InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services
Feb 08 2023
Why Browsers are Essential to the Internet and How Operating Systems are Holding Them Back
Jan 31 2023
RANSOMWARE investigation OSINT Threathunting
Jan 30 2023
HOW TO FIND ZERO-DAY VULNERABILITIES WITH FUZZ FASTER U FOOL (FFUF): DETAILED FREE FUZZING TOOL TUTORIAL
Today, the specialists of the Cyber Security 360 course of the International Institute of Cyber Security (IICS) will show us in detail the use of Fuzz Faster U Fool (ffuf), a free and easy-to-use fuzzing tool, using the command line method for configuration on web servers.
Created by Twitter user @joohoi, cybersecurity professionals around the world have praised ffuf for its advanced capabilities, versatility, and ease of use, making it one of the top choices in fuzzing.
Before keep going, as usual, we remind you that this article was prepared for informational purposes only and does not represent a call to action; IICS is not responsible for the misuse that may occur to the information contained herein.
INSTALLATION
According to the experts of the Cyber Security 360 course, ffuf runs on a Linux terminal or Windows command prompt. Upgrading from the source code is no more difficult than compiling, except for the inclusion of “-u”.
| 1 | go get -u github.com/ffuf/ffuf |
For this example Kali Linux was used, so you will find ffuf in the apt repositories, which will allow you to install it by running a simple command.
| 1 | apt install ffuf |
After installing this program, you can use the “-h” option to invoke the help menu.
| 1 | ffuf –h |
ENTRY OPTIONS
These are parameters that help us provide the data needed for a web search of a URL using word lists.
NORMAL ATTACK
For a normal attack, use the parameters “-u” for the target URL and “-w” to load the word list.
| 1 | ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt |
After you run the command, you will need to focus on the results.
- First, it’s worth noting that by default it works on HTTP using the GET method
- You can also view the status of the response code (200, 204, 301, 302, 307, 401, 403, and 405). You can track the progress of the attack being performed
USING MULTIPLE WORD LISTS
The experts of the Cyber Security 360 course mention that a single list of words is not always enough to get the desired results. In these cases, you can apply multiple word lists at the same time, one of the most attractive functions of ffuf. In this example, we have granted the program access to two dictionaries (txt:W1 and txt:W2), which the tool will run at the same time:
| 1 | ffuf -u https://ignitetechnologies.in/W2/W1/ -w dict.txt:W1 -w dns_dict.txt:W2 |
IGNORE A COMMENT IN A WORD LIST
Usually, the default word list has some comments that can affect the accuracy of the results. In this case, we can use the “-ic” parameter to delete the comments. Also, to remove any banners in the tools used, use the “-s” parameter:
| 1 | ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt |
Here we can notice that some comments are shown in the results if the above command is executed. After using the “-s” and “-ic” parameters, all comments and banners will be removed.
| 1 | ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt -ic –s |
EXTENSIONS
It is also possible to search for a file with a specific extension on a web server using the “-e” option. All you need to do is specify the extension and name of the file along with the parameter in the appropriate command format:
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -e .php |
DIFFERENT QUERIES AND MODES
Burp Suite is a professional platform for monitoring the security of web applications. The “cluster bomb” function allows using multiple payloads, mention the experts of the Cyber Security 360 course. There is a separate payload package for each given location; the attack goes through each payload packet one by one, checking all possible options.
There are several parameters of this tool that make it easy to use the script. For example, the “-request” parameter allows you to use the request in an attack, while “-request-proto” allows you to define the parameter itself, and “-mode” helps you choose the attack mode.
First, random credentials are used on the target URL page and the proxy server is configured to capture the request in interception mode in Burp Suite.
Now, on the Intercept tab, you need to change the credentials provided by adding HFUZZ and WFUZZ. HFUZZ is added before “uname” and WFUZZ before “pass”. Then, you need to copy and paste this query into the text and name according to the purposes of the project. In this case, the file was named as brute.txt.
Later we will move to the main attack mode, where the “-request” parameter contains a “-request-proto” text file that will help you create a prototype of http, and “-mode” will be responsible for the “cluster bomb” attack. The lists of words in question (users.txt and pass.txt) consist of SQL injections. By entering the following command, an attack will be launched:
| 1 | ffuf -request brute.txt -request-proto http -mode clusterbomb -w users.txt:HFUZZ -w pass.txt:WFUZZ -mc 200 |
As you can see from the results of the attack, SQL injections have been successfully found to be effective for this specific purpose.
MAPPING OPTIONS
If we want the ffuf to show only the data that is important for web fuzzing, we must pay attention to these parameters. For example, it can be HTTP code, strings, words, size and regular expressions, mention the experts of the Cyber Security 360 course.
HTTP CODE
To understand this configuration, you should consider a simple attack on which you will be able to see which HTTP codes appear in the results.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt |
It is clear that the codes 302 HTTP and 200 HTTP were received.
If you want to see specific attacks, such as HTTP code 200, you must use the “-mc” parameter along with a specific number. To verify that this parameter works, you just need to run the following command:
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -mc 200 |
LINE
The tool returns results for specific lines in the file using the “-ml” parameter. We can use it by specifying the strings we need.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -ml 15 |
WORDS
Similarly, since the above options correspond to a function, you can provide a result with a certain number of words. For this, use the “-mw” parameter along with the number of words you want to see in the results.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -mw 53 |
SIZE
It is also possible to use the “-ms” parameter along with the specific size you want to see in the results.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -ms 2929 |
REGULAR EXPRESSIONS
This is the last of all the mapping options available in ffuf. LFI fuzzing will be applied by matching the string to the subsequent “root:x” pattern for this dictionary.
A URL is used that can provide this functionality, and with the “-mr” parameter, the corresponding string “root:x” is defined. This is what a special list of words looks like.
Using this list of words, we enter the following command to add the “-mr” parameter to the attack script:
| 1 | ffuf -u http://testphp.vulnweb.com/showimage.php?file=FUZZ -w dict2.txt -mr "root:x" |
We received the http 200 response for /etc/passwd for this list of words.
FILTERING OPTIONS
Filtering options are the exact opposite of matching parameters. The experts of the Cyber Security 360 course recommend using these options to remove unnecessary elements during web fuzzing. It also applies to HTTP code, strings, words, size, and regular expressions.
HTTP CODE
The “-fc” parameter requires a specific HTTP status code that the user wants to remove from the results.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fc 302 |
LINE
With the help of the “-fl” parameter, it is possible to remove a certain row from the result or filter it from the attack.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fl 26 |
SIZE
The “-fs” option allows you to filter the specified size described by the user during the attack.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fs 2929 |
WORDS
The “-fw” option allows you to filter the number of words of the results that the user wants to receive.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fw 83 |
REGULAR EXPRESSIONS
The “-fr” option allows you to delete a specific regular expression. In this case, we will try to exclude the log files from the results.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fr "log" |
GENERAL PARAMETERS
Below are the general parameters of this tool, which are completely related to the web fuzzing process.
AUTOMATIC CUSTOM CALIBRATION
Calibration is the process of providing a measuring instrument with the information it needs to understand the context in which it will be used. When collecting data, calibrating your computer ensures that the process works accurately, mention the experts of the Cyber Security 360 course.
