Apr 14 2023

Building a Network Security Strategy: Complete Checklist To Protect Your Network

Category: Network securityDISC @ 7:31 am
Building a Network Security Strategy: Complete Checklist To Protect Your Network

Whether you’re a large or small business, network security is something you can’t ignore.

Threat actors can and will, infiltrate businesses of any size wreaking havoc on computer systems, maliciously encrypting data, and in some cases completely destroying a company’s ability to stay in business. 

While the latter situation isn’t that common, there have been several recent instances where poor network security has led to significant security breaches.

Consider the Uber breach QAwZ from September 2022, where an MFA fatigue attack led to a breach of Uber’s systems.

A similar attack led to a breach of CISCO’s systems, and Activision ended up being hacked after an SMS phishing attack, which reportedly led to a significant data breach of Activision’s IP and employee data.

These breaches signal the need for better network security practices, and they also show how single security measures are not enough.

All of the breaches mentioned above happened because of a weakness in each company’s MFA practices, but they could’ve been mitigated by other security measures including zero trust granular access rules.

Organizations of all sizes need a network security strategy with modern, cloud-based tools and technologies to stay secure:

Single Sign-On (SSO) with Multi-Factor Authentication (MFA)

Before we even get to network security, organizations should deploy a Single Sign-On (SSO) identity provider with Multi-Factor Authentication (MFA) support.

SSO allows users to access multiple applications using one login.

This makes it easier for users to integrate network security practices into their daily routine without much friction, while the IT team has a much easier time keeping everyone organized. 

MFA, meanwhile, adds an extra layer of security by requiring users to provide two or more pieces of evidence to prove their identity.

This is typically a username and password, followed by a one-time code, or biometric authentication such as a fingerprint or facial recognition.

Under an MFA scheme, you can require just a second authentication factor or multiple depending on the level of security you need and your threat model.

SSO with MFA also reduces the risk of password-related security incidents, such as password theft or reuse.

It also makes it harder for hackers to access your network since they have to not only steal the password but somehow obtain the second or even third factor to finally break in.

But as we mentioned at the beginning of this article there are ways to get around MFA security measures, so how do you make sure that doesn’t happen?

It starts with training and clearly defined policies that convey to employees that IT teams and outside security contractors will never ask them for their MFA security codes. 

Second, you can increase the difficulty of MFA for higher privileged accounts such as a number-based challenge that requires the user to see both sets of numbers to correctly answer the MFA challenge.

Biometric measures can also be effective as long as employees understand they should never authorize an MFA request they didn’t initiate. 

Zero Trust Network Access (ZTNA)

One of the biggest and most important strategies in modern network security is the deployment of Zero Trust Network Access. ZTNA assumes that all network traffic is untrusted, even if it originates from inside the network itself. 

ZTNA requires that users prove their identity, and then meet specific security requirements before accessing network resources.

This includes granular access rules that can be user- or group-specific. Then context-based verification allows organizations to limit access to resources based on specific criteria, such as device posture, location of the user requesting access, and time of day.

These contexts are also continually verified to ensure that a user’s security posture doesn’t suddenly change, which can be an indication of malicious activity.

Device posture is an important part of context since it demands that user devices meet certain security requirements before accessing resources.

This can be criteria such as the presence of a specific antivirus suite, a custom security certificate, and a minimum operating system version, among others. 

When you put it all together Zero Trust Network Access reduces the risk of unauthorized access to sensitive data and resources.

This is a far better approach than the legacy-based VPN and firewall. Under the old model, you would log in with a VPN, and then once you had access to company resources that was it.

There were limited access rules about who could see what and no context-based requirements with continuous verification.

That meant that once a hacker gained access to a system they had an easier time achieving lateral movement (moving from one server or resource to another).

After lateral movement, hackers would often obtain higher privileged account credentials ultimately gaining access to employee and customer data, or sensitive trade secrets.

ZTNA provides better control over network access, which enables organizations to detect and respond to security incidents more effectively.

Malware Protection

Malware is one of the biggest and most common threats to network security.

It can infect computers and networks leading to damage to computer systems, malicious data encryption (ransomware), and data exfiltration.

Malware protection solutions are designed to detect and prevent malware from infecting your network via the most common vehicle for infiltration: the Internet.

While you can get infected through malicious USB keys and drives, the most common way is through a malicious website or downloading a malicious file from the Internet.

Malware protection guards against these threats by analyzing web traffic to identify and block malware.

This usually includes a number of techniques such as signature-based detection, behavior-based detection, and virtual code emulation, to identify and block malware.

Putting together a proper malware protection solution can prevent everything from known malware infections to zero-day exploits and advanced persistent threats (APTs).

Web Filtering

Web filtering is a security mechanism that blocks access to malicious websites and content.

This is a list-based solution that blocks known malicious websites, and it can also be used to prevent employees from venturing into problematic areas of the Internet that may violate company policies, break local laws, or simply be time-wasting distractions. 

The focus, however, is to reduce the risk of employees accessing malicious websites and content, which can lead to malware infections, data breaches, and other forms of cyber threats.

Web Filtering can also reduce the workload for IT teams if they no longer have to deal with issues related to web usage.

Compliance

Although not directly part of network securitycompliance is a key consideration when looking at tools and technologies to keep your network secure.

Many companies are responsible for maintaining records for their customers including private information such as health data, credit card data, addresses, and more.

Holding onto information like this as a necessary part of your business only increases the need for solid network security as the consequences of a breach are that much greater.

That’s why Zero Trust Network Access and other modern tools are so important.

Under a traditional perimeter-based approach hackers will have an easier time obtaining sensitive information after a successful breach.

Choosing the Right Solution

Now that we understand what tools you need, how do you choose the right network security solution for your organization?

First, you need to anticipate growth and increased demand for your network security needs.

Opt for solutions that can scale with your business, as well as offer the flexibility to adapt to new threats, and regulatory requirements. Quite often cloud-based platforms are the best choice when it comes to flexibility.

Cost is another important issue; network security investment isn’t just about upfront costs.

There can be many ongoing expenses, especially for hardware-based solutions that require regular maintenance, updates, and support.

And don’t forget about potential hidden costs such as additional licensing fees for certain features or upgrades after your initial service contract expires–it pays (literally) to do your due diligence to discover any potential hidden costs.

If your team is too small to allow for a full-time security expert then consider alternatives such as managed service providers (MSPs).

These specialized organizations offer a wide range of fully managed IT services. By outsourcing some or all of your network security functions to an MSP, your organization can benefit from the expertise and resources of a dedicated security team.

MSPs typically offer 24/7 monitoring and support, threat intelligence, and access to the latest security technologies, ensuring that your organization’s network is continuously protected. 

Suppose you have pre-existing systems that cannot be replaced or are crucial for your business. In that case, you should also consider solutions that offer seamless compatibility with those systems.

Some common pre-existing hardware includes a data center firewall or possibly SD-Wan appliances. 

By considering issues such as scalability, compliance, the total cost of ownership, and legacy integration, you can make an informed decision and select the most suitable network security solution for your organization.

