threats.
SANS Institute – SANS is a trusted cybersecurity training organization, and their blog covers a wide range of cybersecurity topics, including threat intelligence, incident response, and security awareness.
InfoSec Resources – A popular cybersecurity blog that covers a wide range of topics, including cybersecurity news, best practices, and career development.
Most e-commerce platforms rely on a payment gateway and integrate it with a payment strategy that fits the business. Today's e-commerce sites also need to integrate anti-fraud tools, keep stored card details current when cards expire or are reissued, connect to multiple gateways, and support alternative payment methods.
Getting these complex integrations right and bringing them together into one working system is hard; choosing the right tokenization partner is the key to doing so.
What is the tokenization process and why is it needed?
Tokenization is the process of replacing a sensitive value, such as a credit card number (the primary account number, PAN), with a surrogate value, the token, that has no exploitable relationship to the original. Unlike encryption, a token is not derived from the original value with a key; the mapping from token back to PAN exists only in a secured lookup store, the token vault.
Tokens are often format-preserving: they keep the same length and the last four digits of the card number, so receipts and customer-service screens keep working, while the remaining digits are random.
A token can therefore be stored safely in your own database. Anyone who obtains it cannot use it to charge the card. To process a transaction, the token must be mapped back to the original PAN, and this mapping is typically performed by a secure third party (the payment gateway or a tokenization provider), which keeps the PAN out of your systems altogether.
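To make the vault model concrete, here is an added illustrative example (not code from the original article or from any tokenization vendor) of a minimal token vault in Python. It assumes a hypothetical TokenVault class of its own design: tokens keep the card's length and last four digits, the other digits are random, every token is generated so that it fails the Luhn check (so it can never be mistaken for a real card number), and the vault's lookup index is keyed by an HMAC of the PAN rather than the PAN itself. The card numbers used are constructed, standard test numbers.

```python
import hashlib
import hmac
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Illustrative token vault (hypothetical; not any vendor's API).

    tokenize() replaces a PAN with a format-preserving token: same length, same
    last four digits, remaining digits random. Tokens are generated so that they
    FAIL the Luhn check, so one can never be confused with, or used as, a real
    card number. The lookup index is keyed by an HMAC of the PAN, so plaintext
    PANs are never used as dictionary keys; the token->PAN table is the secret
    store that stays inside the PCI DSS scope of whoever operates the vault.
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._token_to_pan: Dict[str, str] = {}   # the protected store
        self._index: Dict[str, str] = {}          # HMAC(PAN) -> token

    def _index_key_for(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a syntactically valid PAN")
        key = self._index_key_for(pan)
        if key in self._index:                # same PAN always maps to the same token
            return self._index[key]
        while True:
            random_part = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = random_part + pan[-4:]    # format-preserving: keep the last four digits
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._index[key] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the party operating the vault (gateway or provider) can do this."""
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    token = vault.tokenize("4111111111111111")       # constructed: a standard test card number
    print("merchant stores:", token, "luhn-valid:", luhn_valid(token))
    print("vault resolves:", vault.detokenize(token))
```

The merchant side only ever sees and stores the token; the vault (and its index key) lives with the provider, which is exactly the boundary that takes the merchant's database out of PCI DSS scope.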
Most people associate blockchain technology only with cryptocurrencies. That is not entirely wrong, since the blockchain was created for Bitcoin. Much has changed since 2009, the year Bitcoin appeared, and the scope of blockchain technology keeps expanding.
One of its applications today is asset tokenization, a form of digitization built on blockchain. Here "tokenization" means assigning a value, which may be a physical or an intangible asset, to a digital "token" that records it. With such a solution you can buy and sell assets online. Note that this asset tokenization shares only a name with the payment-card tokenization described above; the mechanisms and the security goals are different.
Stock markets are an example. Most of us associate stocks and bonds with paper certificates of ownership; tokenization replaces those paper certificates with digital versions. Moving traditional instruments into digital form simplifies and speeds up many processes.
The terms "token" and "cryptocurrency" are often confused and used interchangeably, which is not surprising since both are tied to blockchain technology. The key difference is that a cryptocurrency is the native means of payment of its network, whereas a token is not; a token is closer to a chip or voucher.
A token is created with a smart contract on a specific blockchain network and can perform various functions. A network can host an unlimited number of tokens.
A smart contract is a program deployed on a blockchain network that automatically enforces the terms written into it. Both tokens and cryptocurrencies can be transferred on the network; however, the fees for token transactions are paid in the network's native cryptocurrency.
What information must be provided for tokenization?
Tokenization is most commonly used to protect credit card numbers. The PCI Security Standards Council publishes guidance on it; PCI DSS does not mandate tokenization, but removing card data from your systems with tokens shrinks the scope of a PCI DSS assessment. There are many other use cases, and the same technique protects any confidential data that a business must store reliably.
Consider personal or personally identifiable information. HIPAA and the General Data Protection Regulation (GDPR) require personal data to be processed confidentially, pseudonymised or anonymised where possible, and stored securely. Organizations should consider tokenization whenever they need to store confidential information such as:
ID number;
Date of birth;
Gender or race;
Driverās license;
Credit card number;
Valid phone number;
Bank account number;
Social insurance number;
Current residential address of clients;
Because tokens are so versatile, they are divided into several types with different functions. One key distinction is between fungible tokens (interchangeable with each other, like units of a currency) and non-fungible tokens (each one unique). Another is by purpose: payment tokens are used to make payments, while security tokens are regulated financial instruments that represent shares, bonds or other assets, and the rules governing them exist mainly to protect investors.
Are my tokens safe?
Undoubtedly there are many advantages to using tokens, but is it safe to store data this way? Security is considered one of the main benefits of tokenization. Resilience, irreversibility of transactions and the removal of intermediaries are some of the blockchain characteristics that bear on security.
In addition, smart contracts let parties trade directly. In principle, selling real estate in the form of tokens does not require a notary or an estate agent: everything is done quickly and directly. Whether such a transfer is legally recognised depends on the jurisdiction.
Note that each party must keep the private keys that control its tokens stored securely and protected against loss: because transactions are irreversible, a lost key means a lost asset, and a stolen key means a stolen one. Tokenization in this sense is a form of business digitization based on blockchain technology.
The potential of tokenization is huge and has yet to be fully explored. Tokens come in different types, and their most common use is to digitize assets of many kinds: physical assets, digital assets, projects, company shares, or loans.
What are the different types of tokenization processes?
When it comes to PCI tokens there are three main models: gateway tokenization, end-to-end tokenization and the payment service model.
Gateway tokenization. If you run an e-commerce site, you most likely get paid through a payment gateway. Most gateways can store a customer's card securely on their side and hand you back a token, so that you can charge the card again, issue a refund and then delete the card data. The downside is that each gateway has its own token scheme: its tokens work only with that gateway. Changing gateways therefore means migrating customer card data to the new gateway, a slow and expensive process,
and some gateways do not allow such a migration at all. End-to-end tokenization. Independent tokenization providers offer technology that sits between your e-commerce site and the gateway. These end-to-end providers let you keep your existing gateway integration code: card data is replaced by a token on the way in and restored on the way out to the gateway.
A key advantage of this model is that it reuses existing integrations and can be adopted very quickly. It is also modular: unlike gateway tokenization it is not limited to card payments, and the same tokenization layer can sit in front of most APIs and tokenize data other than card data.
End-to-end tokenization is an evolution of gateway tokenization. It gives a payment solution the freedom to route transactions to different gateways in real time, avoiding costly and time-consuming transfers of card data between payment platforms.
Tokenization processes of various important payment services
The third strategy is the payment service model. It offers a single API that, once integrated, can route payments to multiple gateways. This model suits companies with more complex payment needs.
It works well when a company needs to accept payments in several regions or currencies, or through several gateways. Its disadvantage is that existing gateway integration code cannot be reused.
Beyond reduced PCI DSS scope and better security, the tokenized payment service model has benefits of its own. It simplifies your integration code, and it takes control of your tokens away from the payment gateway: unlike gateway tokens, tokens issued by a third-party provider can be used with any supported gateway.
Tokens issued by a payment gateway cannot be used with a competing gateway. Security and compliance alone are reason enough to adopt tokenization for the data and assets that matter to you, your company and your customers.
The truth is that the security requirements for online payments are hard to implement on your own, and startups in particular often sacrifice security for time to market. Accepting online payments makes your business a target for cybercriminals. Hiring security experts and implementing tokenization properly can save your business time and money in the long run.
Keep these practical tips in mind: choose a reliable tokenization partner; test the tokenization and establish what level of protection the integration actually gives you; and find a vendor that can bring multiple gateways, payment methods and services into a single integration. Tokenization is one of the key technologies needed to connect all of these payment solutions.
A trusted provider keeps full control of the tokens, provides redundancy, reduces your PCI DSS scope and raises the security standards in your business.
What can be tokenized?
The use cases for tokenization keep growing. Since almost anything can be digitized, tokenization is increasingly used in business, and the following projects are some of the most practical examples.
Company digitization involves creating tokens tied to a specific project; such tokens can serve both as a tool for automating processes and as a means of financing. Real estate tokenization is becoming popular worldwide because of transaction speed, fewer intermediaries and security.
Property tokenization means issuing tokens on a blockchain network and linking them to specific properties. The investor then becomes the owner or co-owner of an asset whose shares are represented by tokens.
Using blockchain technology and a purpose-built platform, it is also possible to assign unique identifiers to gems and certain ores so that their authenticity can be verified.
Raw materials registered with such digital identifiers can later be identified by checking their origin, properties and processing history. Keep in mind that the chain only proves what was recorded; it cannot by itself prove that the physical item in hand matches the record, so the registration step still needs a trusted party. NFTs (non-fungible tokens) have the potential to change both the physical and digital art markets: each NFT is unique and not interchangeable with any other, and it can record an interest in the rights to a work of art, which makes investing in art fast and easy.
Welcome to our February 2023 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over personal data.
This month, we look at a UK government warning about a resurgence in Russian cyber attacks and concerns that the much-discussed AI programme ChatGPT could be used for fraud.
UK government warns of Russian-sponsored phishing campaign
The UK government has issued a warning amid an increase in phishing attacks stemming from Russia and Iran.
In an advisory, the NCSC (National Cyber Security Centre) shared details of the campaigns, which appear to be sponsored by the attackers' national governments.
The researchers are most concerned about spear phishing, a targeted form of the fraud. Attackers pick specific individuals and research them online, often using Facebook, LinkedIn or the website of the target's employer.
Although spear phishing emails often contain the same clues as ordinary phishing, they have a much higher success rate. People are more likely to assume a message is genuine when it contains a few specific details about them, such as their name or their place of work.
The NCSC's advisory highlights ongoing campaigns conducted throughout last year by the Russia-based group SEABORGIUM and the Iran-based group TA453, also known as APT42.
Their attacks target specific sectors within the UK, including academia, defence, government organisations, NGOs and think tanks, as well as politicians, journalists and activists.
Commenting on the findings, NCSC Director of Operations Paul Chichester said: "The UK is committed to exposing malicious cyber activity alongside our industry partners and this advisory raises awareness of the persistent threat posed by spear-phishing attacks.
"These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems.
"We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online."
Experts concerned that ChatGPT could be used for scams
ChatGPT has taken the Internet by storm, with the AI-backed tool helping writers and hobbyists create content almost instantly.
The program's advanced language model has been championed by people looking to quickly produce quotes, articles and think pieces. However, cyber security experts warn that another group, scammers, could also embrace the technology.
As Chester Wisniewski, principal research scientist at Sophos, explained, ChatGPT can instantly produce grammatically correct and natural-looking writing, which removes one of the biggest obstacles scammers face when crafting their lures.
"The first thing I do whenever you give me something is figuring out how to break it. As soon as I saw the latest ChatGPT release, I was like, 'OK, how can I use this for bad things?' I'm going to play to see what bad things I can do with it," Wisniewski told TechTarget.
One of those "bad things" he considered was using ChatGPT to write phishing lures.
"If you start looking at ChatGPT and start asking it to write these kinds of emails, it's significantly better at writing phishing lures than real humans are, or at least the humans who are writing them," he said.
"Most humans who are writing phishing attacks don't have a high level of English skills, and so because of that, they're not as successful at compromising people.
"My concerns are really how the social aspect of ChatGPT could be leveraged by people who are attacking us. The one way we're detecting them right now is we can tell that they're not a professional business.
"ChatGPT makes it very easy for them to impersonate a legitimate business without even having any of the language skills or other things necessary to write a well-crafted attack."
Can you spot a scam?
All organisations are vulnerable to phishing, no matter their size or sector, so itās essential to understand how you might be targeted and what you can do to prevent a breach.
This 45-minute course uses real-world examples like the ones weāve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.
Today the specialists of the Cyber Security 360 course of the International Institute of Cyber Security (IICS) walk through Fuzz Faster U Fool (ffuf), a free and easy-to-use web fuzzer driven entirely from the command line, and show how to run it against web servers.
Created by Twitter user @joohoi, ffuf has been praised by security professionals around the world for its capabilities, versatility and ease of use, which make it one of the top choices for web fuzzing.
Before continuing, as usual, we remind you that this article was prepared for informational purposes only and does not represent a call to action; IICS is not responsible for any misuse of the information it contains.
INSTALLATION
According to the experts of the Cyber Security 360 course, ffuf runs in a Linux terminal or a Windows command prompt. Installing from source is a single Go command; the -u flag updates an existing copy:
go get -u github.com/ffuf/ffuf
(With Go 1.17 and later, go get no longer installs binaries; use go install github.com/ffuf/ffuf/v2@latest instead.)
This example uses Kali Linux, where ffuf is in the apt repositories, so a single command installs it:
apt install ffuf
After installation, the -h option prints the help menu:
ffuf -h
INPUT OPTIONS
These parameters supply the data ffuf needs to fuzz a URL: the target and the wordlists.
NORMAL ATTACK
For a basic attack, use -u for the target URL and -w to load the wordlist. The keyword FUZZ in the URL marks where each wordlist entry is inserted:
ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt
Once the command runs, look at the results.
First, note that by default ffuf sends HTTP GET requests.
Only responses whose status code is in the default match set are listed (200, 204, 301, 302, 307, 401, 403 and 405 in the version used here), together with each response's size, word and line counts, and a progress line tracks the attack as it runs.
USING MULTIPLE WORDLISTS
The experts of the Cyber Security 360 course note that a single wordlist is not always enough. ffuf can take several wordlists at once, one of its most attractive features: each -w argument is given as file:KEYWORD, for example -w users.txt:W1 -w pass.txt:W2, and the keywords W1 and W2 are placed in the URL (or request) where the values should be substituted.
Default wordlists often contain comment lines that skew the results; the -ic option makes ffuf ignore them. To suppress the banner and other extra output, use -s (silent mode):
ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt
If this command is run as is, comment lines from the wordlist show up in the results. Adding -s and -ic removes both the comments and the banner.
It is also possible to look for files with specific extensions with the -e option, which takes a comma-separated list (for example -e .php,.html) and appends each extension to every wordlist entry.
Burp Suite is a professional platform for testing the security of web applications. Its Intruder "cluster bomb" attack type uses several payload sets, one for each marked position, and tries every combination. ffuf offers the same with -mode clusterbomb, and several options make it easy to reuse a request captured in Burp: -request loads a raw HTTP request from a file, -request-proto sets the protocol (http or https) to use with that request, and -mode selects the attack mode.
First, submit some random credentials on the target login page with the browser proxied through Burp Suite in intercept mode, so the request is captured.
In the Intercept tab, replace the submitted values with the keywords HFUZZ (in place of the username, the uname field) and WFUZZ (in place of the password, the pass field). Then copy the edited request into a text file named to suit the project; here it was called brute.txt.
Now run the attack: -request brute.txt supplies the captured request, -request-proto http sets the protocol, -mode clusterbomb tries every username with every password, and the wordlists are bound to the keywords with -w users.txt:HFUZZ -w pass.txt:WFUZZ. In this example the wordlists contained SQL injection payloads rather than plain credentials. With these options combined into one command, the attack is launched.
As the results show, some of the SQL injection payloads worked against this login form.
MATCHER OPTIONS
To make ffuf show only the responses that matter, use the matcher options. The experts of the Cyber Security 360 course note that matching can be done on HTTP status code (-mc), response size (-ms), word count (-mw), line count (-ml) and regular expression (-mr).
HTTP CODE
To see the effect, run a simple attack and note which status codes appear in the results:
ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt
The results contain responses with status 302 and status 200.
To see only a specific code, such as 200, add -mc with that number (-mc 200); run the command again to verify that only those results remain.
Similarly, -mw takes a word count and shows only responses with exactly that many words.
REGEXP
The last matcher option is -mr, which matches a regular expression against the response body. Here it is used for LFI fuzzing with a wordlist of path-traversal payloads: a hit is any response containing the pattern root:x, the first line of /etc/passwd.
The target is a URL with a parameter that includes a file, and -mr "root:x" defines the pattern. The wordlist of payloads looks like this:
With that wordlist, -mr is added to the attack command:
We received an HTTP 200 response for the payload that read /etc/passwd.
FILTER OPTIONS
Filter options are the opposite of matchers: they remove unwanted responses from the output. The experts of the Cyber Security 360 course recommend them for stripping noise during web fuzzing. They exist for HTTP status code (-fc), size (-fs), words (-fw), lines (-fl) and regular expressions (-fr).
HTTP CODE
The -fc option takes the status code(s) to drop from the results, for example -fc 404.
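To show what the keyword substitution, the clusterbomb and pitchfork modes, and the matcher and filter options above actually do, here is an added example in Python (not code from the original article and not part of ffuf itself). It re-implements a small subset of ffuf's logic of its own design, multiple keyword wordlists (the -w file:KEYWORD form), -ic, -mc/-mw/-mr and -fc/-fs, and runs it against a constructed fake web server function instead of the network, so it is runnable offline. The host target.test, the fake responses and the credentials admin/letmein are all constructed for the example.

```python
import itertools
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Iterator, List, Optional, Sequence, Tuple


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code and body."""
    status: int
    body: str

    @property
    def size(self) -> int:          # ffuf's "Size" column: body length in bytes
        return len(self.body.encode())

    @property
    def words(self) -> int:         # ffuf's "Words" column
        return len(self.body.split())


@dataclass
class Rules:
    """Subset of ffuf's matcher (-m*) and filter (-f*) options.
    Matchers decide what may be shown; filters then remove from that set."""
    mc: Sequence[int] = (200, 204, 301, 302, 307, 401, 403, 405)  # default -mc set
    mw: Optional[int] = None        # -mw: exact word count
    mr: Optional[str] = None        # -mr: regex the body must match
    fc: Sequence[int] = ()          # -fc: status codes to drop
    fs: Sequence[int] = ()          # -fs: response sizes to drop


def matches(resp: Response, rules: Rules) -> bool:
    if resp.status not in rules.mc:
        return False
    if rules.mw is not None and resp.words != rules.mw:
        return False
    if rules.mr is not None and not re.search(rules.mr, resp.body):
        return False
    if resp.status in rules.fc or resp.size in rules.fs:
        return False
    return True


def load_wordlist(lines: Iterable[str], ignore_comments: bool = False) -> List[str]:
    """Read wordlist lines; with ignore_comments (ffuf's -ic) drop '#' lines."""
    words = []
    for line in lines:
        line = line.rstrip("\r\n")
        if ignore_comments and line.startswith("#"):
            continue
        words.append(line)
    return words


def expand(template: str, wordlists: Dict[str, List[str]], mode: str = "clusterbomb") -> Iterator[str]:
    """Replace every keyword in the template with wordlist entries.
    clusterbomb: every combination (Burp's cluster bomb); pitchfork: entry i of
    each list together. As in ffuf, keywords must not be substrings of one another."""
    names = list(wordlists)
    lists = [wordlists[n] for n in names]
    if mode == "clusterbomb":
        combos = itertools.product(*lists)
    elif mode == "pitchfork":
        combos = zip(*lists)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    for combo in combos:
        url = template
        for name, value in zip(names, combo):
            url = url.replace(name, value)
        yield url


def fuzz(template: str, wordlists: Dict[str, List[str]], send: Callable[[str], Response],
         rules: Rules = Rules(), mode: str = "clusterbomb") -> List[Tuple[str, int, int, int]]:
    """Send every expanded request; return (url, status, size, words) for each hit."""
    hits = []
    for url in expand(template, wordlists, mode):
        resp = send(url)
        if matches(resp, rules):
            hits.append((url, resp.status, resp.size, resp.words))
    return hits


# ---- Constructed stand-in for the target; nothing touches the network ----
FAKE_SITE = {
    "http://target.test/admin/":  Response(301, "Moved Permanently"),
    "http://target.test/images/": Response(200, "<html>Index of /images</html>"),
    "http://target.test/secret/": Response(403, "Forbidden"),
}


def fake_send(url: str) -> Response:
    """Pretend server: three known directories, a login form that accepts only
    admin/letmein (redirect) and answers every other attempt with the same 200
    page, and a 404 for everything else."""
    if url in FAKE_SITE:
        return FAKE_SITE[url]
    if url.startswith("http://target.test/login?"):
        if "user=admin&pass=letmein" in url:
            return Response(302, "Location: /dashboard")
        return Response(200, "Invalid credentials, please try again")
    return Response(404, "Not Found")


if __name__ == "__main__":
    dirs = {"FUZZ": load_wordlist(["admin", "images", "secret", "nope", "# comment"], ignore_comments=True)}
    for hit in fuzz("http://target.test/FUZZ/", dirs, fake_send, Rules(fc=(403,))):
        print(hit)
    creds = {"HFUZZ": ["admin", "guest"], "WFUZZ": ["password", "letmein"]}
    baseline = fake_send("http://target.test/login?user=x&pass=y").size   # size of a failed login
    for hit in fuzz("http://target.test/login?user=HFUZZ&pass=WFUZZ", creds, fake_send, Rules(fs=(baseline,))):
        print(hit)
```

The second run mirrors the practical workflow for login brute forcing: the failed-login page is a 200, so status matching alone shows every attempt; measuring one failure first and filtering its size (-fs) leaves only the response that differs, which is the valid pair.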
Below are ffuf's general options, which relate to the fuzzing process as a whole.
AUTO-CALIBRATION
Calibration in ffuf means sending a few requests with random values before the attack to learn what a "not found" response looks like on this target (for example a catch-all page that answers 200 to everything); responses matching that baseline are then filtered out automatically. The -ac option turns it on, note the experts of the Cyber Security 360 course.
With -acc you can add a custom calibration string (the option can be repeated); in current versions it implies -ac.
If you want to limit how long a fuzzing run may take, use -maxtime, which takes the limit in seconds.
With -maxtime-job the limit applies to each individual job (each recursion level) rather than to the whole run.
With -p the user adds a delay between requests, given in seconds (a range such as 0.1-2.0 gives a random delay). According to the experts of the Cyber Security 360 course this slows the attack down, but it makes it less likely to trip rate limits or overload the target and so gives cleaner results:
ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -p 1
REQUEST RATE
The -rate option caps the number of requests per second; for example, -rate 1 sends one request per second.
Three options control stopping on errors. The first, -se, stops on spurious errors (connection-level errors rather than HTTP responses). The second, -sf, stops the attack when more than 95% of responses are 403 Forbidden, a sign that the target has started blocking the scanner. The third, -sa, combines both.
In the example below, -se is used:
Verbose mode is a feature found in many tools that prints extra information about what the program is doing, which helps with debugging. In ffuf, -v prints the full URL of each result and, for redirects, the Location header.
The -t option sets the number of concurrent threads, 40 by default. Increase it to speed up the scan, at the cost of more load on the target; lower it to slow down.
We may save the results of an attack to keep records, improve readability and look for links between findings. Use -o to name the output file and -of to choose its format.
Once the attack is complete, check that the output file is in the expected format, note the experts of the Cyber Security 360 course. Here the file was written as HTML.
OUTPUT IN CSV FORMAT
Similarly, -of csv writes comma-separated values. For example:
When the attack is complete, check again that the output file is in the expected format; here the file is CSV.
OUTPUT IN ALL AVAILABLE FORMATS
To write the results in every format at once, use -of all. The available formats are json, ejson, html, md, csv and ecsv.
Once the attack is complete, check the files: they were saved in each of these formats.
HTTP OPTIONS
Sometimes fuzzing needs request details such as a raw HTTP request, cookies or extra HTTP headers, note the experts of the Cyber Security 360 course.
TIMEOUT
The -timeout option sets how many seconds ffuf waits for each HTTP request before giving up on it; the default is 10.
RECURSION
According to the experts of the Cyber Security 360 course, recursion here means that whenever a result looks like a directory, ffuf queues a new job that fuzzes inside that directory too. The -recursion option enables it and -recursion-depth limits how deep it goes. Note that recursion only works with the FUZZ keyword and the URL given with -u has to end in it.
There are times when fuzzing is ineffective because the site requires authentication. In those cases, -b passes session cookies, in the form -b "NAME1=VALUE1; NAME2=VALUE2".
The Intruder feature in the free Burp Suite Community Edition is rate-limited: the attack runs slowly and each new attack slows it down further.
In that case you can let ffuf do the work and still use the Burp proxy to collect and evaluate the results. First make sure Burp's proxy listener is running on localhost, port 8080 (its default).
Now add -replay-proxy http://127.0.0.1:8080: ffuf sends the whole attack directly and replays only the matched requests through the proxy set up in the previous step.
The results then show up in two places: in the Kali Linux terminal and in the "HTTP history" tab in Burp Suite. Combining the two makes it easier to understand the target and analyse the results of the attack.
It is common to compare ffuf with tools such as dirb or DirBuster. While ffuf can be used for brute-force attacks, its real appeal lies in its speed and simplicity.
Feel free to visit the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities and information technologies, and for more details about the Cyber Security 360 course.
The MAC address is (or should be) unique to each network interface. If a device has several network interfaces, each has its own MAC address. A laptop, for example, has at least two: wired and Wi-Fi, each with its own MAC address, and desktop computers are usually the same. So when we talk about "changing the MAC address", remember that there are several of them: each port has its own MAC address, and if the device supports wireless networks, each wireless interface (2.4 GHz and 5 GHz) also has its own.
Because a MAC address must be unique, it uniquely identifies the network device, and since that device is part of your computer, it uniquely identifies your computer. Moreover, the MAC address (also called the hardware or physical address) does not change when the operating system is changed.
In short, the MAC address is changed so that the device cannot be tracked and identified by it. But there is a more practical reason than privacy to learn about MAC addresses and about the methods of changing them, or of preventing them from being changed in your system: captive portals identify users by MAC address.
A few words about captive portals. A captive portal is a way of forcing a user to meet certain conditions before being granted Internet access. You meet them most often in public places that offer Wi-Fi to an unspecified set of people but want to identify users or allow access only to people with credentials. At an airport you may have to confirm your phone number by SMS to use the free Wi-Fi; a hotel gives you a username and password for its Wi-Fi so that only guests can use it.
Because of how captive portals work, they identify users by MAC address. Since NetworkManager 1.4.0 (a popular program for managing network connections on Linux), automatic MAC address randomization is built in, and with the wrong settings you can lose Internet access through a captive portal, which no longer recognises your device after its address changes. MAC-based filtering configured on a router breaks in the same way.
For penetration testers there are, of course, further reasons to change the MAC address: for example, to impersonate another user and take advantage of their already-authorised access to the network, or to increase anonymity.
Who can see my MAC address?
The MAC address is used to transfer data on a local network. That is, it is not transmitted when connecting to websites and when accessing the global network. Although there are exceptions: some vulnerabilities allow a person who is not on your local network to find out your MAC address.
If you connect to the router over the local network, then the router knows your MAC address, but if you open a site on the Internet, the site owner cannot find out your MAC address.
All devices on the local network can see each other's MAC addresses (there are many scanners that can collect this data). An example of a local network scan made with arp-scan is shown above. The situation is slightly different for wireless network interfaces. If you are connected to an access point (router), all the rules of the local network apply: the router and other devices can find out your MAC address. But in addition, anyone within reach of your Wi-Fi signal (from a phone or laptop) can find out your MAC address.
SPOOFING MAC ADDRESSES IN NETWORKMANAGER
NetworkManager may reassign a MAC set by other programs
Starting with NetworkManager 1.4.0, the program supports MAC spoofing and has many different options.
To understand them, we need a few concepts.
First, network adapters are either:
wired (ethernet);
wireless (wifi).
For each group, the MAC rules are configured separately.
Secondly, a wireless adapter can be in one of two states:
scanning (searching, not connected to a network): controlled by the property wifi.scan-rand-mac-address, which defaults to yes, meaning that a random MAC address is used during scanning. The other accepted value is no;
connected to a network: controlled by the property wifi.cloned-mac-address, whose default value is preserve.
For the wired interface (set by the property ethernet.cloned-mac-address) and for the wireless interface in the connected state (set by the property wifi.cloned-mac-address) the following values (modes) are available:
an explicitly specified MAC address (i.e. you can write the desired value, and it will be assigned to the network interface)
permanent: use the MAC address burned into the device
preserve: do not change the device's MAC address after activation (for example, if the MAC has been changed by another program, the current address is kept)
random: generate a random address for each connection
stable: similar to random, i.e. a random address is generated for each connection, BUT when connecting to the same network the same value is generated
NULL / not set: this is the default value, which falls back to the global setting. If no global setting is configured, NetworkManager falls back to the value preserve.
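As an added example that is not part of the original article, the following shell helpers illustrate what these modes do with the 48-bit address: how a burned-in, locally administered or multicast address is told apart by its first octet, how a vendor prefix can be kept while the device part is randomised (the advice given later in the ip section for networks that reject unknown vendors), and how a "stable" per-network address can be derived deterministically. The hash-and-secret scheme in mac_stable is an illustration of the stable idea, not NetworkManager's own implementation, and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article. Helpers that show what the
# NetworkManager modes above do with a 48-bit MAC address.
# The derivation in mac_stable is an illustration of the "stable" idea
# (hash of a network id and a machine secret), not NetworkManager's own code.

# Print a SHA-256 hex digest of stdin (sha256sum on Linux, shasum elsewhere).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Return 0 when $1 is a well-formed XX:XX:XX:XX:XX:XX address.
mac_is_valid() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print multicast, local, universal or invalid for $1.
# Bit 0 of the first octet marks a group (multicast) address, bit 1 marks a
# locally administered one. A burned-in address ("permanent" mode) is
# universal and starts with a registered vendor OUI; addresses written by
# the random/stable modes are normally local, which is why a network that
# only accepts known vendors rejects them.
mac_kind() {
    mac_is_valid "$1" || { echo invalid; return 1; }
    first=$(( 0x$(printf '%s' "$1" | cut -c1-2) ))
    if [ $(( first & 1 )) -ne 0 ]; then echo multicast
    elif [ $(( first & 2 )) -ne 0 ]; then echo local
    else echo universal
    fi
}

# Keep a real vendor prefix $1 (e.g. 00:c0:ca) and randomise the three
# device octets, the workaround the article suggests for vendor filtering.
mac_random_prefix() {
    printf '%s' "$1"
    for b in $(od -An -N3 -tu1 /dev/urandom); do
        printf ':%02x' "$b"
    done
    printf '\n'
}

# Deterministic address for network id $1 under machine secret $2: take six
# bytes of the hash, set the local bit and clear the multicast bit so the
# result is a valid unicast, locally administered address. The same inputs
# always give the same address; a different network id gives another one.
mac_stable() {
    hex=$(printf '%s|%s' "$1" "$2" | sha256_hex | cut -c1-12)
    first=$(( (0x$(printf '%s' "$hex" | cut -c1-2) | 0x02) & 0xfe ))
    rest=$(printf '%s' "$hex" | cut -c3-12 | sed 's/../:&/g')
    printf '%02x%s\n' "$first" "$rest"
}

# Constructed demo values; the OUI and burned-in address are the ones the
# article shows in its ip link output.
echo "00:c0:ca:96:cf:cb is $(mac_kind 00:c0:ca:96:cf:cb)"
echo "vendor prefix kept:  $(mac_random_prefix 00:c0:ca)"
echo "stable, CafeWifi:    $(mac_stable CafeWifi example-secret)"
echo "stable, CafeWifi:    $(mac_stable CafeWifi example-secret)"
echo "stable, HotelWifi:   $(mac_stable HotelWifi example-secret)"
```

Running the script twice prints the same two CafeWifi lines and a different HotelWifi line, which is exactly the behaviour the stable mode promises.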
If you try to change the MAC in other ways and fail, it is quite possible that NetworkManager, which changes the MAC according to its own rules, is to blame. Since NetworkManager (with a graphical interface) is installed and running by default on most Linux distributions, to solve the problem you must first understand how NetworkManager works and by what rules.
NETWORKMANAGER CONFIGURATION FILES
NetworkManager settings, including those related to the MAC, can be placed in the file /etc/NetworkManager/NetworkManager.conf or in an additional file with the extension .conf added to the directory /etc/NetworkManager/conf.d
The second option is strongly recommended: when NetworkManager is updated, the main .conf file is usually replaced, so any changes you made to /etc/NetworkManager/NetworkManager.conf would be overwritten.
HOW TO MAKE KALI LINUX REPLACE THE MAC WITH EACH CONNECTION
If you want the MAC address to be replaced on each connection, but the same MAC to be used when connecting to the same network, then the file /etc/NetworkManager/conf.d/mac.conf should contain:
The lines with ethernet.cloned-mac-address and wifi.cloned-mac-address can be added individually or together.
Check the current values:
ip link
Restart the service:
sudo systemctl restart NetworkManager
Now we connect to the wired and wireless networks and check the MAC values again.
As you can see, MAC is replaced for both the wired and wireless interfaces.
As already mentioned, the same addresses are generated for the same networks; if you want different MACs each time, even for the same networks, the lines should look like this:
HOW TO CONFIGURE AUTOMATIC MAC SPOOFING IN UBUNTU AND LINUX MINT
Ubuntu and Linux Mint use NetworkManager versions that support automatic MAC configuration. However, if you connect a Wi-Fi card to Ubuntu or Linux Mint, you will see the real MAC. This is because the file /etc/NetworkManager/NetworkManager.conf tells it not to spoof:
Similarly, you can add lines to replace the MAC (these settings create a new address for each connection, but the same address is used when connecting to the same networks):
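The configuration listings that this section and the Kali section above refer to did not survive on this page. As an added example, not the article's own listing, here is a constructed /etc/NetworkManager/NetworkManager.conf resembling the Ubuntu default that disables randomisation during scanning, a constructed conf.d/mac.conf that requests the stable mode for both interface types, and a small shell helper that resolves which mode applies using the article's rule that an unset key falls back to preserve. It assumes, as the article's advice to use conf.d implies, that a key in a conf.d file overrides the same key in the main file.

```shell
#!/bin/sh
# Added example, not from the original article. Constructed sample
# configuration files plus a helper that resolves the effective MAC mode.
# Assumption: a file in conf.d overrides the same key in NetworkManager.conf.

# Sample resembling the Ubuntu/Mint default: no randomisation while scanning.
# (Change "no" to "yes" to randomise the address during scanning.)
NM_MAIN_CONF=$(cat <<'EOF'
[main]
plugins=ifupdown,keyfile

[ifupdown]
managed=false

[device]
wifi.scan-rand-mac-address=no
EOF
)

# Sample /etc/NetworkManager/conf.d/mac.conf: a new address per connection,
# but the same one whenever the same network is joined ("stable").
# Use "random" instead of "stable" for a different address every time.
MAC_CONF=$(cat <<'EOF'
[connection]
ethernet.cloned-mac-address=stable
wifi.cloned-mac-address=stable
EOF
)

# Print the value of key $2 in section [$1] from the ini text on stdin;
# print nothing when the key is absent.
conf_get() {
    awk -v sect="[$1]" -v key="$2" '
        /^\[/ { in_sect = ($0 == sect); next }
        in_sect && index($0, key "=") == 1 { sub(/^[^=]*=/, ""); print; exit }
    '
}

# Effective cloned-mac-address for interface type $1 (wifi or ethernet),
# given the main config text $2 and the conf.d text $3. The conf.d value
# wins; if neither file sets the key, NetworkManager uses "preserve".
effective_mode() {
    v=$(printf '%s\n' "$3" | conf_get connection "$1.cloned-mac-address")
    [ -n "$v" ] || v=$(printf '%s\n' "$2" | conf_get connection "$1.cloned-mac-address")
    printf '%s\n' "${v:-preserve}"
}

# Effective wifi.scan-rand-mac-address given main text $1 and conf.d text $2:
# same precedence, and the documented default is "yes".
effective_scan_rand() {
    v=$(printf '%s\n' "$2" | conf_get device wifi.scan-rand-mac-address)
    [ -n "$v" ] || v=$(printf '%s\n' "$1" | conf_get device wifi.scan-rand-mac-address)
    printf '%s\n' "${v:-yes}"
}

echo "wifi connected mode:     $(effective_mode wifi "$NM_MAIN_CONF" "$MAC_CONF")"
echo "ethernet connected mode: $(effective_mode ethernet "$NM_MAIN_CONF" "$MAC_CONF")"
echo "wifi scanning random:    $(effective_scan_rand "$NM_MAIN_CONF" "$MAC_CONF")"
echo "wifi mode, no config:    $(effective_mode wifi '' '')"
```

To check a live system, replace the two sample strings with the contents of the real files (for example via `cat /etc/NetworkManager/NetworkManager.conf`), remembering that the stable/random result only becomes visible in ip link output once a connection is made.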
We will use the program ip, which is part of the iproute2 package.
Let's start by checking the current MAC address with the command:
ip link show interface_name
Where interface_name is the name of the particular network interface you want to inspect. If you do not know the name, or want to see all interfaces, run the command like this:
ip link show
At the moment we are interested in the part after link/ether, which is a 6-byte number. It looks something like this:
link/ether 00:c0:ca:96:cf:cb
The first step in spoofing the MAC address is to bring the interface down. This is done with the command
sudo ip link set dev interface_name down
Where interface_name is replaced with the real name. In my case it is wlan0, so the real command looks like this:
sudo ip link set dev wlan0 down
Next, we proceed to the MAC spoofing itself. You can use any hexadecimal value, but some networks may be configured not to assign IP addresses to clients whose MAC address does not match any known vendor (manufacturer). In such cases, to connect successfully, use the MAC prefix of a real vendor (the first three bytes) and arbitrary values for the remaining three bytes.
To change the MAC, run the command:
sudo ip link set dev interface_name address XX:XX:XX:XX:XX:XX
Where XX:XX:XX:XX:XX:XX is the desired new MAC.
For example, I want to set the hardware address EC:9B:F3:68:68:28 for my adapter, so the command looks like this:
sudo ip link set dev wlan0 address EC:9B:F3:68:68:28
In the last step, we bring the interface back up. This is done with a command of the form:
sudo ip link set dev interface_name up
For my system, the real command:
sudo ip link set dev wlan0 up
If you want to check that the MAC has really changed, just run the command again:
ip link show interface_name
The value after link/ether should be the one you set.
CHANGE MAC WITH MACCHANGER
Another method uses macchanger (also known as GNU MAC Changer). This program offers various functions, such as changing the address so that it matches a particular manufacturer, or randomizing it completely.
Install macchanger: it is usually present in the official repositories, and in Kali Linux it is installed by default.
At the time the MAC is changed, the device must not be in use (connected in any way, or in the up state). To bring the interface down:
sudo ip link set dev interface_name down
For spoofing, you need to specify the interface name; in each of the following commands, replace wlan0 with the name of the interface whose MAC you want to change.
To find out the MAC values, run the command with the -s option:
sudo macchanger -s wlan0
Something like:
Current MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)
Permanent MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)
The "Current MAC" line is the address at the moment, and "Permanent MAC" is the permanent (real) address.
To spoof the MAC address to a completely arbitrary address (option -r):
The first two lines have already been explained; the "New MAC" line shows the new address.
To randomize only the bytes that identify the device, keeping the vendor part of the current MAC address (i.e. if someone looks up the MAC address, it will still appear to be from the same vendor), run the command (option -e):
sudo macchanger -e wlan0
To set the MAC address to a specific value, run (option -m):
sudo macchanger -m XX:XX:XX:XX:XX:XX wlan0
Here XX:XX:XX:XX:XX:XX is the MAC you want to change to.
Finally, to return the MAC address to the original, permanent value burned into the hardware (option -p):
sudo macchanger -p wlan0
CONCLUSION
NetworkManager currently provides a wealth of MAC spoofing capabilities, including changing to a random address or to a specific one. A peculiarity of NetworkManager is the separation of the "scanning" and "connected" modes, i.e. you may not see that the settings you made have taken effect until you connect to a network.
If after changing the MAC you have problems connecting (you cannot connect to wired or wireless networks), this means that connections with a MAC from an unknown vendor (manufacturer) are blocked. In this case, you need to use the first three octets (bytes) of a real vendor; the remaining three octets can be arbitrary, say pentesting experts.
Your email address has become a digital bread crumb for companies to link your activity across sites. Hereās how you can limit this.
When you browse the web, an increasing number of sites and apps are asking for a piece of basic information that you probably hand over without hesitation: your email address.
It may seem harmless, but when you enter your email, you're sharing a lot more than just that. I'm hoping this column, which includes some workarounds, persuades you to think twice before handing over your email address.
First, it helps to know why companies want email addresses. To advertisers, web publishers and app makers, your email is important not just for contacting you. It acts as a digital bread crumb for companies to link your activity across sites and apps to serve you relevant ads.
If this all sounds familiar, that's because it is.
For decades, the digital advertising industry relied on invisible trackers planted inside websites and apps to follow our activities and then serve us targeted ads. There have been sweeping changes to this system in the past few years, including Apple's release of a software feature in 2021 allowing iPhone users to block apps from tracking them and Google's decision to prevent websites from using cookies, which follow people's activities across sites, in its Chrome browser by 2024.
Advertisers, web publishers and app makers now try to track people through other means, and one simple method is by asking for an email address.
Imagine if an employee of a brick-and-mortar store asked for your name before you entered. An email address can be even more revealing, though, because it can be linked to other data, including where you went to school, the make and model of the car you drive, and your ethnicity.
"I can take your email address and find data you may not have even realized you've given to a brand," said Michael Priem, the chief executive of Modern Impact, an advertising firm in Minneapolis. "The amount of data that is out there on us as consumers is literally shocking."
Advertising tech is continuing to evolve, so it helps to understand what exactly you're sharing when you enter in an email address. From there, you can decide what to do.
Your email address has become a potent piece of data.
For many years, the digital ad industry has compiled a profile on you based on the sites you visit on the web. Information about you used to be collected in covert ways, including the aforementioned cookies and invisible trackers planted inside apps. Now that more companies are blocking the use of those methods, new ad targeting techniques have emerged.
One technology that is gaining traction is an advertising framework called Unified ID 2.0, or UID 2.0, which was developed by the Trade Desk, an ad-technology company in Ventura, Calif.
Say, for example, you are shopping on a sneaker website using UID 2.0 when a prompt pops up and asks you to share your email address and agree to receive relevant advertising. Once you enter your email, UID 2.0 transforms it into a token composed of a string of digits and characters. That token travels with your email address when you use it to log in to a sports streaming app on your TV that uses UID 2.0. Advertisers can link the two accounts together based on the token, and they can target you with sneaker ads on the sports streaming app because they know you visited the sneaker website.
Since your email address is not revealed to the advertiser, UID 2.0 may be seen as a step up for consumers from traditional cookie-based tracking, which gives advertisers access to your detailed browsing history and personal information.
"Websites and apps are increasingly asking for email authentication in part because there needs to be a better way for publishers to monetize their content that's more privacy-centric than cookies," Ian Colley, the chief marketing officer of the Trade Desk, said in an email. "The internet is not free, after all."
However, in an analysis, Mozilla, the nonprofit that makes the Firefox web browser, called UID 2.0 a "regression in privacy" because it enabled the type of tracking behavior that modern web browsers were designed to prevent.
There are simpler ways for websites and apps to track your web activity through your email address. An email could contain your first and last name, and assuming you've used it for some time, data brokers have already compiled a comprehensive profile on your interests based on your browsing activity. A website or an app can upload your email address into an ad broker's database to match your identity with a profile containing enough insights to serve you targeted ads.
The bottom line is that if you're wondering why you are continuing to see relevant ads despite the rise of privacy tools that combat digital tracking, it's largely because you are still sharing your email address.
So what to do?
There are various options for limiting the ability of advertising companies to target you based on your email address:
Create a bunch of email addresses. Each time a site or an app asks for your email, you could create a unique address to log in to it, such as, for example, netflixbrianchen@gmail.com for movie-related apps and services. That would make it hard for ad tech companies to compile a profile based on your email handle. And if you receive spam mail to a specific account, that will tell you which company is sharing your data with marketers. This is an extreme approach, because it's time-consuming to manage so many email addresses and their passwords.
Use email-masking tools. Apple and Mozilla offer tools that automatically create email aliases for logging in to an app or a site; emails sent to the aliases are forwarded to your real email address. Apple's Hide My Email tool, which is part of its iCloud+ subscription service that costs 99 cents a month, will create aliases, but using it will make it more difficult to log in to the accounts from a non-Apple device. Mozilla's Firefox Relay will generate five email aliases at no cost; beyond that, the program charges 99 cents a month for additional aliases.
When possible, opt out. For sites using the UID 2.0 framework for ad targeting, you can opt out by entering your email address at https://transparentadvertising.org. (Not all sites that collect your email address are using UID 2.0, however.)
You could also do nothing. If you enjoy receiving relevant advertising and have no privacy concerns, you can accept that sharing some information about yourself is part of the transaction for receiving content on the internet.
I try to take a cautious but moderate approach. I juggle four email accounts devoted to my main interests: food, travel, fitness and movies. I'll use the movie-related email address, for example, when I'm logging in to a site to buy movie tickets or stream videos. That way, those sites and apps will know about my movie preferences, but they won't know everything about me.
The Ohio-based airline, CommuteAir, responsible for the incident confirmed the legitimacy of the data to the media.
The No Fly List and other sensitive files were discovered by Maia Arson Crimew, a Swiss security researcher and hacker, while searching for Jenkins servers on Shodan.
A Swiss hacker by the name of Maia Arson Crimew discovered an unsecured server run by the Ohio-based airline, CommuteAir, a United Express carrier. The hacker claims they found the server while searching for Jenkins servers on Shodan, a specialized search engine used by cybersecurity researchers to locate exposed servers and misconfigured databases on the Internet.
After a while of skimming through the files, Crimew claimed to have found a file labelled "NoFly.csv," which turned out to be a legitimate U.S. no-fly terrorist watch list from 2019.
The 80-MB exposed file, first reported on by the Daily Dot, is a smaller subset of the U.S. government's Terrorist Screening Database, maintained and used by the DOJ, FBI, and Terrorist Screening Center (TSC).
With over 1.5 million entries, the file contains the first names, last names, and dates of birth of people with suspected or known ties to terrorist organizations.
This should not come as a surprise, since the US (along with China) topped the 2021 list of countries that exposed the most misconfigured databases online.
The leak of the No Fly List should not be a jaw-dropper, as in August 2021 the US government's secret terrorist watchlist with two million records was exposed online. However, that watchlist was exposed on a misconfigured server hosted on a Bahrain IP address instead of a US one.
As for the latest breach, CommuteAir confirmed the legitimacy of the data, stating that it was a version of the federal no-fly list from approximately four years ago. CommuteAir told the Daily Dot that the unsecured server had been used for testing purposes and was taken offline before the Daily Dot published their article.
They have also reported the data exposure to the Cybersecurity and Infrastructure Security Agency (CISA). CommuteAir further confirms that the server did not expose any customer information, based on an initial investigation. However, the same cannot be said for the safety of the employees' data.
On the other hand, the hacker, Crimew, claims in their report to have found extensive personally identifiable information (PII) about 900 of the crew members, including their full names, addresses, phone numbers, passport numbers, pilot's license numbers and much more. User credentials to more than 40 Amazon S3 buckets and servers run by CommuteAir were also exposed, said Crimew.
Screenshot from the exposed data (Credit: Maia Arson Crimew)
The list contained notable figures such as the Russian arms dealer Victor Bout who was recently freed in exchange for the WNBA star Brittney Griner. Since the list contained over 16 potential aliases for him, many other entries in the list are likely aliases of the same person and the number of individuals is far less than 1.5 million.
Certain names on the list also belong to suspected members of the IRA, the Irish paramilitary organization. The list contained someone as young as 8 years old, based on their birth date, according to Crimew.
The majority of the names, however, appeared to be of Arabic or Middle Eastern descent, along with Hispanic and Anglican-sounding names. The entire dataset is available on the official website of DDoSecrets, upon request.
Although it is rare for this list to be leaked and is considered highly secretive, it is not labelled as a classified document due to the number of agencies and individuals that access it.
In a statement to the Daily Dot, TSA stated that it was "aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners."
During the month of November, researchers at the cybersecurity firm LookingGlass examined the most significant vulnerabilities in the financial services industry in the United States.
The company looked at assets with public internet-facing assets from more than 7 million IP addresses in the industry and discovered that a seven-year-old Remote Code Execution vulnerability affecting Microsoft Windows was at the top of the list.
According to CISA, the "Financial Services Sector includes thousands of depository institutions, providers of investment products, insurance companies, other credit and financing organizations, and the providers of the critical financial utilities and services that support these functions."
Reports stated that the industry employs about 8 million Americans and contributes $1.5 trillion, or 7.4% of the nation's overall GDP.
Microsoft Exchange Vulnerabilities
A critical remote code execution vulnerability, tracked as CVE-2015-1635 and affecting Microsoft Windows, has been around for seven years and was observed over 900 times in the financial sector.
If this vulnerability is exploited successfully, a remote attacker can trigger a buffer overflow and execute arbitrary code with system privileges.
The next most often exploited vulnerability was (CVE-2021-31206), which affects Microsoft Exchange Servers. Reports say in the month of November, this vulnerability was exploited 700 times in the financial services industry in the United States.
Top list of vulnerabilities in the financial services sector
"Our data holdings attribute roughly 7 million of these to the U.S. financial services sector, which includes insurance companies, rental & leasing companies, and creditors, among other subsectors", explain LookingGlass researchers.
According to recent reports from the U.S. Department of Treasury, ransomware attacks alone cost U.S. financial institutions close to $1.2 billion in 2021, a nearly 200% increase from the year before.
The Financial Crimes Enforcement Network (FinCEN) of the Treasury identified Russia as the main source of numerous ransomware variants hitting the industry in its study.
The open-source jsonwebtoken (JWT) library is affected by a high-severity security flaw that could lead to remote code execution.
The open-source JsonWebToken (JWT) library is affected by a high-severity security flaw, tracked as CVE-2022-23529 (CVSS score: 7.6), that could lead to remote code execution.
The package is maintained by Auth0; it had over 9 million weekly downloads as of January 2022 and is used by more than 22,000 projects.
The flaw was discovered by Unit 42 researchers. It can be exploited by threat actors by tricking a server into verifying a maliciously crafted JSON web token (JWT) request.
"By exploiting this vulnerability, attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request," reads the advisory published by Palo Alto Networks. "With that being said, in order to exploit the vulnerability described in this post and control the secretOrPublicKey value, an attacker will need to exploit a flaw within the secret management process."
JsonWebToken is an open-source JavaScript package that allows users to verify/sign JSON web tokens (JWT).
The flaw affects JsonWebToken package versions 8.5.1 and earlier; version 9.0.0 addresses the issue.
"For versions <=8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE)," reads the advisory published on GitHub. "You are affected only if you allow untrusted entities to modify the key retrieval parameter of the jwt.verify() on a host that you control."
Vulnerabilities in open-source projects are very dangerous, threat actors could exploit them as part of supply chain attacks that can impact any projects relying on them.
"Open source projects are commonly used as the backbone of many services and platforms today. This is also true for the implementation of sensitive security mechanisms such as JWTs, which play a huge role in authentication and authorization processes," concludes Palo Alto. "Security awareness is crucial when using open source software. Reviewing commonly used security open source implementations is necessary for maintaining their dependability, and it's something the open source community can take part in."
Below is the timeline for this vulnerability:
July 13, 2022: Unit 42 researchers sent a disclosure to the Auth0 team under responsible disclosure procedures
July 27, 2022: Auth0 team updated that the issue was under review
Aug. 23, 2022: Unit 42 researchers sent an update request
Aug. 24, 2022: Auth0 team updated that the engineering team was working on the resolution
Dec. 21, 2022: A patch was provided by the Auth0 engineering team
11 of the world’s top cyber security experts gather to discuss how to protect ourselves against cybercrime. Includes interviews with Rob Boles, Jesse Castro, Michael Einbinder-Schatz, Rick Jordan, Konrad Martin, Rene Miller, Paul Nebb, Will Nobles, Adam Pittman, Leia Shilobod, and Peter Verlezza.
Cybersecurity awareness is no longer a "nice to have"; in fact, it has become a fundamental part of your corporate training process across all levels and aspects of your business.
Would you leave your business unlocked and open to all comers? Of course not, but if you don't have solid cybersecurity in place, that's effectively what you're doing! As the business world becomes a digital space, security has also become a digital matter.
One cybercriminal can wreak havoc if unchecked, and our potential flashpoints for vulnerabilities are growing daily. Nor is this something you can achieve alone: a great IT security team is one thing, but if one of your other workers leaves the metaphorical door unlocked, you'll still be in trouble.
With top-down training boosted with the power of video, however, security can become a simple matter.
A Growing Risk
The average cost per company of a data breach is over $4 million. Cybercrime currently costs companies globally $8.4 trillion a year, and that is expected to soar to $23 trillion (or more) by 2027. Fortunately, there's a lot you can do to mitigate your risk and keep your company out of those stats.
Humans are, and will remain, the weakest link in any business's digital security. Just as a thoughtless individual can leave a door unlocked and bypass your multi-million dollar security system in a heartbeat, one wrong move from an employee and even the best cybersecurity comes tumbling down.
It's critical that all people in your organization are aware of cybersecurity risks, know the best practices for data and network security, and understand the consequences of laziness leading to cybersecurity failures.
Cybersecurity Awareness Training
It's a simple idea: using a technical approach to proactively educate employees, ensuring that awareness of data privacy, identity, and digital assets permeates every level of your organization. This will immensely reduce your risk of cybersecurity breaches. In turn, that means fewer financial losses from this type of crime, making it a solid return on investment.
And being cybersecurity-aware will have knock-on positives in your reputation with consumers, making you seem more trustworthy and desirable. Prevention of security issues means no loss of brand reputation, too.
The Learning Gap
Of course, your training is only as good as its retention rate. Cybersecurity training for employees can't be some dull, dusty lecture or 500-page Word document that's unengaging, boring, and packed with jargon, or you may as well not waste your time. It's critical that staff feel empowered by their new skills, and that the material comes across as simple to understand and easy to implement.
We all know that video is one of the most powerful storytelling formats out there. From the power of video shorts and reels for marketing to the way a great TV program can unite us, it's a format that delivers punchy messages in an engaging way.
Unlike text, where aspects like reading level can play a role, everyone can engage with video. Plus you have the benefit of being able to condense a lot of information into short, pithy, and easy-to-retain factoids. You can power that up further with the power of AI, making videos simple to create, engaging, and easy to update and adapt without a huge financial outlay.
Using a simple text-to-speech format, you can create compelling, entertaining, and educational content that will help keep every member of your organization aware of cybersecurity risks and qualified to prevent them from occurring.
Cybersecurity awareness is no longer a "nice to have". It's an absolutely essential part of your corporate training process, across all levels and aspects of your business. With the power of simple-to-use AI video on your side, creating engaging learning programs to keep staff informed and ahead of cyber criminals is a simple matter, so don't delay in addressing this critical aspect of business security today.