We can adjust this function according to the needs in each case using the “-acc” parameter, which cannot be used without the “-ac” parameter.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -acc -ac -fl 26 -ac -fs 2929 -ac -fw 54 |
COLOR
Sometimes color separation helps identify relevant details in the results. The “-c” parameter helps to divide the data into categories.ç
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt –c |
MAXIMUM TASK EXECUTION TIME
If you want to apply fuzzing for a limited period of time, you can use the “-maxtime” parameter. You must enter a command to specify the selected time interval.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -maxtime 5 |
MAXIMUM TURNAROUND TIME
Using the “-max time-job” parameter, the user can set a time limit for a specific job. With this command, you can limit the time it takes to complete a task or query.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -maxtime-job 2 |
DELAY
Using the “-p” parameter, the user will add a slight delay for each request offered by the attack. According to the experts of the Cyber Security 360 course, with this feature the consultation becomes more efficient and provides clearer results.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -p 1 |
QUERY SPEED
We can select the request speed you need for each of the attacks using the “-rate” parameter. For example, we can create one request per second according to the desired attack.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -rate 500 |
ERROR FUNCTIONS
There are three parameters that support the error function. The first parameter is “-se”, a “false error” that says whether the next request is genuine or not. The second “-sf” parameter will stop the attack when more than 95% of the requests are counted as an error. The third parameter is “-sa”, a combination of the above parameters.
In the example shown below, we will use the “-se” parameter:
| 1 | Ffuf -u http://ignitetechnologies.in/W2/W1/ -w dict.txt:W1 -w dns_dict.txt:W2 –se |
VERBOSE MODE
Verbose Mode is a feature used in many operating systems that provide additional information about what the computer does and what drivers and applications it loads when initialized. In programming, this mode provides accurate output for debugging purposes, making it easier to debug the program itself. To access this mode, the “-v” parameter is applied.
| 1 | Ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt –v |
EXECUTION THREADS
The “-t” parameter is used to speed up or slow down the process. By default, it is set to 40. If you want to speed up the process, you need to increase its value.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -t 1000 |
OUTPUT OPTIONS
We may save the results of attacks carried out in order to keep records, improve readability and find possible links. Enter the “-o” parameter to save the output, but you must specify its format using the “-of” parameter.
Once the attack is complete, it should be checked whether the file with the output data corresponds to this format or not, mention the experts of the Cyber Security 360 course. As you can see, the file itself refers to HTML.
OUTPUT DATA IN CSV FORMAT
Similarly, we can create CSV files using the “-of” parameter, where csv are comma-separated values. For example:
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -o file.html -of html |
When the attack is complete, you need to check whether the file with the output data corresponds to this format or not. As you can see, the file itself belongs to the CSV.
DATA OUTPUT IN ALL AVAILABLE FORMATS
Similarly, if you want to recover data in all formats, use the “-of all” parameter. For example, it can be json, ejson, html, md, csv, ecsv.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -o output/file -of all |
Now, once the attack is complete, you need to check all the files. We can see that they were saved in various formats.
HTTP OPTIONS
Sometimes the fuzzing process requires details such as an HTTP request, cookies, and an HTTP header, mention the experts of the Cyber Security 360 course.
TIME-OUT
This feature acts as a deadline for the event to complete. The “-timeout” parameter helps to activate this option.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -timeout 5 |
HOST HEADER
If you want to fuzz out subdomains, you can use the “-H” parameter along with the word list of the domain name.
| 1 | Ffuf -u https://google.com -w dns_dict.txt -mc 200 -H “HOST: FUZZ.google.com” |
RECURSION
According to the experts of the Cyber Security 360 course, this is a mechanism for reusing objects; if a program requires the user to access a function within another function, this is called a recursive call to the function. Using the “-recursion” parameter, the user can implement this functionality in their attacks.
| 1 | ffuf -u "http://testphp.vulnweb.com/FUZZ/" -dict.txt –recursion |
COOKIE ATTACK
There are times when fuzzing is not effective on a site where authentication is required. In these cases, we may use the “-b” parameter to use session cookies.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -b "PHPSESSID:"7aaaa6d88edcf7cd2ea4e3853ebb8bde"" |
REPLAY-PROXY
There are speed limits when using the Intruder feature in the free version of Burp (Community Edition). The attack slowed down a lot, and each new “order” slowed it down even more.
In this case, the user uses the Burp Suite proxy server to get the results and evaluate them. First, you need to install the localhost proxy server on port number 8080.
Now let’s use “-replay-proxy”, which helps to get the local proxy server of the host, installed in the previous step on port number 8080.
| 1 | ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -replay-proxy http://127.0.0.1:8080 -v -mc 200 |
This attack will show results on two platforms. The first platform is in the Kali Linux terminal and the second is in the “HTTP history” tab in Burp Suite. With the help of various methods, you will be able to better understand the target and analyze the results of the attack.
It is common to compare ffuf with other tools such as dirb or dirbuster. While ffuf can be used for deploying brute-force attacks, its real appeal lies in simplicity.
Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, information technologies, and to know more details about the Cyber Security 360 course
HOW TO DO PROFESSIONAL VULNERABILITY ASSESSMENT ON YOUR WEBSITE FOR FREE USING JUICE SHOP?
Jan 30 2023
HOW TO EASILY SPOOF MAC ADDRESS AUTOMATICALLY AND BE MORE ANONYMOUS
WHY CHANGE THE MAC ADDRESS?
The MAC address is (should be) unique to each network interface. By the way, if the device has several network interfaces, then each of them has its own MAC address. For example, laptops have at least two network interfaces: wired and Wi-Fi – each of them has an MAC address. Desktop computers are usually the same. When we talk about “changing MAC addresses”, we need to understand that there are several of these addresses. By the way, each port has its own unique MAC address, if the device supports wireless networks, then each wireless interface (2.4 GHz and 5 GHz) also has its own MAC address.
So, since the MAC address must be unique, it allows you to uniquely identify the network device. And since this network device is part of your computer, this allows you to uniquely identify your computer. Moreover, the MAC address (also called a hardware, physical address) does not change when the operating system changes.
In short, the replacement of the MAC address is needed so that it is not possible to track and identify the device by the MAC address. But there is a more important reason (than paranoia) to learn about MAC addresses and about methods from substitution, or prohibiting changes in your system. Based on MAC addresses, user identification can be performed when connected via the Intercepting Portal. A few words about the Intercepting Portal. Captive Portal). This is a way to force the user to comply with certain conditions for providing Internet access. You can most often encounter examples of Intercepting Portals in public places that provide Internet access services via Wi-Fi to an indefinite circle of people, but who want to identify the user and / or allow access only to persons with credentials. For example, at the airport you may need to confirm your phone number via SMS to access the free Wi-Fi network. The hotel will provide you with a username and password for accessing the Internet via Wi-Fi – this ensures that only hotel customers can use Wi-Fi services.
Due to the features of the Intercepting Portal, user identification is based on MAC addresses. And starting with NetworkManager 1.4.0 (a popular program for managing network connections on Linux), an automatic MAC-address spoofing is now present. And in case of incorrect settings, you may encounter an Internet access problem running through the Intercepting Portal. There are also problems with customized filtering by MAC on the router.
Well, for pentesting experts , of course, there are reasons to change the MAC address: for example, to pretend to be another user, and take advantage of its open access to the magical world of the Internet, or to increase anonymity.
Who can see my MAC address?
The MAC address is used to transfer data on a local network. That is, it is not transmitted when connecting to websites and when accessing the global network. Although there are exceptions: some vulnerabilities allow a person who is not on your local network to find out your MAC address.
If you connect to the router via the local network, then the router knows your MAC address, but if you open the site on the Internet, the site owner cannot find out your MAC address.