Perimeter 81 Checks All the Boxes

Putting together all of these essential network security features and tools is easy with Perimeter 81.

This cloud-based, converged network security solution provides comprehensive network security focusing on ease of use, lightning-fast deployment, and easy scalability.

Most importantly, however, Perimeter 81 allows you to use  ZTNA, Malware Protection, and Web Filtering from a single management console for easier all-around management.

If your ZTNA needs are simpler than most you can also use Perimeter 81’sFirewall as a Service to protect on-prem and cloud-based resources.

While you can permit access to all services to everyone in the company using the firewall, that is not recommended as granular access control is simple to implement with Perimeter 81 even for those with seemingly basic requirements.

A comprehensive network security strategy is critical for all organizations that want to protect their network and data from cyber threats.

This checklist allows organizations to build a robust and effective network security strategy that meets their specific needs and requirements.

Network Security Checklist – Download Free E-Book

Network Security: Private Communication in a Public World

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Network Security Checklist

Apr 13 2023

AGAIN HYUNDAI AND TOYOTA LEAK CUSTOMER PERSONAL DATA

Category: Data Breach,data security,PIIDISC @ 8:22 am
One again Hyundai and Toyota leak customer personal data

Hackers were able to acquire access to individuals’ personal information after Hyundai announced a data breach that affected vehicle owners in Italy and France as well as those who had scheduled test drives with the automaker. According to Troy Hunt, the author of the website “HaveIBeenPwned,” the event has caused the personal data of clients  to become public.

The letter also makes it clear that the individual who hacked into Hyundai’s database did not take any financial information or identifying numbers. It is unknown how many Hyundai customers have been impacted by this event, how long the network attack lasted, or what additional nations may be at risk. Customers of a South Korean automobile manufacturer are being cautioned to be wary of unsolicited e-mails and SMS messages that pretend to come from the company. These communications might be efforts at phishing or social engineering. In response to the incident, Hyundai claims it has enlisted the help of information technology specialists, who have taken the affected systems down while new security measures are put into place. In February of 2023, the business released emergency software patches for a number of car models that had been compromised by a simple hack with a USB cable, which had made it possible for criminals to take the vehicles.

How to hack any Hyundai, Toyota or Kia cars to steal them

On the other hand, the Japanese automaker Toyota has admitted that there may have been a breach of consumer data due to security flaws at its operations in Italy. Throughout the course of more than one and a half years, up until this past March, Toyota Italy carelessly disclosed confidential information. In particular, it divulged confidential information on its Salesforce Marketing Cloud and Mapbox APIs. Threat actors might utilize this information to their advantage to acquire access to the telephone numbers and email addresses of Toyota customers and then use those details to start phishing attacks on those customers. According to the findings of the research team at Cybernews, the organization exposed credentials to the Salesforce Marketing Cloud, which is a supplier of software and services related to digital marketing automation and analytics. Threat actors might get access to phone numbers and email addresses, as well as customer monitoring information, as well as the contents of email, SMS, and push-notification messages by abusing the data. Moreover, Toyota Italy exposed the application programming interface (API) tokens for the software business Mapbox. These tokens were used to access map data. Although while the data is not as sensitive as the credentials for the Salesforce Marketing Cloud, it is still possible for threat actors to misuse it in order to query a large number of queries and drive up Toyota’s API use costs.

Toyota is not the only automaker that has lately put itself as well as its consumers in Italy in a vulnerable position. In January of this year, the Indian branch of Toyota Motor announced a data breach, claiming that it was possible that the personal information of some of its customers had been exposed.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Hyundai, LEAK CUSTOMER PERSONAL DATA, Toyota

Apr 12 2023

NEW SPYWARE QUADREAM IS A REPLACEMENT OF PEGASUS SOFTWARE USED TO HACK IPHONES REMOTELY

Category: Hacking,Smart Phone,SpywareDISC @ 8:58 am
New spyware QuaDream is a replacement of Pegasus software used to hack iPhones remotely

Security researchers have uncovered fresh malware with hacking capabilities comparable to those of Pegasus, which was developed by NSO Group. The software, which is sold by an Israeli firm named QuaDream, has previously been used by customers to target journalists, political opposition leaders, and an employee of an NGO. The company that makes and sells the spyware is called QuaDream.

The malware was spread to the victims’ phones when the operators of the spyware, who are thought to be government customers, sent them an invitation to an iCloud calendar. The cyberattacks took place between the years 2019 and 2021, and the term “Reign” is given to the hacking program that was used.

A phone that has been infected with Reign can, similar to a phone that has been infected with Pegasus, record conversations that are taking place near the phone, read messages that are stored on encrypted apps, listen to phone conversations, track the location of a user, and generate two-factor authentication codes on an iPhone in order to break into a user’s iCloud account.

Apple, which has been marketing its security measures as being among the finest in the world, has taken yet another hit as a result of the recent disclosures. It would seem that Reign poses an unprecedented and significant danger to the security of the company’s mobile phones.


The spyware that was built by QuaDream attacks iPhones by having the operators of the malware, who are believed to be government customers, issue an invitation to an iCloud calendar to the mobile users of the iPhones. Since the calendar invites were issued for events that had been recorded in the past, the targets of the hacking were not made aware of them because they were sent for activities that had already occurred.

Since users of the mobile phone are not required to click on any malicious link or do any action in order to get infected, these kind of attacks are referred to as “zero-click” attacks.

When a device is infected with spyware, it is able to record conversations that are taking place nearby by taking control of the recorder on the device, reading messages sent via encrypted applications, listening in on phone calls, and monitoring the position of the user.

The malware may also produce two-factor authentication tokens on an iPhone in order to enter a user’s iCloud account. This enables the spyware operator to exfiltrate data straight from the user’s iCloud, which is a significant advantage. In contrast to NSO Group, QuaDream maintains a modest profile among the general population. The firm does not have a website and does not provide any additional contact information on its page. The email address of Israeli attorney Vibeke Dank was included on the QuaDream business registration form; however, she did not respond to a letter asking for her opinion.

Citizen Lab did not name the individuals who were discovered to have been targeted by clients while they were using Reign. However, the organization did say that more than five victims were located in North America, Central Asia, south-east Asia, Europe, and the Middle East. These victims were described as journalists, political opposition figures, and an employee of an NGO. In addition, Citizen Lab said that it was able to identify operator sites for the malware in the countries of Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates, and Uzbekistan.

In a security report that was published in December 2022 by Meta, the corporation that owns Facebook, the name of the firm was mentioned briefly. The report defined QuaDream as being an Israeli-based startup that was created by former NSO personnel.

Seifan: See the version of Pegasus spyware software designed just for Police

At the time, Meta stated that it had removed 250 accounts on Facebook and Instagram that were linked to QuaDream. The company believed that the accounts were being used to test the capabilities of the spyware maker using fake accounts. These capabilities included exfiltrating data such as text messages, images, video files, and audio files.

