Don’t buy passwords! Generate your own!

The security researchers reading this may think that the title of this blog post is an obvious statement, but business entrepreneurs might not.

A few years ago, a service called “Diceware Passwords” was created. Recently, it has gained a reputation as a way to obtain “cryptographically secure” passwords.

The general concept of this service is that someone creates a password by rolling dice a few times and then picking the correspondingly numbered words out of a dictionary.

In this blog post, I am going to go through some of the ridiculous claims on their website and explain why they are incorrect or misleading.


I sell strong, secure passwords.

First of all, buying passwords from someone and then using them is a very bad idea. Not only does the seller have a copy of the password, but it is probably already in thousands of password databases, ready to be used by attackers across the world.

I use a proven methodology called Diceware to build long, strong, memorable passwords using strings of words from the dictionary.

Using strings of dictionary words in your passwords is a bad idea. Passwords made from dictionary words can easily be cracked, and accounts protected by them can easily be broken into by brute-force attacks.

Even passphrases that have been modified by substituting letters with symbols and/or numbers can easily be defeated by password crackers that apply “mutations” to passphrase combinations. One password cracker that does this is hashcat.

Basically, a high entropy password is a long password.

In computer security, entropy is a term used to refer to the overall randomness of a piece of data.

The statement is true if your password consists of totally random characters in random combinations (such as aW%CNVs^E{jlLOG%). However, passwords created from dictionary words do not have high entropy, as they use only standard letters and no symbols or numbers.
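As an added illustration (not part of the original post), here is a small Python estimator of the entropy figure discussed above. It assumes the standard ASCII character classes as the pool and that each character was chosen uniformly at random. That assumption is exactly what fails for a password made of dictionary words: the real choice was one word out of a list, not one character at a time, so the per-character figure overstates the strength of a word-based password.

```python
import math
import string

# Added example: estimate password entropy from the character classes used.
# Pool sizes are an assumption: ASCII lowercase, uppercase, digits and
# printable punctuation (space included); anything else is counted individually.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),     # 26
    "upper": frozenset(string.ascii_uppercase),     # 26
    "digit": frozenset(string.digits),              # 10
    "symbol": frozenset(string.punctuation + " "),  # 33
}


def pool_size(password):
    """Size of the smallest union of standard classes that covers the password."""
    chars = set(password)
    size = 0
    covered = set()
    for alphabet in CLASSES.values():
        if chars & alphabet:
            size += len(alphabet)
            covered |= alphabet
    # Characters outside the four classes (e.g. accented letters) are counted
    # one by one, a conservative lower bound for whatever pool they came from.
    size += len(chars - covered)
    return size


def entropy_bits(password):
    """Bits of entropy, assuming each character was drawn uniformly from the pool."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def classes_used(password):
    """Names of the character classes present, useful for explaining the score."""
    return sorted(name for name, alphabet in CLASSES.items() if set(password) & alphabet)


if __name__ == "__main__":
    for pw in ("aW%CNVs^E{jlLOG%", "password"):
        print(f"{pw!r}: pool={pool_size(pw)} bits={entropy_bits(pw):.1f} classes={classes_used(pw)}")
```

The 16-character random example from the post scores about 102 bits (pool of 85, three classes), while an 8-letter lowercase string scores about 38 bits even before the fact that it is a dictionary word is taken into account.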

Diceware is a good method for passwords that you really want to be secure – such as the passwords for e-mail and financial accounts.

I really wouldn’t use passwords created using a dictionary for financial accounts.

[Screenshot: dictionary_passwords]

The claims above are misleading. They assume that attackers simply enumerate every possible password combination. As I said earlier, attacks that use dictionary words and introduce mutations can crack these passwords much more quickly. Eight words are not “completely secure” and will not take until 2050 to crack if a dictionary attack is used.


How can you create secure passwords?

You can create strong, secure, random passwords using the Python script below, which I wrote:

# This script generates random passwords
# Created by iFuzion77
# Uses the secrets module (OS-backed CSPRNG) instead of random, which is not suitable for passwords
import secrets
# Character pool: punctuation, digits, ASCII letters and a few accented letters
pslist=["[","]","¬","¦","€"," ","!","\"","#","$","%","&","'","(",")","*","+",",","-",".","/","0","1","2","3","4","5","6","7","8","9",":",";","<","=",">","?","@","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","\\","^","_","`","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","{","|","}","~","á","é","í","ó","ú","Á","É","Í","Ó","Ú","ñ","Ñ"]
for x in range(50):
    output = ""
    # each password is between 30 and 75 characters long
    stringlength = 30 + secrets.randbelow(46)
    for y in range(stringlength):
        output += secrets.choice(pslist)
    print(output)

This script took about five minutes to write. The passwords it generates contain no dictionary words, which makes them resistant to dictionary attacks. The script is also free!


How should I store my passwords?

Use a password manager. Some good options are 1Password, Keepass, LastPass and Kaspersky Password Manager.

Never store your passwords in an unencrypted text document, since a piece of malware could easily retrieve them and send them to an attacker.


One more thing…

To those of you saying “give her a break!” – the problem is that people actually listen to the advice on creating passwords given on that website. Worse, they even buy and use passwords that somebody else created, which is bad!


Scams, Phishing and Web Forgery.

Scams are all over the internet. All of them socially engineer vulnerable people into believing them. Here is a list of how to spot some of the most common ones used on the internet!

  • Websites that say “You have won the lottery” or something similar are almost always scams. In rare cases the popup just redirects you to another site, but in a nutshell, lottery-winning popups are untrustworthy.

[Screenshot: lottery-scam]

  • Websites that say “You have a virus on your computer” or “Your computer is infected” are scams. Often they are accompanied by a phone number which, when called, connects you to a fake tech support centre. These fake technicians often claim they are from Microsoft or some other reputable company, and make false claims about the security of your computer.

[Screenshot: microsoft-scam]

  • Websites that say “You have won a free iPad” or “Click here to win a free iPhone” are scams.
  • Websites that say you need to clean your computer or install drivers are probably scam websites that want you to install a malicious “cleaner” application.

[Screenshot: free iPhone popup]

Common Patterns

Out of all the scams I looked at, I noticed that most of them have the following features:

  • The use of generic terms such as “valued customer” or “client”
  • A command (Example: “Click here”)
  • A warning sign or a check mark.
  • A fake logo representing another company, usually to create a sense of authenticity or trustworthiness.
  • Ratings (Example: “Rated 10/10 by customers”)
  • They make the victim panic in order to get them to download / install malicious software

Email Scams / Phishing Attempts

You may get an email from a company that you know, saying that you need to perform an action, such as resetting your password or testing a new feature. Always watch out for this:

IF THE EMAIL OR WEBSITE REQUESTS THAT YOU TYPE IN YOUR PASSWORD, IT IS MOST LIKELY A PHISHING ATTEMPT! DO NOT TRUST IT AND DO NOT ENTER YOUR PASSWORD OR ANY PERSONAL INFORMATION!

Most companies will never ask you for your password if they need to test something out!
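As an added example (my own, not from the original post), the patterns listed under Common Patterns and the password rule above can be turned into a simple scorer that runs over message text. The phrases and weights are assumptions chosen for illustration, not the rules of any real mail filter, and the two messages it is run on are constructed samples.

```python
import re

# Added example: score a message against the scam/phishing patterns listed above.
# The phrases and weights are assumptions for illustration, not a real filter's rules.
INDICATORS = {
    "generic greeting": (re.compile(r"\b(valued customer|dear (customer|client|user))\b", re.I), 1),
    "command": (re.compile(r"\b(click here|click the link|download now|install now)\b", re.I), 1),
    "urgency or panic": (re.compile(
        r"\b(immediately|within 24 hours|your account will be (closed|suspended)|"
        r"your computer is infected|you have a virus)\b", re.I), 2),
    "fake rating": (re.compile(r"\brated \d+/\d+\b", re.I), 1),
    "prize": (re.compile(r"\b(you have won|free (ipad|iphone)|lottery)\b", re.I), 2),
    # Asking for the password outright is the strongest signal, as the post says.
    "asks for password": (re.compile(
        r"\b(enter|confirm|verify|type in) your (password|pin|login|credentials)\b", re.I), 3),
}


def score_message(text):
    """Return {'score': total weight, 'indicators': [names of patterns that matched]}."""
    hits = {name: weight for name, (pattern, weight) in INDICATORS.items() if pattern.search(text)}
    return {"score": sum(hits.values()), "indicators": sorted(hits)}


def is_suspicious(text, threshold=3):
    """A password request alone, or several weaker signals together, trips the threshold."""
    return score_message(text)["score"] >= threshold


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """Dear valued customer,
We are testing a new security feature. Click here and enter your password
within 24 hours or your account will be suspended."""

SAMPLE_LEGIT = """Hi Alice,
Your order #1234 has shipped. You can track it from your account page whenever you like."""

if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(msg), "suspicious" if is_suspicious(msg) else "ok")
```

The scorer is deliberately crude: a real message can hit none of these phrases and still be a phish, so treat a low score as "no obvious signal", not as proof that the mail is genuine.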

Summary

I hope this helps you to spot scams and phishing attempts. You can always contact a specific company and ask them if a certain email or webpage is fake.

Thanks to @ISniffingWolf for providing me with the iPhone popup website screenshot.

If you think I missed anything out, contact me here

What are state-sponsored attacks?

If you are wondering why I am re-writing this blog post, it is because the old version was terrible and didn’t explain it very well.

State-sponsored attacks / incidents are where government organisations target and attack certain companies, such as Google or Facebook, and try to steal personal information. This information often contains things which identify and expose members of the public. The state-sponsored actors often find and use vulnerabilities in services to steal this information, which is referred to by some as ‘hacking’ or ‘exploiting’ those services.

What personal information is collected / stolen?

Many things are stolen, such as names, gender, phone number, date of birth, home address and more. The government organisations use this information to identify and locate activists or people who are wanted by the police. However, recently there have been a number of attacks where information belonging to random members of the public was stolen.

What government is doing it the most?

There have been many debates about this, but by far the most notorious countries known for these attacks are Russia, the United States, the United Kingdom and China. China was somewhat expected to be on this list * as the Chinese government already does some suspicious things with its internet communications.

What vulnerabilities do they use?

Many vulnerabilities are exploited, such as MITM, XSS, SQL injection or even cross-site request forgery. Some attackers even use one vulnerability to find another.

Summary

Many large companies, such as Google, Yahoo, Facebook and Twitter, warn people if they are believed to be the target of a state-sponsored attack. This means that if you are targeted, you can protect your identity and personal information by removing them from these services before the governments actually obtain this information.

 * – This is my opinion and I was not trying to be stereotypical or ‘racist’.

MITM: Loading a https logon form over http

Ok, we talked about XSS before; let’s talk about MITM now.

MITM (short for Man In The Middle) is a security flaw / risk in many websites. MITM attacks usually happen when a website has weak TLS (Transport Layer Security) or has loaded parts over http (without TLS) and parts over https (with TLS).

TLS is a way of verifying that the client and website are communicating securely. All websites that use TLS should be on an https connection; those without TLS will be on an http connection (you can check this in the address bar).

What is the risk of a MITM attack?

Well, let’s say you have an https logon form loaded over http. Normally, when the user enters their credentials, they would be securely hashed and salted using a hashing algorithm and then sent off to a server-side PHP file that checks them.

However, during a MITM attack, because the logon form was loaded over an http connection with no TLS, the attacker could manipulate the logon form to send the credentials off to a third-party website/server instead of the legitimate one.

Moreover, the attacker could then redirect the client/victim to the legitimate website, so everything would seem normal and the victim wouldn’t even know that their account had been compromised.

At which point on the internet between the client and the website/server could this be done?

It could happen anywhere. Your router, ISP, proxy or even your computer itself!

I still don’t understand what you are talking about.

If you prefer watching a video to reading this, Troy Hunt made a video about it here. That should help you understand a bit more about the risks of a MITM attack.

Summary

Even though this example used a logon form, an attacker could just as easily manipulate anything else loaded over an http connection with no TLS. An attacker could manipulate the webpage to make the victim download and run a malicious script or program.

Even if your website has no logon forms or personal info, it’s still a good idea to secure it with an https connection and a valid certificate, so that visitors to your website do not become victims of a MITM attack.
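As an added example (my own, not from the original post), the situation described above can be checked mechanically: parse a page, note whether it was delivered over https, and flag any logon form or sub-resource that a man in the middle could rewrite. The `PageCollector` class, the `scan` function and the sample page are all assumptions constructed for this illustration; only the standard library is used.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PageCollector(HTMLParser):
    """Collect forms (and whether they hold a password field) plus sub-resources."""

    RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # (absolute action url, has_password_field)
        self.resources = []    # (tag, absolute url)
        self._form = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing action means "post back to this page", hence urljoin with ""
            self._form = [urljoin(self.page_url, attrs.get("action") or ""), False]
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._form[1] = True
        elif tag in self.RESOURCE_ATTRS:
            url = attrs.get(self.RESOURCE_ATTRS[tag])
            if url:
                self.resources.append((tag, urljoin(self.page_url, url)))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(tuple(self._form))
            self._form = None


def scan(page_url, html):
    """Return (problem, url) findings describing what a MITM could tamper with."""
    collector = PageCollector(page_url)
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    if page_scheme != "https":
        findings.append(("page itself is delivered without TLS", page_url))
    for action, has_password in collector.forms:
        # The post's scenario: an https form on an http page can be rewritten in transit
        if has_password and page_scheme != "https":
            findings.append(("logon form delivered over http; a MITM can rewrite its action", action))
        if urlsplit(action).scheme == "http":
            findings.append(("form submits to a plain-http URL", action))
    for tag, url in collector.resources:
        if urlsplit(url).scheme == "http":
            findings.append((f"<{tag}> loaded over http; a MITM can replace it", url))
    return findings


# Constructed sample: an http page carrying an https logon form and one http script.
SAMPLE_PAGE_URL = "http://www.example.test/account"
SAMPLE_HTML = """<html><body>
<script src="https://cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/analytics.js"></script>
<form action="https://www.example.test/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>"""

if __name__ == "__main__":
    for problem, url in scan(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{problem}: {url}")
```

Run against the constructed page it reports three problems; serve the same HTML from an https URL and only the plain-http analytics script remains, which is the "everything on the page, adverts included" point the post makes.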

Check out the risks of XSS attacks with an https logon form loaded over http here.

10/09/2015

WordPress was compromised!

WordPress was compromised by the Neutrino Exploit Kit.

This exploit kit installs backdoors on WordPress sites running older versions of the content management system (4.2 and older). It then redirects the victim through a series of iFrames to a landing page hosting a Flash exploit.

The exploit targets users running Internet Explorer, and the victims’ computers are infected with CryptoWall 3.0 ransomware.

Researchers studying the Neutrino Exploit Kit have said that the IP address of the landing page is 185[.]44[.]105[.]17, which is registered to a “Max Vlapet” in Moscow.

Moreover, researchers say the goal of the exploit kit was to harvest credentials and inject an iFrame to redirect users to the landing page. They also said that people who are not using IE should not receive the malicious iFrame, and those using IE will not be attacked over and over again due to a cookie that the attackers injected.

The CryptoWall ransomware has recently been used in a lot of 0-day exploits leading some to believe that an APT group is behind this attack.

Like other ransomware, CryptoWall 3.0 encrypts files on a compromised computer and demands a ransom to decrypt them, usually over $400 in Bitcoin. This particular piece of ransomware uses numerous channels to communicate stolen traffic to its keepers, including I2P and Tor anonymity networks.

Summary

WordPress remains a soft spot for hackers and attackers, and the Neutrino Exploit Kit is still active. More often than not, attackers will find and exploit vulnerabilities in plugins (such as Java and Flash); however, there have been occasions where the WordPress Core Engine was attacked.

Also, if you haven’t noticed, this webpage is running on the WordPress Core engine, which is why I made this blog post and is why this is relevant.

24/08/2015

How safe do you keep your credentials?

So I’ve noticed that a lot of us do not keep our credentials (usernames, passwords, PINs and others) safe from attackers and people who use remote access.

In fact, a few days ago, I discovered that my brother keeps some of his passwords and usernames in an unencrypted text file, which, if you ask me, is a pretty dumb thing to do considering the amount of malware he accidentally downloads on a regular basis.

Also, many people do not truly know what a hacker is. Many think a hacker is someone who logs into your account without permission or someone who guesses your password over and over again. Well, no. Hacking is the use of malicious software (malware) to steal confidential data (i.e. credentials).

If the attacker does not use malware, then it is not hacking; it would probably be either phishing or a brute-force attack.

Summary

The best way to keep your credentials safe is to simply remember them and not store them anywhere. Don’t use password managers and don’t store them in text files or other documents like my brother did.

Also, always use a decent Anti-Malware / Anti-Virus program to keep you safe from ransomware, trojan backdoors and keyloggers. Some of the best programs to do that are listed below:

Kaspersky Internet Security, BitDefender Internet Security, Emsisoft Anti-Malware and Malwarebytes Anti-Exploit.

21/08/2015

XSS: Loading a https logon form over http

Ok, so I saw this on Twitter and decided to take a look at it:

The response from EnglishNationalOpera was amazing, I couldn’t believe it:

Now, you are probably thinking “What’s going on?” – it’s simple: EnglishNationalOpera does not understand the risks of having an https logon form loaded over http.

The Explanation:

Loading an https logon form over an http connection makes the website and the people who visit it vulnerable to XSS attacks. XSS (short for Cross-Site Scripting) is a client-side script that, when executed, performs a malicious action in the client’s web browser.

Most of the time, attackers who exploit this XSS vulnerability will attempt to steal customers’ cookies, which (if you don’t know what a cookie does) hold sensitive data such as usernames, passwords and session IDs. Another thing attackers usually do is redirect customers to a potentially malicious website.

How dangerous is XSS?

Well, let’s put it this way: Facebook and other companies offer bounties (money) to people who find and report XSS vulnerabilities. Over 50% of websites are vulnerable to XSS.

How can I avoid XSS attacks?

  1. Don’t click on random links on social media websites (especially Facebook; over 53% of all phishing attacks come from people on Facebook)
  2. Try to avoid shortened or obfuscated links (such as bitly or adfly)
  3. If you see a website with a logon form and an http address, report it to the website owner/hoster.
  4. If you own a website, make sure that everything is loaded over https (even your advertisements, if you have any). Some XSS attacks come from someone compromising your adverts, because most adverts are loaded over http.
  5. If you own a website and it uses cookies, make sure that the cookies are HttpOnly. This will stop attackers stealing the cookies, as HttpOnly cookies cannot be read by client-side script, which prevents some XSS attacks on your website: XSS is a client-side script, so if the script is trying to read your website’s cookies, HttpOnly cookies stay out of its reach and your customer is not affected.
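As an added example (my own, not from the original post), the HttpOnly recommendation in point 5 can be checked on the server's responses: parse each Set-Cookie header and report cookies that lack HttpOnly, and also the Secure flag, without which the cookie is sent over plain http as well. The `audit_set_cookie` function, the name hints and the sample headers are assumptions constructed for this illustration; parsing is done by the standard library's `http.cookies.SimpleCookie`.

```python
from http.cookies import SimpleCookie

# Added example: audit Set-Cookie headers for the HttpOnly flag recommended above,
# plus the Secure flag. The header values below are constructed samples.

# Substrings that suggest a cookie carries a session or login token (assumption).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def audit_set_cookie(headers):
    """Return [(cookie_name, missing_flags, severity)] for cookies with problems."""
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # parses name=value plus attributes and bare flags
        for name, morsel in jar.items():
            # Morsel stores "" for an absent flag and True for a present one
            missing = [flag for flag in ("httponly", "secure") if not morsel[flag]]
            if not missing:
                continue
            session_like = any(hint in name.lower() for hint in SESSION_NAME_HINTS)
            findings.append((name, missing, "high" if session_like else "low"))
    return findings


SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly; Secure",  # correctly flagged
    "authtoken=xyz789; Path=/",                    # readable by script, sent over http
    "theme=dark; Path=/; Secure",                  # harmless preference, low severity
]

if __name__ == "__main__":
    for name, missing, severity in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{severity.upper():4} {name}: missing {', '.join(missing)}")
```

Only the session-like cookie is rated high: a missing HttpOnly on a theme preference is untidy, but it is the session token that an XSS payload is after.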

An example of an XSS attack would be this. Note that the link you see there is safe and non-malicious.

Summary

XSS should not be underestimated. A few years ago, someone created an XSS worm on MySpace which infected over 1 million PCs in the space of about a week. This worm raised awareness of XSS in the web security community; however, the number of XSS attacks is still growing, which is why we need everyone to be aware of it.

Note that it’s a good idea to clear your cookies, form data and history regularly to be safe from XSS.

Thanks to Troy Hunt, who informed me about XSS through his YouTube videos here.

17/08/2015