All devices located on the local network can see each other’s MAC addresses (there are many scanners that can get this data). An example of a local network scan made using arp-scan. A slightly different situation with wireless network interfaces. If you are connected to an access point (router), then all the rules of the local network work: the router and other devices can find out your MAC address. But also any person who is within the reach of your Wi-Fi signal (from the phone, laptop) can find out your MAC address.
SPOOFING MAC ADDRESSES IN NETWORKMANAGER
NetworkManager may reassign MAC installed by other programs
Starting with NetworkManager 1.4.0, this program supports MAC spoofing, and has many different options.
So that we can understand them, we need to understand some concepts
First, network adapters are :
- wired (ethernet);
- wireless (wifi).
For each group, MAC rules are customized separately.
Secondly, a wireless adapter can be in two states:
- scanning (search, not connected to the network) – is set using the property wifi.scan-rand-mac-address, default set to yes, which means that during scanning it sets an arbitrary MAC address. Another acceptable value is no;
- connected to the network – installed using the property wifi.cloned-mac-address, the default value is preserve.
For wired interface (installed by property ethernet.cloned-mac-address) and the wireless interface in the connection state (installed by the property wifi.cloned-mac-address) the following values are available (regimes):
- clearly specified MAC address (t.e. you can write the desired value that will be assigned to the network interface)
- permanent: use the MAC address sewn into the device
- preserve: do not change the device’s MAC address after activation (for example, if the MAC has been changed by another program, the current address will be used)
- random: generate a random variable for each connection
- stable: similar to random – i.e. for each connection to generate a random variable, NO when connecting to the same network, the same value will be generated
- NULL / not installed: This is the default value that allows you to roll back to global settings by default. If global settings are not set, then NetworkManager rolls back to the value preserve.
If you are trying to change the MAC in other ways and you are failing, it is entirely possible that NetworkManager, which changes the MAC in its own rules, is to blame. Since most Linux distributions with a NetworkManager graphical interface are installed and running by default, to solve your problem, you must first understand how NetworkManager works and by what rules.
NETWORKMANAGER CONFIGURATION FILES
NetworkManager settings, including settings related to MAC, can be done in a file /etc/NetworkManager/NetworkManager.conf or adding an additional file with the extension . . . .conf to the directory /etc/NetworkManager/conf.d
The second option is highly recommended, since when updating NetworkManager usually replaces the main one . . . . . . . . . .conf file and if you made changes to /etc/NetworkManager/NetworkManager.conf, then the settings you made will be overwritten.
HOW TO MAKE KALI LINUX REPLACE WITH EACH CONNECTION
If you want the MAC address to be replaced with each connection, but the same MAC is used in the connection to the same network, then the file /etc/NetworkManager/conf.d/mac.conf:
| 1 | sudo gedit /etc/NetworkManager/conf.d/mac.conf |
Add lines :
| 123 | [connection]ethernet.cloned-mac-address=stablewifi.cloned-mac-address=stable |
Lines with ethernet.cloned-mac-address & wifi.cloned-mac-address can be added individually or together.
Check the current values :
| 1 | ip link |
Restart the service :
| 1 | sudo systemctl restart NetworkManager |
We will make connections to wired and wireless networks. Now check the values of MAC again
As you can see, MAC is replaced for both the wired and wireless interfaces.
As already mentioned, the same addresses will be generated for the same networks, if you want different MACs each time even for the same networks, then the lines should look like this:
| 123 | [connection]ethernet.cloned-mac-address=randomwifi.cloned-mac-address=random |
HOW TO CONFIGURE AUTOMATIC MAC SPOOFING IN UBUNTU AND LINUX MINT
Ubuntu and Linux Mint use NetworkManager versions that support automatic MAC configuration. However, if you connect a Wi-Fi card to Ubuntu or Linux Mint, you will see a real MAC. This is due to the fact that in the file /etc/NetworkManager/NetworkManager.conf indicated not to spoof :
To change this, open the file :
| 1 | sudo gedit /etc/NetworkManager/NetworkManager.conf |
And delete the lines :
| 12 | [device]wifi.scan-rand-mac-address=no |
or comment on them to make it happen :
| 12 | #[device]#wifi.scan-rand-mac-address=no |
or change no on yes:
| 12 | [device]wifi.scan-rand-mac-address=yes |
And restart NetworkManager :
| 1 | sudo systemctl restart NetworkManager |
Similarly, you can add lines to replace MAC (these settings create a new address for each connection, but when connecting to the same networks, the same address is used):
| 123 | [connection]ethernet.cloned-mac-address=stablewifi.cloned-mac-address=stable |
OTHER WAYS TO CHANGE THE MAC ADDRESS
CHANGE MAC USING IPROUTE2
We will use the program ip, which is included in the package iproute2.
Let’s start by checking the current MAC address with the command :
| 1 | ip link show interface_name |
Where Interface_name – This is the name of a particular network interface that you want to see. If you do not know the name, or want to see all the interfaces, then the command can be started like this :
| 1 | ip link show |
At the moment, we are interested in the part that follows after link / ether“and represents a 6-byte number. It will look something like this :
| 1 | link/ether 00:c0:ca:96:cf:cb |
The first step for spoofing MAC addresses is to transfer the interface to a state down. This is done by the team
| 1 | sudo ip link set dev interface_name down |
Where Interface_name replaces the real name. In my case, this wlan0, then the real team looks like this:
| 1 | sudo ip link set dev wlan0 down |
Next, we go directly to the MAC spoofing. You can use any hexadecimal value, but some networks may be configured not to assign IP addresses to customers whose MAC address does not match any known vendor (producer). In these cases, so that you can successfully connect to the network, use the MAC prefix of any real vendor (first three bytes) and use arbitrary values for the next three bytes.
To change the MAC, we need to run the command :
| 1 | sudo ip link set dev interface_name address XX:XX:XX:XX:XX:XX |
Where XX: XX: XX: XX: XX: XX – This is the desired new MAC .
For example, I want to set the hardware address EC: 9B: F3: 68: 68: 28 for my adapter, then the team looks like this:
| 1 | sudo ip link set dev wlan0 address EC:9B:F3:68:68:28 |
In the last step, we return the interface to the state up. This can be done by a team of the form :
| 1 | sudo ip link set dev interface_name up |
For my system, a real team:
| 1 | sudo ip link set dev wlan0 up |
If you want to check if the MAC is really changed, just run the command again:
| 1 | ip link show interface_name |
Value after “link / ether“should be the one you installed.
CHANGE MAC WITH MACCHANGER
Another method uses macchanger (also known as the GNU MAC Changer). This program offers various functions, such as changing the address so that it matches a particular manufacturer, or its complete randomization.
Set macchanger – it is usually present in official repositories, and in Kali Linux it is installed by default.
At the time of the change of the MAC, the device should not be used (be connected in any way, or have status up). To transfer the interface to a state down:
| 1 | sudo ip link set dev interface_name down |
For spoofing, you need to specify the name of the interface, and replace in each next command wlan0 in the name of the interface that you want to change the MAC.
To find out the values of MAC, execute the command with the option -s:
| 1 | sudo macchanger -s wlan0 |
Something like:
| 12 | Current MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)Permanent MAC: 00:c0:ca:96:cf:cb (ALFA, INC.) |
The “Current MAC” line means the address at the moment, and “Permanent MAC” means a constant (real) address.
For spoofing the MAC address to a completely arbitrary address (option -r):
| 1 | sudo macchanger -r wlan0 |
About the following will be displayed :
| 123 | Current MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)Permanent MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)New MAC: be:f7:5a:e7:12:c2 (unknown) |
The first two lines are already explained, the line “New MAC” means a new address.