The discovery of Reign underscores the continuous spread of very powerful hacking tools, even as NSO Group, the developer of one of the world’s most sophisticated cyberweapons, has received intensive investigation and been banned by the Biden administration, likely limiting its access to new clients. NSO Group is the maker of one of the most advanced cyberweapons in the world.

Global Spyware Scandal: Exposing Pegasus, Season 1



InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Pegasus spyware, Quadream

Apr 11 2023

Protect your data with a USB condom

Category: data securityDISC @ 3:15 pm

Better to have USB data protection and not need it, than need it and not be prepared.

A selection of PortaPow USB condoms, also known as data blockers
A selection of PortaPow USB condoms, also known as data blockers

There are three things that I make sure I do when I’m out and about. I seek out the best coffee I can find. I make sure I use a VPN when using public Wi-Fi, and I always make sure I use a USB data blocker, otherwise known as a USB condom, whenever I use a third-party charger (such as those you find in coffee shops).

OK, first off, what on earth is a USB condom? 

Also: FBI warns of public ‘juice jacking’ charging stations that steal your data. How to stay protected

A USB condom is a small dongle that adds a layer of protection between your device and the charging point you’re attaching it to. 

Remember, USB isn’t just a charging protocol, it also allows data to flow back and forth, and while most of the time this data flow is safe, it is possible to create a malicious charging port that can do bad things, such as plant malware on your device or steal your data.

Buy the PortaPow USB | Data Blocker at Amazon

Source:

https://www.zdnet.com/article/protect-your-data-with-a-usb-condom/

Shockproof Carrying Case Hard Protective EVA Case Impact Resistant Travel 12000mAh Bank Pouch Bag USB Cable Organizer Earbuds Pocket Accessory Smooth Coating Zipper Wallet Rose Gold


InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Data blocker, USB condoms

Apr 11 2023

Apple Fixes Zero Day Vulnerability in iOS And MacOS

Category: Zero dayDISC @ 9:46 am
Apple Fixes Zero Day Vulnerability in iOS And MacOS

Apple Fixes Zero Day vulnerabilities for iOS And MacOS devices.

Apple recently released a security update for its iOS and MacOS devices, and fixing zero-day vulnerabilities that could allow cyber attackers to access users’ devices.

The iOS and iPadOS, version 15.7.5, addresses a vulnerability in the iOSurfaceAccelerator and WebKit engine that could allow an app and website to execute arbitrary code with kernel privileges processing maliciously.

Apple notes that this vulnerability has been actively exploited in the wild, making it especially important for users to update their devices as soon as possible.

Meanwhile, the MacOS update, including macOS Big Sur 11.7.6 and macOS Monterey 12.6.5, addressed with improved input validation.

macOS Big Sur 11.7.6

  • CVE-2023-28206

Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: An out-of-bounds write issue was addressed with improved input validation.

iOS 15.7.5 and iPadOS 15.7.5

  • CVE-2023-28206

IOSurfaceAccelerator

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: An out-of-bounds write issue was addressed with improved input validation.

WebKit

  • CVE-2023-28205

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 254797

macOS Monterey 12.6.5

  • CVE-2023-28206

Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved input validation.

Keeping your software up to date is one of the most important things you can do to maintain your Apple product’s security.

  • The latest version of iOS and iPadOS is 16.4.1.
  • The latest version of macOS is 13.3.1.
  • The latest version of tvOS is 16.4.
  • The latest version of watchOS is 9.4.

Note that after a software update is installed for iOS, iPadOS, tvOS, and watchOS, it cannot be downgraded to the previous version.

As always, Apple is urging all users to update their devices to the latest iOS and MacOS as soon as possible to ensure they are protected against these critical security vulnerabilities. Users can download the updates to the iOS device Settings app, and the Software Update section of the System Preferences app on their MacOS device.

Zero-Day Fixes macOS and iOS

The Art of Mac Malware: The Guide to Analyzing Malicious Software


InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: iOS, macOS Zero-Day

Apr 10 2023

What is Server-Side Request Forgery (SSRF)?

Category: Web SecurityDISC @ 8:38 am

Server_Side_Request_Forgery_Prevention_Cheat_Sheet_SSRF_Bible-1Download

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: SSRF, SSRF cheatsheet

Apr 10 2023

What is Cloud Mining and How Does it Work?

Category: Cloud computingDISC @ 8:18 am
What is Cloud Mining and How Does it Work?

Cloud mining is a way for you to purchase mining power from a remote data centre. Cloud mining works in the same way as regular cryptocurrency mining, except that instead of purchasing expensive hardware and dealing with its maintenance yourself, you just need to buy some shares and let a service provider do all the work. 

This can be especially appealing if you haven’t got access to cheap electricity in your area (or any at all), or if you simply don’t want to deal with the hassle of setting up your rig.

What is Cloud Mining?

Cloud mining is a service that allows you to purchase mining power from data centres. The process of mining is done remotely, and the owner of the data centre pays for the hardware and electricity usage. You pay for the hash power that you rent from them.

It is a process of renting crypto mining capacity from a third-party provider and using it to mine cryptocurrencies yourself. Instead of having to buy an expensive mining hardware, pay for its electricity use, and maintain it yourself, cloud mining lets you buy into a mining pool without requiring any of the hassles involved in normal crypto mining.

How does cloud mining work?

Cloud mining is a way to earn cryptocurrencies without having to buy expensive hardware. You can buy hash power from a cloud mining company, which means you won’t have to set up your hardware or software.

You don’t need any special knowledge or skills to start earning money immediately with this method of cryptocurrency mining.

Bitcoin Cloud Mining is the process by which transactions are verified and added to the public ledger, known as the blockchain. The blockchain is what allows a user to send Bitcoin or other cryptocurrencies between their accounts and to pay for goods or services from any merchant that accepts cryptocurrencies. 

The blockchain is distributed across thousands of computers around the world. One of those computers is owned by you! So when your computer works on creating a new transaction block, it adds some cryptographic hashing which validates and secures the block and all subsequent blocks.

The key part here is that if your computer is doing work on someone else’s transaction block, you’ll be rewarded with Bitcoins or other cryptocurrencies, which you can then spend however you’d like. With the Bitcoin price today of over $22,000, this is the currency that receives the most mining.

Advantages of Cloud Mining

  • No need for hardware: Cloud mining is completely virtual. You don’t need to buy any equipment, so you can start earning immediately without having to worry about maintenance or electricity costs.
  • No need for software: Unlike traditional mining where you have to install specific software on your computer, cloud mining requires no software installation at all. Once you purchase hash power from a provider and connect it with their platform (usually via API key), everything else works automatically in the background without any additional effort from your side.
  • No maintenance required: The majority of cloud mining providers offer contracts with monthly fees rather than daily fees like other companies do. This makes it much easier because there’s no need for regular checkups or maintenance work every month like some other platforms require. 

Disadvantages of Cloud Mining

  • High electricity costs: Mining cryptocurrency requires a lot of electricity. If you’re using cloud mining, this cost is passed on to you, the customer. This can be very expensive and make it hard for your ROI (return on investment) to pay off.
  • Maintenance costs: You’ll also need to consider maintenance costs for your hardware, as well as any downtime or downtime during which the machine may malfunction or be repaired by the company providing it. This could also affect your ROI negatively if they don’t have a good track record with repairs and replacements promptly.
  • Low returns on investment: Finally, there’s no guarantee that any particular cryptocurrency will increase in value over time; it may even decrease. If this happens while you’re paying high fees just so someone else can mine coins for themselves instead of doing it yourself directly through an ASIC miner or GPU rig at home then those losses will likely outweigh whatever gains might result from having used cloud mining services like Hashflare or Genesis Mining in order.

Types of Cloud Mining

Cloud mining is a way to mine cryptocurrencies without having to buy expensive equipment or even invest in it at all. Instead, you pay someone else to do it for you.

Host Mining

Host mining is a type of cloud mining where you buy a physical mining rig and pay for the electricity. The price of host mining can be very high, but it’s also the most profitable way to earn money. You need technical knowledge and experience to host mine successfully, so this isn’t recommended for beginners.

Hash Power Leasing 

Hash power leasing is a way to get hash power without buying the hardware. This can be done by signing up with a service provider and paying them for their services. The provider will then provide you with the necessary equipment, which you need to pay for separately.

The process works like this:

  • You sign up with a cloud mining company (like Hashflare or Genesis Mining)
  • They give you access to their mining farm’s equipment and software through an API key or web interface
  • You set up an account with them and deposit money into it (usually Bitcoin)

You are then able to use this money as if it were your own – but instead of buying physical hardware yourself, all of that work has already been done by someone else.

How to spot potential fraud in cloud mining

To avoid fraud, you should look for companies that are transparent about their ownership and location. Look at the company’s domain name and website for authenticity. Avoid any cloud mining company that does not provide a physical address or phone number on its website.

You should also check for reviews and complaints about the company in question by searching online or contacting local authorities (e.g., Better Business Bureau aka BBB).

BitDeer

BitDeer is a cloud mining platform that allows users to rent computing power to mine various cryptocurrencies, including Bitcoin, Ethereum, Litecoin, and more. It was founded in 2018 and is headquartered in Singapore.

BitDeer partners with mining farms and data centres worldwide to provide cloud mining services. Users can rent mining machines or hash power from BitDeer’s partners, which are located in regions with favourable conditions for cryptocurrency mining, such as regions with low electricity costs and cool climates.

StormGain

StormGain is a cryptocurrency trading and exchange platform that offers a range of services for cryptocurrency traders and investors. It was founded in 2019 and is headquartered in Seychelles.

StormGain aims to provide a user-friendly and accessible platform for trading and investing in cryptocurrencies, with a focus on leveraged trading and cryptocurrency mining. Some of the features and services offered by StormGain include Cryptocurrency Trading, Leverage Trading, Crypto Mining, Wallet Services and more.

GMiners

GMiner is a cloud mining company based in Hong Kong. It’s a subsidiary of Genesis Mining, one of the largest Bitcoin mining companies in the world. GMiner offers a variety of different mining contracts for Bitcoin, Ethereum, Dash, Litecoin and Bitcoin Cash.

Potential Risks

Please note that the cryptocurrency market is constantly evolving, and the performance and reputation of cloud mining companies may change over time. It’s essential to do thorough research, read reviews from multiple sources, and exercise caution when investing in cloud mining services or any other form of cryptocurrency investment. Always consider the risks and consult with experienced investors or seek professional advice before making any investment decisions.

Cryptocurrency Mining: A Complete Beginners Guide to Mining Cryptocurrencies, Including Bitcoin, Litecoin, Ethereum, Altcoin, Monero, and Others

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Cloud Mining, cloud security, cryptocurrency mining

Apr 09 2023

Red Teaming Toolkit

Category: Information Security,Security ToolsDISC @ 11:09 am

Red-Teaming-Toolkit-1-1Download

Red Teaming: How Your Business Can Conquer the Competition by Challenging Everything – Free with Kindle trial

Red Teaming: How Your Business Can Conquer the Competition by Challenging Everything

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Red teaming, Security Toolkit

Apr 09 2023

Malware types and analysis

Category: Information Security,MalwareDISC @ 9:48 am

Accelerated Windows Malware Analysis with Memory Dumps: Training Course Transcript and WinDbg Practice Exercises, (Windows Internals Supplements)

Malware analysis reports – Reports and IoCs from the NCSC malware analysis team

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Malware, Malware Analysis, windows malware

Apr 08 2023

What is a smart sustainable city?

Category: Information Security,Smart CitiesDISC @ 12:02 pm
Smart Cities World - Cultural space - Smart city futures showcased in Dubai

Smart sustainable cities

Abu Dhabi and Dubai have  have been ranked as the smartest cities in the Middle East and North Africa region.in the ‘Smart City Index 2021’. The index, by the Institute for Management Development (IMD), in collaboration with Singapore University for Technology and Design (SUTD) surveys residents in ranked cities to assess smart infrastructure and services covering health and safety, mobility, activities, opportunities, and governance.

What is a smart sustainable city?

According to ITU, a smart sustainable city is an innovative city that uses information and communication technologies (ICTs) and other means to improve quality of life, efficiency of urban operation and services, and competitiveness, while ensuring that it meets the needs of present and future generations with respect to economic, social and environmental aspects.

In 2016, the ITU, the United Nations Economic Commission for Europe (UNECE) and the UN Habitat launched the initiative ‘United for Smart Sustainable Cities’ (U4SSC). The U4SSC developed a set of key performance indicators (KPIs) for Smart Sustainable Cities (SSC) to establish the criteria to evaluate the contribution of ICT in making cities smarter and more sustainable, and to provide cities with the means for self-assessments in order to achieve the sustainable development goals (SDGs).

The State of Play of Sustainable Cities and Buildings in the Arab Region-2017

The State of Play of Sustainable Cities and Buildings in the Arab Region Report (PDF 26.19 MB) is a compilation of the main public policies, programmes, case studies, organisations and initiatives associated with sustainable city and building practices in twelve countries in the Arab region. Read about the UAE’s current situation with respect to sustainable cities from pages 79 to 86.

Read more on:

Smart sustainable cities in the UAE

The UAE Government aims to ensure sustainable development while preserving the environment and to achieve a perfect balance between economic and social development. Abu Dhabi and Dubai are planning and developing several smart sustainable cities.

Smart city index

For the second year in a row, Abu Dhabi and Dubai have been ranked as the smartest cities in the Middle East and North Africa region, as per the Smart City Index 2021.

While Abu Dhabi is ranked 28, Dubai is closely behind at 29, out of 118 cities. Compared to 2020, both the emirates climbed up 14 places globally.

The top three smart cities are:

  1. Singapore (1st)
  2. Zurich (2nd)
  3. Oslo (3rd).

Smart City Index report 2023

Smart Cities

Explore how New Zealand is using technology and data to design sustainable smart cities.