For randomization, only bytes that determine the uniqueness of the device, the current MAC address (i.e.e. if you check the MAC address, it will register as from the same vendor) run the command (option -e):
| 1 | sudo macchanger -e wlan0 |
To set the MAC address to a specific value, execute (option -m):
| 1 | sudo macchanger -m XX:XX:XX:XX:XX:XX wlan0 |
Here XX: XX: XX: XX: XX: XX – This is the MAC you want to change to.
Finally, to return the MAC address to the original, constant value prescribed in the iron (option -p):
| 1 | sudo macchanger -p wlan0 |
CONCLUSION
NetworkManager currently provides a wealth of MAC spoofing capabilities, including a change to a random address, or to a specific one. A feature of NetworkManager is the separation of “scanning” and “connected” modes, i.e. you may not see that the settings made have already entered into force until you connect to any network.
If after the change of MAC you have problems with connecting (you cannot connect to networks – wired or wireless), this means that there is a ban on connecting with MAC from an unknown vendor (producer). In this case, you need to use the first three octets (bytes) of any real vendor, the remaining three octets can be arbitrary says pentesting experts.
The Art of Mac Malware: The Guide to Analyzing Malicious Software
Jan 25 2023
Everyone Wants Your Email Address. Think Twice Before Sharing It
Your email address has become a digital bread crumb for companies to link your activity across sites. Here’s how you can limit this.
When you browse the web, an increasing number of sites and apps are asking for a piece of basic information that you probably hand over without hesitation: your email address.
It may seem harmless, but when you enter your email, you’re sharing a lot more than just that. I’m hoping this column, which includes some workarounds, persuades you to think twice before handing over your email address.
First, it helps to know why companies want email addresses. To advertisers, web publishers and app makers, your email is important not just for contacting you. It acts as a digital bread crumb for companies to link your activity across sites and apps to serve you relevant ads.
If this all sounds familiar, that’s because it is.
For decades, the digital advertising industry relied on invisible trackers planted inside websites and apps to follow our activities and then serve us targeted ads. There have been sweeping changes to this system in the past few years, including Apple’s release of a software feature in 2021 allowing iPhone users to block apps from tracking them and Google’s decision to prevent websites from using cookies, which follow people’s activities across sites, in its Chrome browser by 2024.
Advertisers, web publishers and app makers now try to track people through other means — and one simple method is by asking for an email address.
Imagine if an employee of a brick-and-mortar store asked for your name before you entered. An email address can be even more revealing, though, because it can be linked to other data, including where you went to school, the make and model of the car you drive, and your ethnicity.
- Dig deeper into the moment.
“I can take your email address and find data you may not have even realized you’ve given to a brand,” said Michael Priem, the chief executive of Modern Impact, an advertising firm in Minneapolis. “The amount of data that is out there on us as consumers is literally shocking.”
Advertising tech is continuing to evolve, so it helps to understand what exactly you’re sharing when you enter in an email address. From there, you can decide what to do.
Your email address has become a potent piece of data.
For many years, the digital ad industry has compiled a profile on you based on the sites you visit on the web. Information about you used to be collected in covert ways, including the aforementioned cookies and invisible trackers planted inside apps. Now that more companies are blocking the use of those methods, new ad targeting techniques have emerged.
One technology that is gaining traction is an advertising framework called Unified ID 2.0, or UID 2.0, which was developed by the Trade Desk, an ad-technology company in Ventura, Calif.
Say, for example, you are shopping on a sneaker website using UID 2.0 when a prompt pops up and asks you to share your email address and agree to receive relevant advertising. Once you enter your email, UID 2.0 transforms it into a token composed of a string of digits and characters. That token travels with your email address when you use it to log in to a sports streaming app on your TV that uses UID 2.0. Advertisers can link the two accounts together based on the token, and they can target you with sneaker ads on the sports streaming app because they know you visited the sneaker website.
Since your email address is not revealed to the advertiser, UID 2.0 may be seen as a step up for consumers from traditional cookie-based tracking, which gives advertisers access to your detailed browsing history and personal information.
“Websites and apps are increasingly asking for email authentication in part because there needs to be a better way for publishers to monetize their content that’s more privacy-centric than cookies,” Ian Colley, the chief marketing officer of the Trade Desk, said in an email. “The internet is not free, after all.”A New Direction for Tech FixOur tech problems have become more complex, so Brian X. Chen has rebooted his column to focus on the societal implications of the tech we use.Personal Tech Has Changed. So Must Our Coverage of It.Nov. 2, 2022
However, in an analysis, Mozilla, the nonprofit that makes the Firefox web browser, called UID 2.0 a “regression in privacy” because it enabled the type of tracking behavior that modern web browsers were designed to prevent.
There are simpler ways for websites and apps to track your web activity through your email address. An email could contain your first and last name, and assuming you’ve used it for some time, data brokers have already compiled a comprehensive profile on your interests based on your browsing activity. A website or an app can upload your email address into an ad broker’s database to match your identity with a profile containing enough insights to serve you targeted ads.
The bottom line is that if you’re wondering why you are continuing to see relevant ads despite the rise of privacy tools that combat digital tracking, it’s largely because you are still sharing your email address.
So what to do?
There are various options for limiting the ability of advertising companies to target you based on your email address:
- Create a bunch of email addresses. Each time a site or an app asks for your email, you could create a unique address to log in to it, such as, for example, netflixbrianchen@gmail.com for movie-related apps and services. That would make it hard for ad tech companies to compile a profile based on your email handle. And if you receive spam mail to a specific account, that will tell you which company is sharing your data with marketers. This is an extreme approach, because it’s time-consuming to manage so many email addresses and their passwords.
- Use email-masking tools. Apple and Mozilla offer tools that automatically create email aliases for logging in to an app or a site; emails sent to the aliases are forwarded to your real email address. Apple’s Hide My Email tool, which is part of its iCloud+ subscription service that costs 99 cents a month, will create aliases, but using it will make it more difficult to log in to the accounts from a non-Apple device. Mozilla’s Firefox Relay will generate five email aliases at no cost; beyond that, the program charges 99 cents a month for additional aliases.
- When possible, opt out. For sites using the UID 2.0 framework for ad targeting, you can opt out by entering your email address at https://transparentadvertising.org. (Not all sites that collect your email address are using UID 2.0, however.)
You could also do nothing. If you enjoy receiving relevant advertising and have no privacy concerns, you can accept that sharing some information about yourself is part of the transaction for receiving content on the internet.
I try to take a cautious but moderate approach. I juggle four email accounts devoted to my main interests — food, travel, fitness and movies. I’ll use the movie-related email address, for example, when I’m logging in to a site to buy movie tickets or stream videos. That way, those sites and apps will know about my movie preferences, but they won’t know everything about me.
Source:
Checkout our previous posts on “Email Security”
The Art of Email Security: Putting Cybersecurity In Simple Terms
InfoSec books | InfoSec tools | InfoSec services
Jan 23 2023
Learn Python and Learn it Well
Jan 23 2023
The U.S. ‘No Fly List’ Found On the Open Internet
The Ohio-based airline, CommuteAir, responsible for the incident confirmed the legitimacy of the data to the media.
The No Fly List and other sensitive files were discovered by Maia Arson Crimew, a Swiss security researcher and hacker, while searching for Jenkins servers on Shodan.
A Swiss hacker by the name of Maia Arson Crimew discovered an unsecured server run by the Ohio-based airline, CommuteAir, a United Express carrier. The hacker claims they found the server while searching for Jenkins servers on Shodan, a specialized search engine used by cybersecurity researchers to locate exposed servers and misconfigured databases on the Internet.