Smart Cities: MIT Press Essential Knowledge Series – audio book $0.00

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Oslo, Singapore, Smart Citi, Smart Citi Dubai, Zurich

Apr 07 2023

Microsoft aims at stopping cybercriminals from using cracked copies of Cobalt Strike

Category: Cyber crime,CybercrimeDISC @ 11:21 am
Microsoft aims at stopping cybercriminals from using cracked copies of Cobalt Strike

Microsoft announced it has taken legal action to disrupt the illegal use of copies of the post-exploitation tool Cobalt Strike by cybercriminals.

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. The Beacon includes a wealth of functionality for the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. 

Microsoft Digital Crimes Unit (DCU) announced that has collaborated with Fortra, the company that develops and maintains the tool, and Health Information Sharing and Analysis Center (Health-ISAC) to curb the abuse of Cobalt Strike by cybercriminals.

The Microsoft DCU secured a court order in the U.S. to remove cracked versions of Cobalt Strike (“refer to stolen, unlicensed, or otherwise unauthorized versions or copies of the tool”) so they can no longer be used by cybercriminals.

Threat actors, including ransomware groups and nation-state actors, use Cobalt Strike after obtaining initial access to a target network. The tool is used to conduct multiple malicious activities, including escalating privileges, lateral movements, and deploying additional malicious payloads.

“More specifically, cracked versions of Cobalt Strike allow Defendants to gain control of their victim’s machine and move laterally through the connected network to find other victims and install malware. This includes installing ransomware like ContiLockBit, Quantum Locker, Royal, Cuba, BlackBasta, BlackCat and PlayCrypt, to arrest access to the systems. In essence, Defendants are able to leverage cracked versions of Cobalt Strike to brutally force their way into victim machines and deploy malware.” reads the court order. “Additionally, once the Defendants deploy the malware or ransomware onto computers running Microsoft’s Window operating system, Defendants are able to execute a series of actions involving abuse of Microsoft’s copyrighted declaring code.”

Cobalt Strike attack chain

Example of an attack flow by threat actor DEV-0243.

Microsoft observed more than 68 ransomware attacks, involving the use of cracked copies of Cobalt Strike, against healthcare organizations in more than 19 countries around the world.

The attacks caused huge financial damages to the attacked hospitals in recovery and repair costs, plus interruptions to critical patient care services.

Microsoft also observed nation-state actors, including APT groups from Russia, China, Vietnam, and Iran, using cracked copies of Cobalt Strike.

“Microsoft, Fortra and Health-ISAC remain relentless in our efforts to improve the security of the ecosystem, and we are collaborating with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF) and Europol’s European Cybercrime Centre (EC3) on this case. While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts. Our action is therefore not one and done.” concludes the report.

In November 2022, Google Cloud researchers announced the discovery of 34 different Cobalt Strike hacked release versions with a total of 275 unique JAR files across these versions.

Google Cloud Threat Intelligence (GCTI) researchers developed a set of YARA rules to detect hacked variants in the wild with a high degree of accuracy. The researchers noticed that each Cobalt Strike version contains approximately 10 to 100 attack template binaries


InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Cobalt Strike, Microsoft

Apr 06 2023

Hackers use Rilide browser extension to bypass 2FA, steal crypto

Category: 2FA,Crypto,Information SecurityDISC @ 12:45 pm
Hackers use Rilide browser extension to bypass 2FA, steal crypto
Security researchers discovered a new malicious browser extension called Rilide, that targets Chromium-based products like Google Chrome, Brave, Opera, and Microsoft Edge.

The malware is designed to monitor browser activity, take screenshots, and steal cryptocurrency through scripts injected in web pages.

Researchers at Trustwave SpiderLabs found that Rilide mimicked benign Google Drive extensions to hide in plain sight while abusing built-in Chrome functionalities.

The cybersecurity company detected two separate campaigns that distributed Rilide. One was using Google Ads and Aurora Stealer to load the extension using a Rust loader. The other one distributed the malicious extension using the Ekipa remote access trojan (RAT).

Two campaigns pushing Rilide
Two campaigns pushing Rilide (Trustwave)

While the origin of the malware is unknown, Trustwave reports that it has overlaps with similar extensions sold to cybercriminals. At the same time, portions of its code were recently leaked on an underground forum due to a dispute between cybercriminals over unresolved payment.

A parasite in the browser

Rilide’s loader modifies the web browser shortcut files to automate the execution of the malicious extension that is dropped on the compromised system.

Malicious extension on Edge
Malicious extension on Edge (Trustwave)

If there’s a match, the extension loads additional scripts injected into the webpage to steal from the victim information related to cryptocurrencies, email account credentials, etc.

The extension also disables ‘Content Security Policy,’ a security feature designed to protect against cross-site scripting (XSS) attacks, to freely load external resources that the browser would normally block.

In addition to the above, the extension regularly exfiltrates browsing history and can also capture screenshots and send them to the C2.

Capabilities graph
Rilide’s capabilities graph (Trustwave)

Bypassing two-factor authentication

An interesting feature in Rilide is its 2FA-bypassing system, which uses forged dialogs to deceive victims into entering their temporary codes.

The system is activated when the victim initiates a cryptocurrency withdrawal request to an exchange service that Rilide targets. The malware jumps in at the right moment to inject the script in the background and process the request automatically.

Once the user enters their code on the fake dialog, Rilide uses it to complete the withdrawal process to the threat actor’s wallet address.

“Email confirmations are also replaced on the fly if the user enters the mailbox using the same web browser,” explains Turstwave in the report.

“The withdrawal request email is replaced with a device authorization request tricking the user into providing the authorization code.”

Replacing the email while extracting the 2FA code
Replacing the legitimate email (right) while extracting the 2FA code (Trustwave)

Rilide showcases the growing sophistication of malicious browser extensions that now come with live monitoring and automated money-stealing systems.

While the roll-out of Manifest v3 on all Chromium-based browsers will improve resistance against malicious extensions, Trustwave comments that it won’t eliminate the problem.

source:

https://www.bleepingcomputer.com/news/security/hackers-use-rilide-browser-extension-to-bypass-2fa-steal-crypto/

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: bypass 2FA, Rilide browser extension

Apr 05 2023

HOW TO CREATE UNDETECTABLE MALWARE VIA CHATGPT IN 7 EASY STEPS BYPASSING ITS RESTRICTIONS

Category: AI,ChatGPT,MalwareDISC @ 9:35 am
How to create undetectable malware via ChatGPT in 7 easy steps bypassing its restrictions

There is evidence that ChatGPT has helped low-skill hackers generate malware, which raises worries about the technology being abused by cybercriminals. ChatGPT cannot yet replace expert threat actors, but security researchers claim there is evidence that it can assist low-skill hackers create malware.

Since the introduction of ChatGPT in November, the OpenAI chatbot has assisted over 100 million users, or around 13 million people each day, in the process of generating text, music, poetry, tales, and plays in response to specific requests. In addition to that, it may provide answers to exam questions and even build code for software.

It appears that malicious intent follows strong technology, particularly when such technology is accessible to the general people. There is evidence on the dark web that individuals have used ChatGPT for the development of dangerous material despite the anti-abuse constraints that were supposed to prevent illegitimate requests. This was something that experts feared would happen. Because of thisexperts from forcepoint came to the conclusion that it would be best for them not to create any code at all and instead rely on only the most cutting-edge methods, such as steganography, which were previously exclusively used by nation-state adversaries.

The demonstration of the following two points was the overarching goal of this exercise:

  1. How simple it is to get around the inadequate barriers that ChatGPT has installed.
  2. How simple it is to create sophisticated malware without having to write any code and relying simply on ChatGPT

Initially ChatGPT informed him that malware creation is immoral and refused to provide code.

  1. To avoid this, he generated small codes and manually assembled the executable.  The first successful task was to produce code that looked for a local PNG greater than 5MB. The design choice was that a 5MB PNG could readily hold a piece of a business-sensitive PDF or DOCX.

 2. Then asked ChatGPT to add some code that will encode the found png with steganography and would exfiltrate these files from computer, he asked ChatGPT for code that searches the User’s Documents, Desktop, and AppData directories then uploads them to google drive.

3. Then he asked ChatGPT to combine these pices of code and modify it to to divide files into many “chunks” for quiet exfiltration using steganography.

4. Then he submitted the MVP to VirusTotal and five vendors marked the file as malicious out of sixty nine.

5. This next step was to ask ChatGPT to create its own LSB Steganography method in my program without using the external library. And to postpone the effective start by two minutes.https://www.securitynewspaper.com/2023/01/20/this-new-android-malware-allows-to-hack-spy-on-any-android-phone/embed/#?secret=nN5212UQrX#?secret=8AnjYiGI6e

6. The another change he asked ChatGPT to make was to obfuscate the code which was rejected. Once ChatGPT rejected hisrequest, he tried again. By altering his request from obfuscating the code to converting all variables to random English first and last names, ChatGPT cheerfully cooperated. As an extra test, he disguised the request to obfuscate to protect the code’s intellectual property. Again, it supplied sample code that obscured variable names and recommended Go modules to construct completely obfuscated code.

7. In next step he uploaded the file to virus total to check

And there we have it; the Zero Day has finally arrived. They were able to construct a very sophisticated attack in a matter of hours by only following the suggestions that were provided by ChatGPT. This required no coding on our part. We would guess that it would take a team of five to ten malware developers a few weeks to do the same amount of work without the assistance of an AI-based chatbot, particularly if they wanted to avoid detection from all detection-based suppliers.

ChatGPT for Startups

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: ChatGPT malware

Apr 04 2023

I THINK SOMEONE IS SPYING ME USING AIRTAG, WHAT SHOULD I DO?

Category: Cyber Spy,SpywareDISC @ 9:16 am
I think someone is spying me using AirTag, what should I do?

Keeping track of your most vital belongings, such as your keys, wallet, remote controls, and even motorcycles, may be made easier with the assistance of an Apple AirTag. Yet, allegations that they were utilized to monitor individuals without first obtaining their permission threw an unfavorable light on the utilization and implementation of these technologies. It’s possible that your iPhone will warn you before you have to take any action if you have reason to believe that someone is monitoring your whereabouts via an AirTag. If you believe that you may be in danger because someone is following you without your permission and you feel that you should call law authorities, Apple may provide further information about the owner of the AirTag.

You will be notified of this

If you have an iPhone and you are being tracked by an AirTag, your phone may send you a notification that says “AirTag discovered moving with you.” This will occur if all of the following conditions are met:

The AirTag has been detached from its rightful owner.
iPhone of yours is awake.
When you move the AirTag, it will make a sound.
This may also occur with other accessories that are compatible with Find My Network, such as AirPods, AirPods Pro, or AirPods Max. When you move any of these goods when they are not being handled by their owners, each of them will make a sound.

Verify that the Tracking Notifications feature is turned on.
In the event that you do not get an alert, it is possible that you will need to complete the following procedures in order to guarantee that your tracking alerts are activated:

Go to the Settings menu, and then pick Privacy.
To activate Location Services, choose Location Services from the menu.
Go to the System Services menu.
Put your iPhone in find mode and activate the Notable Places feature.
Return to the Settings menu, and then choose Bluetooth.
Bluetooth must be on.
Last but not least, open the Locate My app and choose yourself.
Activate the Tracking Alerts on your browser.

Try out the app called “Find My.”
When AirTags get separated from their owners, they will produce a sound whenever they are moved in order to assist others in locating them. After confirming that Step 2 has finished, you may open the Locate My app and check to see if the AirTag is located if you think you may have heard an AirTag or another sound that you are unable to identify and suspect it may be an AirTag.

Make AirTag produce a sound.
If you have been notified that an AirTag was traveling with you and are checking the Find My app, you have the option to play a sound on the device in order to locate it more quickly. You can monitor other people’s AirTags by using the Find My app, which you may access by touching on the alert, selecting continue, and then tapping Locate Nearby.

Check all the details about AirTag 
When you have the AirTag in your line of sight, you may access the information it contains on your iPhone or any other smartphone that supports NFC. You will need to bring the top of your iPhone close to the white side of the AirTag that you have located and wait for it to identify it. A notice displays beside a webpage that contains the owner’s last four digits of their phone number in addition to the AirTag’s serial number. If this is a lost AirTag, the owner may have included their contact information so that the person who found it may get in touch with them.

Inactivate the AirTag.
If the owner of an AirTag disables it, they will no longer be able to see its current position or get updates about it. Just removing the battery is all that is required to deactivate the AirTag. You may do this by first opening the AirTag by depressing the button on top and then removing the battery by turning the lid counterclockwise.

Researcher publishes way to bypass Apple AirTag anti-spying protection

You will be able to determine the position of another person’s iPhone so long as your AirTag is in close proximity to that device. And with Apple’s recent release of an official app for monitoring AirTags on Android devices, you don’t even need an iDevice to accomplish that anymore! Yet, there is one very significant exception to this rule.

With Apple Music, the Beats app, and an application for transitioning to iOS, Tracker Detect is one of the few Apple applications that can be downloaded and used on Android devices. If you wish to zero in on a specific rogue AirTag, you can use the app to play a sound on it, and you can also use the app to monitor neighboring rogue AirTags using it. From that point on, you have the option of scanning the AirTag using an NFC reader or turning it off by removing its battery. The functionality is really fundamental, despite the fact that it is rather cool looking. Since it does not have an auto-scan feature, you will not get alerts about nearby missing AirTags as you would on an iPhone. This means that in order to look for a tag, you will need to manually launch the application first. One may argue that this renders the Tracker Detect app rather worthless since a large number of individuals in the reviews part of the app believe that it ought to be able to auto-scan. Spending your day manually searching your immediate environment for AirTags every five minutes is not the most effective use of your time.