After a while of skimming through the files, Crimew claimed to have found a file labelled “NoFly.csv,” which turned out to be a legitimate U.S. no-fly, terrorist watch list from 2019.
The 80-MB exposed file, first reported on by the Daily Dot, is a smaller subset of the U.S. government’s Terrorist Screening Database, maintained and used by the DOJ, FBI, and Terrorist Screening Center (TSC).
With over 1.5 million entries, the file contains the first names, last names, and dates of birth of people with suspected or known ties to terrorist organizations.
This should not come as a surprise, since the US (along with China) topped the 2021 list of countries that exposed the most misconfigured databases online.
The leak of the No Fly List should not be a jaw-dropper, as in August 2021, the US government’s secret terrorist watchlist with two million records was exposed online. However, the watchlist was exposed on a misconfigured server hosted on a Bahrain IP address instead of a US one.
As for the latest breach, CommuteAir confirmed the legitimacy of the data, stating that it was a version of the federal no-fly list from approximately four years ago. CommuteAir told the Daily Dot that the unsecured server had been used for testing purposes and was taken offline before the Daily Dot published their article.
They have also reported the data exposure to the Cybersecurity and Infrastructure Security Agency (CISA).CommuteAir further confirms that the server did not expose any customer information, based on an initial investigation. However, the same cannot be said for the safety of the employees’ data.
On the other hand, the hacker, Crimew claims in their report to have found extensive personally identifiable information (PII) about 900 of the crewmates including their full names, addresses, phone numbers, passport numbers, pilot’s license numbers and much more. User credentials to more than 40 Amazon S3 buckets and servers run by CommuteAir were also exposed, said crime.
The list contained notable figures such as the Russian arms dealer Victor Bout who was recently freed in exchange for the WNBA star Brittney Griner. Since the list contained over 16 potential aliases for him, many other entries in the list are likely aliases of the same person and the number of individuals is far less than 1.5 million.
Certain names on the list also belong to suspected members of the IRA, the Irish paramilitary organization. The list contained someone as young as 8 years old, based on their birth date, according to crime.
The majority of the names, however, appeared to be of Arabic or Middle Eastern descent, along with Hispanic and Anglican-sounding names. The entire dataset is available on the official website of DDoSecrets, upon request.
Although it is rare for this list to be leaked and is considered highly secretive, it is not labelled as a classified document due to the number of agencies and individuals that access it.
In a statement to the Daily Dot, TSA stated that it was “aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners.”
1,001 REASONS YOU MIGHT BE ON THE NO FLY LIST: 1,001 Reasons You Might Be On The No Fly List
Jan 22 2023
Global Cybersecurity Outlook 2023
#Geopolitical Instability Means a #Cyber “Catastrophe” is Imminent
Routledge Companion to Global Cyber-Security Strategy
The 2023-2028 Outlook for Cybersecurity in China
Global Cyber Security Labor Shortage and International Business Risk
The Cyber Threat and Globalization : The Impact on U.S. National and International Security
InfoSec books | InfoSec tools | InfoSec services
Jan 17 2023
Windows PowerShell Cheat Sheet
Jan 12 2023
Microsoft Exchange Vulnerabilities Most Exploited by Hackers Targeting Financial Sector
During the month of November, researchers at the cybersecurity firm LookingGlass examined the most significant vulnerabilities in the financial services industry in the United States.
The company looked at assets with public internet-facing assets from more than 7 million IP addresses in the industry and discovered that a seven-year-old Remote Code Execution vulnerability affecting Microsoft Windows was at the top of the list.
According to CISA, the “Financial Services Sector includes thousands of depository institutions, providers of investment products, insurance companies, other credit and financing organizations, and the providers of the critical financial utilities and services that support these functions.”
Reports stated that the industry employs about 8 million Americans and contributes $1.5 trillion, or 7.4% of the nation’s overall GDP.
Microsoft Exchange Vulnerabilities
Over 900 times in the financial sector have been affected by a critical remote code execution vulnerability identified as (CVE-2015-1635), affecting Microsoft Windows and it has been around for seven years.
If this vulnerability is exploited successfully, a remote attacker may execute arbitrary code with system privileges and result in a buffer overflow.
The next most often exploited vulnerability was (CVE-2021-31206), which affects Microsoft Exchange Servers. Reports say in the month of November, this vulnerability was exploited 700 times in the financial services industry in the United States.
“Our data holdings attribute roughly 7 million of these to the U.S. financial services sector, which includes insurance companies, rental & leasing companies, and creditors, among other subsectors”, explains LookingGlass researchers.
According to recent reports from the U.S. Department of Treasury, ransomware attacks alone cost U.S. financial institutions close to $1.2 billion in 2021, a nearly 200% increase from the year before.
The Financial Crimes Enforcement Network (FCEN) of the Treasury identified Russia as the main source of numerous ransomware variants hitting the industry in its study.
Joint Cybersecurity Advisory: Compromise of Microsoft Exchange Server
Jan 10 2023
Remote code execution bug discovered in the popular JsonWebToken library
The open-source jsonwebtoken (JWT) library is affected by a high-severity security flaw that could lead to remote code execution.
The open-source JsonWebToken (JWT) library is affected by a high-severity security flaw, tracked as CVE-2022-23529 (CVSS score: 7.6), that could lead to remote code execution.
The package is maintained by Auth0, it had over 9 million weekly downloads as of January 2022 and it is used by more than 22.000 projects.
The flaw was discovered by Unit 42 researchers, it can be exploited by threat actors by tricking a server into verifying a maliciously crafted JSON web token (JWT) request.
“By exploiting this vulnerability, attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request.” reads the advisory published by Palo Alto Networks. “With that being said, in order to exploit the vulnerability described in this post and control the secretOrPublicKey value, an attacker will need to exploit a flaw within the secret management process.”
JsonWebToken is an open-source JavaScript package that allows users to verify/sign JSON web tokens (JWT).
The flaw impacts JsonWebToken package version 8.5.1 or an earlier version, the JsonWebToken package version 9.0.0 addressed the issue.
“For versions <=8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE).” reads the advisory published on GitHub. “You are affected only if you allow untrusted entities to modify the key retrieval parameter of the jwt.verify() on a host that you control.”
Vulnerabilities in open-source projects are very dangerous, threat actors could exploit them as part of supply chain attacks that can impact any projects relying on them.
“Open source projects are commonly used as the backbone of many services and platforms today. This is also true for the implementation of sensitive security mechanisms such as JWTs, which play a huge role in authentication and authorization processes.” concludes Palo Alto. “Security awareness is crucial when using open source software. Reviewing commonly used security open source implementations is necessary for maintaining their dependability, and it’s something the open source community can take part in.”
Below is the timeline for this vulnerability:
- July 13, 2022 – Unit 42 researchers sent a disclosure to the Auth0 team under responsible disclosure procedures
- July 27, 2022 – Auth0 team updated that the issue was under review
- Aug. 23, 2022 – Unit 42 researchers sent an update request
- Aug. 24, 2022 – Auth0 team updated that the engineering team was working on the resolution
- Dec. 21, 2022 – A patch was provided by the Auth0 engineering team
Infosec books | InfoSec tools | InfoSec services
Jan 02 2023
Cyber Crime: The Dark Web Uncovered
Cyber Crime: The Dark Web Uncovered
11 of the world’s top cyber security experts gather to discuss how to protect ourselves against cybercrime. Includes interviews with Rob Boles, Jesse Castro, Michael Einbinder-Schatz, Rick Jordan, Konrad Martin, Rene Miller, Paul Nebb, Will Nobles, Adam Pittman, Leia Shilobod, and Peter Verlezza.
Directors Jeff Roldan Starring 11 Top Cyber Security Experts
Genres Documentary SubtitlesEnglish [CC] Audio languagesEnglish
Jan 02 2023
Windows PowerShell Tutorial and Cheat Sheet
Dec 31 2022
Windows event log analysis
Dec 26 2022
Cybersecurity Awareness Training in Companies: Why You Can’t Do Without It
Cybersecurity awareness is no longer a “nice to have”; in fact, it has become a fundamental part of your corporate training process across all levels and aspects of your business.
Would you leave your business unlocked and open to all comers? Of course not – but if you don’t have solid cybersecurity in place, that’s effectively what you’re doing! As the business world becomes a digital space, security has also become a digital matter.
One cybercriminal can wreak havoc if unchecked, and our potential flashpoints for vulnerabilities are growing daily. Nor is this something you can achieve alone – a great IT security team is one thing, but if one of your other workers leaves the metaphorical door unlocked, you’ll still be in trouble.
With top-down training boosted with the power of video, however, security can become a simple matter.
A Growing Risk
The average cost-per-company of a data breach is over $4 million. Cybercrime currently costs companies globally $8.4 trillion a year- and that is expected to soar to $23 trillion (or more) by 2027. Fortunately, there’s a lot you can do to mitigate your risk and keep your company out of those stats.
Humans are and will remain, the weakest link in any business’s digital security. Just as a thoughtless individual can leave a door unlocked and bypass your multi-million dollar security system in a heartbeat, one wrong move from an employee and even the best cybersecurity comes tumbling down.
It’s critical that all people in your organization are aware of cybersecurity risks, know the best practices for data and network security, and understand the consequences of laziness leading to cybersecurity failures.
Cybersecurity Awareness Training
It’s a simple idea – using a technical approach to proactively educate employees, ensuring awareness of data privacy, identity, and digital assets permeates every level of your organization. This will immensely reduce your risk of cybersecurity breaches. In turn, that means fewer financial losses from this type of crime, making it a solid return on investment.
And being cybersecurity-aware will have knock-on positives in your reputation with consumers, making you seem more trustworthy and desirable. Prevention of security issues means no loss of brand reputation, too.
The Learning Gap
Of course, your training is only as good as its retention rate. Cybersecurity training for employees can’t be some dull, dusty lecture or 500-page word document that’s unengaging, boring, and packed with jargon, or you may as well not waste your time. It’s critical that staff feel both empowered with their new skills, and that it comes over as simple to understand and easy to implement.
We all know that video is one of the most powerful storytelling formats out there. From the power of video shorts and reels for marketing to the way a great TV program can unite us, it’s a format that delivers punchy messages in an engaging way.
Unlike text, where aspects like reading level can play a role, everyone can engage with video. Plus you have the benefit of being able to condense a lot of information into short, pithy, and easy-to-retain factoids. You can power that up further with the power of AI, making videos simple to create, engaging, and easy to update and adapt without a huge financial outlay.
Using a simple text-to-speech format, you can create compelling, entertaining, and educational content that will help keep every member of your organization aware of cybersecurity risks and qualified to prevent them from occurring.
Cybersecurity awareness is no longer a ‘nice to have’. It’s an absolutely essential part of your corporate training process, across all levels and aspects of your business. With the power of simple-to-use AI video on your side, creating engaging learning programs to keep staff informed and ahead of cyber criminals is a simple matter, so don’t delay in addressing this critical aspect of business security today.
Cybersecurity Fundamentals
Learn cybersecurity fundamentals, including how to detect threats, protect systems and networks, and anticipate potential cyber attacks.
Cybersecurity for Remote Workers Staff Awareness E-learning Course
Security Awareness Program Builder
Infosec books | InfoSec tools | InfoSec services
Dec 16 2022
Microsoft revised CVE-2022-37958 severity due to its broader scope
Microsoft revised the severity rate for the CVE-2022-37958 flaw which was addressed with Patch Tuesday security updates for September 2022.
Microsoft revised the severity rate for the CVE-2022-37958 vulnerability, the IT giant now rated it as “critical” because it discovered that threat actors can exploit the bug to achieve remote code execution.
The CVE-2022-37958 was originally classified as an information disclosure vulnerability that impacts the SPNEGO Extended Negotiation (NEGOEX) security mechanism.
The SPNEGO Extended Negotiation Security Mechanism (NEGOEX) extends Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) described in [RFC4178].
The SPNEGO Extended Negotiation (NEGOEX) Security Mechanism allows a client and server to negotiate the choice of security mechanism to use.
The issue was initially rated as high severity because the successful exploitation of this issue required an attacker to prepare the target environment to improve exploit reliability.
Microsoft addressed the vulnerability with the release of Patch Tuesday security updates for September 2022.
IBM Security X-Force researcher Valentina Palmiotti demonstrated that this vulnerability is a pre-authentication remote code execution issue that impacts a wide range of protocols. It has the potential to be wormable and can be exploited to achieve remote code execution.
“The vulnerability could allow attackers to remotely execute arbitrary code by accessing the NEGOEX protocol via any Windows application protocol that authenticates, such as Server Message Block (SMB) or Remote Desktop Protocol (RDP), by default.” reads the post published by IBM. “This list of affected protocols is not complete and may exist wherever SPNEGO is in use, including in Simple Message Transport Protocol (SMTP) and Hyper Text Transfer Protocol (HTTP) when SPNEGO authentication negotiation is enabled, such as for use with Kerberos or Net-NTLM authentication.”
Unlike the CVE-2017-0144 flaw triggered by the EternalBlue exploit, which only affected the SMB protocol, the CVE-2022-37958 flaw could potentially affect a wider range of Windows systems due to a larger attack surface of services exposed to the public internet (HTTP, RDP, SMB) or on internal networks. The expert pointed out that this flaw can be exploited without user interaction or authentication.
IBM announced it will release full technical details in Q2 2023 to give time organizations to apply the security updates.
Mastering Windows Security and Hardening: Secure and protect your Windows environment from intruders, malware attacks, and other cyber threats
Dec 13 2022
Multiple Zero-Day Vulnerabilities in Antivirus and Endpoint Let Attackers Install Data Wipers
Next-Generation Wiper Tool
Aikido is the wiper tool that has been developed by the Or Yair of SafeBreach Labs, and the purpose of this wiper is to defeat the opponent by using their own power against them.
As a consequence, this wiper can be run without being given privileges. In addition, it is also capable of wiping almost every file on a computer, including the system files, in order to make it completely unbootable and unusable.
EDRs are responsible for deleting malicious files in two main ways, depending on the following contexts:-
- Time of threat identification
- Time of threat deletion
As soon as a malicious file is detected and the user attempts to delete it, the Aikido wiper takes advantage of a moment of opportunity.
This wiper makes use of a feature in Windows allowing users to create junction point links (symlinks) regardless of the privileges of the users’ accounts, which is abused by this wiper.
A user who does not have the required permissions to delete system files (.sys) will not be able to delete those files according to Yair. By creating a decoy directory, he was able to trick the security product to delete the file instead of preventing it from being deleted.