It’s not even like there are roadblocks in the way of making that happen on Android phones; all you need is Bluetooth Low Energy (BLE). And enabling auto-scanning for AirTags on non-Apple devices and having those devices participate to Apple’s Find My network would also considerably increase the success of finding AirTags in general. Download the application from the Google Play Store right now if you have an Android device and want to be able to scan AirTags with it.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: AIRTAG

Apr 03 2023

Tor Project Creates New Privacy-Focused Browser using VPN Layer

Category: Information Privacy,Web SecurityDISC @ 3:18 pm
Tor Project Creates New Privacy-Focused Browser using VPN Layer

The Tor browser guarantees that your communication remains operational through a decentralized network of transfers maintained by volunteers located worldwide.

It safeguards your internet connection from prying eyes by preventing any individual from monitoring the websites you visit, shields your physical location from being disclosed to the websites you browse, and enables access to blocked websites.

Numerous reasons exist for why individuals may seek to share files anonymously, with the most prominent being the case of whistleblowers or political activists striving to avoid persecution.

When a user initiates Tor, it initially passes through the first node in the circuit chosen from a pool of 2500 out of 7000 computers referred to as the “Entry Guard.” These nodes are known for their high uptime and availability.

New Mullvad Browser

A new browser was launched today, featuring an alternative infrastructure that includes a layer of VPN support in place of the Tor network.

With the new Mullvad Browser, anyone can fully utilize the privacy features developed by the Tor Project.

“Mullvad Browser, a free, privacy-preserving web browser to challenge the all-too-prevalent business model of exploiting people’s data for profit,” Torproject said.

https://twitter.com/torproject/status/1642830938089594881

This could be another privacy-focused browser that does not require extensions or plugins to bolster its privacy features.

“Our goal was to give users the privacy protections of Tor Browser without Tor. For instance, the Mullvad Browser applies a “hide-in-the-crowd” approach to online privacy by creating a similar fingerprint for all of its users.”

The Mullvad Browser has a default private mode that obstructs third-party trackers and cookies while providing convenient cookie deletion options.

Mullvad aims to handle all of that for you, allowing you to open the browser with the assurance that you are not easily traceable.

“Our mission at the Tor Project is to advance human rights by building technology that protects people’s privacy, provides anonymity and helps them bypass censorship.”

“We want to free the internet from mass surveillance and a VPN alone is not enough to achieve privacy. From our perspective there has been a gap in the market for those who want to run a privacy-focused browser as good as the Tor Project’s but with a VPN instead of the Tor Network,” says Jan Jonsson, CEO at Mullvad VPN.

The Tor Project has released a statement affirming that the Tor Browser will continue to evolve and enhance its capabilities.

Dark Web Onion Sites For Anonymous Online Activities: Browse The Dark Web Safely And Anonymously

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: dark web, Privacy-Focused Browser, Tor Project

Mar 31 2023

CRITICAL SAMBA VULNERABILITIES EASILY ALLOW HACKING OF SERVERS

Category: Hacking,Security vulnerabilitiesDISC @ 10:09 am
Critical Samba vulnerabilities easily allow hacking of servers

Samba is a free software project that runs on operating systems that are similar to UNIX and supports the Windows file sharing protocol. This protocol once went by the name SMB, but it was renamed CIFS a little while later. Computers running GNU/Linux, Mac OS X, or Unix in general may be perceived as servers or communicate with other computers in Windows-based networks in this fashion, making it possible for these machines to perform either role.

Samba has recently been found to have several security flaws, any one of which might possibly let an attacker obtain access to sensitive data. This poses a substantial danger to the system’s security.

CVE-2023-0614 (CVSSV3 SCORE OF 7.7): ACCESS-CONTROLLED AD LDAP ATTRIBUTES CAN BE FOUND

The vulnerability known as CVE-2023-0614 has been discovered, and it enables attackers to access and possibly gain private information, such as BitLocker recovery keys, from a Samba AD DC. As the remedy for the prior vulnerability, CVE-2018-10919, was inadequate, companies that store such secrets in their Samba AD should assume that they have been compromised and need to be replaced.

Impact: The exposure of secret information has the potential to result in unauthorized access to sensitive resources, which presents a severe threat to the organization’s security.

All Samba releases since the 4.0 version are impacted by this issue.

Workaround: The solution that is proposed is to avoid storing sensitive information in Active Directory, with the exception of passwords or keys that are essential for AD functioning. They are in the hard-coded secret attribute list, hence they are not vulnerable to the vulnerability.

4 critical vulnerabilities in Samba: Patch immediately

CVE-2023-0922 (CVSSV3 SCORE OF 5.9): 

They are in the hard-coded secret attribute list, hence they are not vulnerable to the vulnerability.
This vulnerability, identified as CVE-2023-0922, affects the Samba AD DC administrative tool known as samba-tool. By default, this tool transmits credentials in plaintext whenever it is used to perform operations against a remote LDAP server. When samba-tool is used to reset a user’s password or add a new user, this vulnerability is triggered. It might theoretically enable an attacker to intercept the freshly set passwords by analyzing network traffic.

The transmission of passwords in plain text opens up the possibility of unwanted access to critical information and puts the security of the whole network at risk.

All versions of Samba released after 4.0 are included in this category.

Workaround: To reduce the risk of exploiting this issue, change the smb.conf file to include the line “client ldap sasl wrapping = seal,” or add the —option=clientldapsaslwrapping=sign option to each samba-tool or ldbmodify invocation that sets a password.

As is the case with vulnerabilities in other software, those in Samba may put an organization’s security at severe risk. Administrators of Samba are strongly encouraged to update to these versions or to install the patch as soon as reasonably practical.

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: SAMBA VULNERABILITIES

Mar 30 2023

What is a blockchain security implication

Category: Blockchain,cyber security,Information SecurityDISC @ 3:14 pm

Table of Contents

What is Blockchain Security?

What Are the Types of Blockchain?

Blockchain Security Challenges

6 Blockchain Security Examples

Blockchain 2035: The Digital DNA of Internet 3.0

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: blockchain security implications

Mar 30 2023

API Security Checklist

Category: API security,Information SecurityDISC @ 12:43 pm

Specification-based-security-analysis-of-api-1Download

Hacking APIs: Breaking Web Application Programming Interfaces

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: API security checklist

Mar 30 2023

New WiFi Flaw Let Attackers Hijack Network Traffic

Category: Cyber Attack,Wi-Fi SecurityDISC @ 8:27 am
New WiFi Flaw Let Attackers Hijack Network Traffic

A fundamental security issue in the design of the IEEE 802.11 WiFi protocol standard, according to a technical study written by Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef of imec-DistriNet, KU Leuven, allows attackers to deceive access points into exposing network frames in plaintext.

When the receiver is in sleep mode, for example, Wi-Fi devices routinely queue frames at different tiers of the network stack before sending.

WiFi frames are data packages comprising a header, data payload, and trailer containing data like the MAC addresses of the source and destination and control and management information.

By keeping track of the busy/idle states of the receiving points, these frames are broadcast in a regulated manner to prevent collisions and maximize data exchange performance.

According to the researchers, queued/buffered frames are not sufficiently protected from attackers, who can control data transmission, client spoofing, frame redirection, and capturing.