Likewise, he placed a string inside the group that resembled the path intended for deletion, for example, as follows:-
- C:\temp\Windows\System32\drivers vs C:\Windows\System32\drivers
Qualities of the Aikido Wiper
Here below we have mentioned all the general qualities of the Aikido Wiper:-
- Fully Undetectable
- Makes the System Unbootable
- Wipes Important Data
- Runs as an Unprivileged User
- Deletes the Quarantine Directory
Product analysis and response from the vendor
It was found that six out of 11 security products tested by Or Yair were vulnerable to this exploit. In short, over 50% of the products in this category that is tested are vulnerable.
Here below we have mentioned the vulnerable ones:-
- Defender
- Defender for Endpoint
- SentinelOne EDR
- TrendMicro Apex One
- Avast Antivirus
- AVG Antivirus
Here below we have mentioned the products that are not vulnerable:-
- Palo Alto XDR
- Cylance
- CrowdStrike
- McAfee
- BitDefender
Between the months of July and August of this year, all the vulnerabilities have been reported to all the vendors that have been affected. There was no arbitrary file deletion achieved by the researcher in the case of Microsoft Defender and Microsoft Defender for Endpoint products.
In order to cope with the vulnerabilities, three of the vendors have issued the following CVEs:-
- Microsoft: CVE-2022-37971
- TrendMicro: CVE-2022-45797
- Avast & AVG: CVE-2022-4173
This exploit was also addressed by three of the software vendors by releasing updated versions of their software to address it:-
- Microsoft Malware Protection Engine: 1.1.19700.2
- TrendMicro Apex One: Hotfix 23573 & Patch_b11136
- Avast & AVG Antivirus: 22.10
This type of vulnerability should be proactively tested by all EDR and antivirus vendors to ensure that their products are protected from similar attacks in the future.
For organizations using EDR and AV products, the researcher strongly recommends that they consult with their vendors for updates and patches immediately.
Dec 08 2022
Don’t Sell Your Laptop Without Following These Steps
Before selling or trading in your laptop, it is important to prepare the device for its new owner as this will help ensure all of your personal data remains safe.
In an age when every day, a new version of a laptop with better features, sleek design, and improved performance hits the market, it is no wonder that you also wish to buy a new laptop to achieve excellence in performance and enjoy new features.
You have money, you can buy a new laptop, great! But what about your previous laptop? If you are thinking of selling it, then…stop.
If you think selling a laptop is all about saving your data, finding a seller, and selling it, then you need to think again. It goes beyond this! It is not all about getting a fair price, but also saving your personal information and private data from reaching a stranger – that might cost you a lot if that stranger is fraudulent or malicious.
Before selling or trading in your laptop, it is important to prepare the device for its new owner. This can be done by taking several simple precautions that will help ensure all of your personal data remains safe.
1 Save Your Important Data
It goes without saying that your first step should be keeping a backup of your essential data, including personal and work-related files and folders, containing documents, presentations, emails, plans, strategies, or anything else that you have prepared with so much hard work.
If you don’t want to see your data slipping from your fingers, then this should be your number one step.
You can save your data on a data drive or upload it to a reliable cloud service. Or send them to your own email address (well, this is my favorite way of saving my data!). Do whatever suits you, but saving data is a must before selling your laptop.
However, this can only work if you have a few GB of data. In case you have terabytes of data then owning a workstation from companies like Western Digital (WD) is a good way to go.
2 Delete Passwords Permanently
Nobody wants the passwords of important accounts to get leaked. Full stop! But have you ever thought about how to save your passwords before giving your laptop? What — did you just say you can do it by signing off from all your accounts and deleting history and cookies? Ah, I wish it was really that easy, but it is not.
Where technology has brought so much ease into our lives, there it has also become a trouble in many ways — like this one. Unfortunately, some software can extract passwords even if you log out from your accounts.
That is where you should act smartly if you don’t want someone to sneak into your Facebook and start sending weird messages through your accounts to your friends. It could trigger so many controversies – eh. So, cut iron with iron.
You can also use apps such as password generators. One such example is the IPVanish password generator which lets users delete passwords permanently from their browsers. If you wish to do that manually, follow these easy steps:
For Chrome browser: First, open Chrome and click on the three-dot menu icon located in the top right corner. Then select “Settings” and click on “Passwords” under Autofill. Here you will find a list of all the websites that have saved credentials, along with their usernames and passwords.
Select an entry to see the details, then click on the three-dot menu icon next to it and select “Remove.” You’ll be asked to confirm by clicking “remove” again; once confirmed all login information for that website will be deleted from your computer. (Read more on Google.)
For Firefox: First, launch the Firefox browser on your device. Then, click the ‘Menu’ icon (three lines in the upper right corner) and select ‘Options’ or ‘Preferences’. In this menu, you will see a section for ‘Logins & Passwords. You can then scroll through all of your saved logins and passwords until you find the one that needs to be deleted.
For Safari Browser: To begin, open up the Safari browser on your computer and click the ‘Safari’ menu at the top left corner. In that menu option, select ‘Preferences’ and then navigate to the ‘Passwords’ tab. (Read more on Mozilla.)
Here you will see a list of all of your stored passwords that have been saved by Safari. To delete one or more of these passwords, simply check off each box next to each entry that you wish to remove and hit delete in the bottom right corner. (Read more on Apple.)
3 Format the Drive
Have you saved your important data? Great! Now, what about data that is still on your laptop? Obviously, you can’t leave it like this for others to see your private information and confidential data. No, just deleting data files and clearing Recycle Bin or Shift + Delete might not work. It can still keep the issue of data leakage and privacy breaches there.
In this condition, most people go for drive formatting that cleans up your laptop and makes it data free. However, this method works if your files are overwritten and you are using a solid-state drive (SSD) with TRIM enabled.
With HDD or TRIM disabled, you would have to overwrite the hard drive if you don’t want cheap software to recover your data – yes, even after formatting. It is very easy to recover a permanently deleted file through even cheap software. So, be safe than sorry!
4 Prepare Your Laptop for Selling
Once you are done saving your information, next, it is time to prepare your laptop for sale at a good price. The price of your gadget also depends on its model, functionalities, current market price, and a lot more. However, improving the outer condition, and speed, upgrading Windows, and enhancing the memory storage can enhance the price of your laptop.
So, work on the following things to get good bucks:
- First, install the latest Windows to make your buyer happy. You can vow anyone with the latest functionalities already installed on the laptop, so that person wouldn’t have to go through all the trouble. It is a good chance to impress a buyer.
- Second, work on the speed of the laptop. Half of the work is already done when you delete files and data. So, reset the laptop to speed it up.
- Clean up your laptop, please. Don’t take your laptop to a buyer with all the lint or dust trapped between keys and scratches on the screen. You can remove lint or dust with a brush and change the screen cover. This simple work can make a lot of difference.
- Lastly, visit a laptop expert and ask for a thorough inspection so that you can rectify if there are any internal faulty parts.
Nov 29 2022
Why the updated ISO 27001 standard matters to every business’ security
On the morning of August 4, 2022, Advanced, a supplier for the UK’s National Health Service (NHS), was hit by a major cyberattack. Key services including NHS 111 (the NHS’s 24/7 health helpline) and urgent treatment centers were taken offline, causing widespread disruption. This attack served as a brutal reminder of what can happen without a standardized set of controls in place. To protect themselves, organizations should look to ISO 27001.
ISO 27001 is an internationally recognized Information Security Management System standard. It was first published in 2005 to help businesses implement and maintain a solid information security framework for managing risks such as cyberattacks, data leaks and theft. As of October 25, 2022, it has been updated in several important ways.
The standard is made up of a set of clauses (clauses 4 through 10) that define the management system, and Annex A which defines a set of controls. The clauses include risk management, scope and information security policy, while Annex A’s controls include patch management, antivirus and access control. It’s worth noting that not all of the controls are mandatory; businesses can choose to use those that suit them best.