Adversary Can Abuse the Power-Save Mechanisms

The initial version of the 802.11 standards already included power-saving features that let clients go into a sleep or doze mode to use less power. All frames intended for a client station are queued when it goes into sleep mode because it sends a frame to the access point with a header that includes the power-saving flag.

Nevertheless, the standard does not specify how to manage the security of these queued frames and does not impose any time restrictions on how long the frames may remain in this state.

The access point dequeues the buffered frames, adds encryption, and transmits them to the target after the client station has awakened.

Attack Diagram

In this case, a hacker might impersonate a network device’s MAC address and transmit power-saving frames to access points, making them queue up frames for the intended target. To obtain the frame stack, the attacker then sends a wake-up frame.

Typically, the WiFi network’s group-addressed encryption key or a pairwise encryption key, specific to each device and used to encrypt frames sent between two devices, are used to encrypt the transmitted frames.

By providing authentication and association frames to the access point, the attacker can force it to transmit the frames in plaintext or encrypt them using a key provided by the attacker, changing the security context of the frames.

“As a result of the attack, anyone within the communication range of the vulnerable access point can intercept the leaked frames in plaintext or encrypted using the group-addressed encryption key, depending on the respective implementation of the stack (i.e., user-space daemon, kernel, driver, firmware).”, explain the researchers.

Network Device Models That Are Known To Be Vulnerable:

“An adversary can use their Internet-connected server to inject data into this TCP connection by injecting off-path TCP packets with a spoofed sender IP address,” researchers warn.

“This can, for instance, be abused to send malicious JavaScript code to the victim in plaintext HTTP connections with as goal to exploit vulnerabilities in the client’s browser.”

The researchers warn that these attacks may be exploited to inject malicious content, such as JavaScript, into TCP packets.

Cisco is the first firm to recognize the significance of the WiFi protocol weakness, acknowledging that the attacks described in the paper may be effective against Cisco wireless access point products and Cisco Meraki products.

“This attack is seen as an opportunistic attack, and the information gained by the attacker would be of minimal value in a securely configured network.” – Cisco.

The company advises implementing mitigating strategies such as employing software like Cisco Identity Services Engine (ISE), which can impose network access restrictions by implementing Cisco TrustSec or Software Defined Access (SDA) technologies.

“Cisco also recommends implementing transport layer security to encrypt data in transit whenever possible because it would render the acquired data unusable by the attacker,” Cisco.

Hacking Exposed Wireless, Third Edition: Wireless Security Secrets & Solutions 

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Hijack Network Traffic

Mar 29 2023

HACKING WPA1, WPA2, AND WPA3 USING 802.11 WI-FI STANDARD VULNERABILITY

Category: Hacking,Wi-Fi SecurityDISC @ 8:01 am
Hacking WPA1, WPA2, and WPA3 using 802.11 Wi-Fi standard vulnerability

An adversary may circumvent encryption for some communications by exploiting a flaw in the widespread 802.11 protocol, which enables them to do so. The university researchers that made the discovery claim that the flaw enables an adversary to “trick access points into leaking frames in plaintext, or encrypted using the group or an all-zero key.”

Due to the fact that it is a flaw in the Wi-Fi protocol, it impacts more than one implementation. A ground-breaking academic paper with the provocative title “Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmission Queues” was made available to the public on March 27, 2023. This document revealed flaws in the 802.11 Wi-Fi standard. Because of these vulnerabilities, an attacker could be able to impersonate a targeted wireless client and reroute frames that are already in the transmit queues of an access point to a device that the attacker controls. In this post, we will analyze the workings of this opportunistic attack and investigate the many preventative measures that may be taken to protect your network from this danger.

The attack, which has been given the name “MacStealer,” is directed against Wi-Fi networks that include hostile insiders and takes advantage of client isolation bypasses (CVE-2022-47522). Even if clients are unable to communicate with one another, it is able to intercept communication at the MAC layer. Wi-Fi networks that use client isolation, Dynamic ARP inspection (DAI), and other mechanisms meant to prevent clients from attacking one another are susceptible to this issue.

The first company to recognize the flaw was Cisco, which said that the attacks described in the research article might be effective against Cisco Wireless Access Point devices and Cisco Meraki products with wireless capabilities. Cisco was the first firm to admit the issue.

The client authentication and packet routing processes in Wi-Fi networks function independently of one another, which is the root cause of the security hole known as CVE-2022-47522. The usage of passwords, users, 802.1X IDs, and/or certificates is required for authentication, although MAC addresses are what determine how packets are routed. This inconsistency may be exploited by a malicious insider who disconnects a victim from the network and then reconnects to it using the victim’s MAC address and the attacker’s credentials. As a consequence of this, any packets that are still on their way to the victim, such as data from a website, will instead be received by the attacker.

The following are the three basic stages of this attack:

The attacker will wait for the victim to connect to a susceptible Access Point (AP), at which point the attacker will submit a request to an internet server. For example, the attacker may send an HTTP request to a website that only displays plaintext.
Steal the Identifying Information of the Victim: The perpetrator of the attack removes the victim’s network connection before the AP has a chance to process the server’s response. After that, the attacker creates a fake version of the victim’s MAC address and logs in to the network using their own credentials.
Intercept the Response: At this step, the access point (AP) pairs the attacker’s encryption keys with the victim’s MAC address. This gives the attacker the ability to intercept any pending traffic that is destined for the victim.
It is essential to keep in mind that the communication that is being intercepted may be secured by higher-layer encryption, such as that provided by TLS and HTTPS. Therefore, regardless of whether or not a higher-layer encryption is being used, the IP address that a victim is talking with may still be discovered by this approach. This, in turn, exposes the websites that a victim is viewing, which, on its own, might be considered sensitive information.

All Corporate WPA1, WPA2, and WPA3 networks are vulnerable to the attack in exactly the same way. This is due to the fact that the attack does not take use of any cryptographic features of Wi-Fi; rather, it takes advantage of the way in which a network decides to which client packets should be transmitted, sometimes known as routing.

To summarize, the attack described in the “Framing Frames” study is a worrying vulnerability that presents the possibility of adversaries being able to intercept and perhaps read sensitive information that is being carried across Wi-Fi networks. It is essential for businesses to take all of the required steps, such as implementing strong security measures and using mitigations that have been advised, in order to guarantee the safety and security of their networks.

Different Ways for Wifi Cracking

Using 802.1X authentication and RADIUS extensions are two methods that may be utilized to stop MAC address theft. Safeguarding the MAC address of the gateway, putting in place Managed Frame Protection (802.11w), and making use of virtual local area networks (VLANs) are all viable mitigations. The use of policy enforcement techniques using a system such as Cisco Identity Services Engine (ISE), which may limit network access by utilizing Cisco TrustSec or Software Defined Access (SDA) technologies, is something that Cisco advises its customers to do. It is also recommended by Cisco to implement transport layer security in order to encrypt data while it is in transit if it is practicable to do so. This would prevent an attacker from using the data they have collected.

Hacking Exposed Wireless, Third Edition: Wireless Security Secrets & Solutions 

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: 802.11, Hacking Exposed Wireless, WPA1, WPA2, WPA3

« Previous PageNext Page »