Why is ISO 27001 being updated?
It’s been nine years since the standard was last updated, and in that time, the technology world has changed in profound ways. New technologies have grown to dominate the industry, and this has certainly left its mark on the cybersecurity landscape.
With these changes in mind, the standard has been reviewed and revised to reflect the state of cyber- and information security today. We have already seen ISO 27002 (the guidance on applying the Annex A controls) updated. The number of controls has been reduced from 114 to 93, a process that combined several previously existing controls and added 11 new ones.
Many of the new controls were geared to bring the standard in line with modern technology. There is now, for example, a new control for cloud technology. When the controls were first created in 2013, cloud was still emerging. Today, cloud technology is a dominant force across the tech sector. The new controls thus help bring the standard up to date.
In October, ISO 27001 was updated and brought in line with the new version of ISO 27002. Businesses can now achieve compliance with the updated 2022 controls, certifying themselves as meeting this new standard, rather than the now-outdated list from 2013.
How can ISO 27001 certification benefit your business?
Implementing ISO 27001 brings a host of information security advantages that benefit companies from the outset.
Companies that have invested time in achieving ISO 27001 certification will be recognized by their customers as organizations that take information security seriously. Companies that are focused on the needs of their customers should want to address the general feeling of insecurity in their users’ minds.
Moreover, as part of the increasingly rigorous due-diligence processes that many companies are now undertaking, ISO 27001 is becoming mandatory. Therefore, organizations will benefit from taking the initiative early to avoid missing out commercially.
In the case of cyber-defense, prevention is always better than cure. Attacks mean disruption, which almost always proves costly for an organization, in regard to both reputation and finances. Therefore, we might view ISO 27001 as a form of cyber-insurance, where the correct steps are taken preemptively to save organizations money in the long term.
There’s also the matter of education. Often, an organization’s weakest point, and thus the point most often targeted, is the user. Compromised user credentials can lead to data breaches and compromised services. If users were more aware of the nature of the threats they face, the likelihood of their credentials being compromised would decrease significantly. ISO 27001 offers clear and cogent steps to educate users on the risks they face.
Ultimately, whatever causes a business to choose implementation of ISO 27001, the key to getting the most out of it is ingraining its processes and procedures in their everyday activity.
Overcoming the challenge of ISO 27001 certification
A lot of companies have already implemented many controls from ISO 27001, including access control, backup procedures and training. It might seem at first glance that, as a result, they’ve already achieved a higher standard of cybersecurity across their organization. However, what they continue to lack is a comprehensive management system to actually manage the organization’s information security, ensuring that it is aligned with business objectives, tied into a continuous improvement cycle, and part of business-as-usual activities.
While the benefits of ISO 27001 may be obvious to many in the tech industry, overcoming obstacles to certification is far from straightforward. Here are some steps to take to tackle two of the biggest issues that drag on organizations seeking ISO 27001 certification:
- Resources — time, money, and manpower: Businesses will be asking themselves: How can we find the extra budget and dedicate the finite time of our employees to a project that could last six to nine months? The key here is to place trust in the industry experts within your business. They are the people who will be implementing the standard day-by-day, and they should be placed at the wheel.
- Lack of in-house knowledge: How can businesses that have no prior experience implementing the standard get it right? In this case, we advise bringing in third-party expertise. External specialists have done this all before: They have already made the mistakes and learned from them, meaning they can come into your organization directly focused on implementing what works. In the long run, getting it right from the outset is a more cost-effective strategy because it will achieve certification in a shorter time.
Next steps toward a successful future
While making this all a reality for your business can seem daunting, with the right plan in place, businesses can rapidly benefit from all that ISO 27001 certification has to offer.
It’s also important to recognize that this October was not the cutoff point for businesses to achieve certification for the new version of the standard. Businesses will have a few months before certification bodies will be ready to offer certification, and there will likely then be a two-year transition period after the new standard’s publication before ISO 27001:2013 is fully retired.
Ultimately, it’s vital to remember that while implementation comes with challenges, ISO 27001 compliance is invaluable for businesses that want to build their reputations as trusted and secure partners in today’s hyper-connected world.
Source: https://wordpress.com/read/blogs/126020344/posts/2830377
ISO 27001 Risk Assessment and Gap Assessment
ISO 27001 Compliance and Certification
Nov 19 2022
Black Friday and retail season – watch out for PayPal “money request” scams
Given that we’re getting into peak retail season, you’ll find cybersecurity warnings with a “Black Friday” theme all over the internet…
…including, of course, right here on Naked Security!
As regular readers will know, however, we’re not terribly keen on online tips that are specific to Black Friday, because cybersecurity matters 365-and-a-quarter days a year.
Don’t take cybersecurity seriously only when it’s Thanksgiving, Hannukah, Kwanzaa, Christmas or any other gift-giving holiday, or only for the New Year Sales, the Spring Sales, the Summer sales or any other seasonal discount opportunity.
As we said when retail season kicked off earlier this month in many parts of the world:
The best reason for improving your cybersecurity in the leadup to Black Friday is that it means you will be improving your cybersecurity for the rest of the year, and will encourage you to keep on improving through 2023 and beyond.
Having said that, this article is about a PayPal-branded scam that was reported to us earlier this week by a regular reader who thought it would be worth warning others about, especially for those with PayPal accounts who may be more inclined to use them at this time of year than any other.
The good thing about this scam is that you should spot it for what it is: made-up nonsense.
The bad thing about this scam is that it’s astonishingly easy for criminals to set up, and it carefully avoids sending spoofed emails or tricking you to visit bogus websites, because the crooks use a PayPal service to generate their initial contact via official PayPal servers.
Here goes.
Spoofing explained
A spoofed email is one that insists it’s from a well-known company or domain, typically by putting a believable email address in the From: line, and by including logos, taglines or other contact details copied from the brand it’s trying to impersonate.
Remember that the name and email address shown in an email next to the word From are actually just part of the message itself, so the sender can put almost anything they like in there, regardless of where they really sent the message from.
A spoofed website is one that copies the look and feel of the real thing, often simply by ripping off the exact web content and images from the original site to make it look as pixel-perfect as possible.
Scam sites may also try to make the domain name that you see in the address bar look at least vaguely realistic, for example by putting the spoofed brand at the left-hand end of the web address, so that you might see something like paypal.com.bogus.example, in the hope that you won’t check the right-hand end of the name, which actually determines who owns the site.
Other scammers try to acquire lookalike names, for example by replacing W (one W-for-Whisky character) with VV (two V-for Victor characters), or by using I (writing an upper case I-for-India character) in place of l (a lower case L-for-Lima).
But spoofing tricks of this sort can often be spotted fairly easily, for example by:
- Learning how to examine the so-called headers of an email message, which shows which server a message actually came from, rather than the server that the sender claimed they sent it from.
- Setting up an email filter that automatically scans for scamminess in both the headers and the body of every email message that anyone tries to send you.
- Browsing via a network or endpoint firewall that blocks outbound web requests to fake sites and discards inbound web replies that include risky content.
- Using a password manager that ties usernames and passwords to specific websites, and thus can’t be fooled by fake content or lookalike names.
Email scammers therefore often go out of their way to ensure that their first contact with potential victims involves messages that really do come from genuine sites or online services, and that link to servers that really are run by those same legitimate sites…
…as long as the scammers can come up with some way of maintaining contact after that initial message, in order to keep the scam going.
« Previous Page — Next Page »
