Showing posts with the label EH Tips. Show all posts

5 Best Ways to Secure Mobile Users

As mobile devices have become an essential part of daily life, they will soon be used as a tool for employees to enhance their productivity. While workplace flexibility and convenience are increasing, mobile employees are putting enormous amounts of company data at risk. Most of the time employees use third-party applications, ignore security updates, and access unprotected network connections, which leaves personal and corporate data at risk and makes them the easiest targets for cyber criminals.

To reduce such risk from the employee end, Alvaro Hoyos, the Chief Information Security Officer at OneLogin, has suggested some tips that will enable organizations to double-check the security of mobile users and employees.



Realistic Security Policies:


Organizations should prefer reliable and realistic policies. If they implement policies that are too rigid compared to the organization's maturity, chances are that employees will subvert or ignore them altogether.
Policies should be strict but also workable, so that they encourage employees to follow the policy and still get their work done. This is important for mobile users who operate corporate applications on their smartphones or tablets. Policies should be implemented for every device that is used by employees.

Multifactor authentication:


As many employees access their information and work for the organization from remote locations, it is most important to ensure that the right person is using the right information. For that, multi-factor authentication should be used to guarantee the access controls.
Hackers are evolving their attack techniques; the only way to protect against unauthorized access is to implement multi-factor authentication for mobile users, which reduces the risk of a hacking incident.

Empower Employee:


Organizations deploy many automated detection systems that alert them to any uncertain or unexpected activity. This process can extend to the most granular part of the organization: its employees. When employees are empowered to become part of the organization's detection plan, they get to know about the activities they have direct control over, such as changing their password or logging in from a new location, and this helps the organization make employees part of its early detection plan.

Understanding the Risk of Mobility:

Mobile devices, whether used by employees or by other mobile users, should not be primary devices with complete access, nor should they carry confidential organizational information. Organizations should consider the risk of stolen or misplaced devices and how devastating it could be. To overcome this critical issue, mobile users should protect their devices with a trusted SaaS solution. Additionally, documents on mobile systems should be backed up on a daily basis.
Furthermore, policies should define for mobile end users what data can be copied to mobile devices and what data should never leave those same systems.


Continuous Monitoring and tracking:


As a huge number of employees access systems from mobile devices, it is possible that a device may get lost, stolen or misplaced. In such cases an asset tracking system should be implemented. No doubt these solutions are expensive, but they are worth the investment to protect an organization's assets from falling into the wrong hands. Devices that are no longer in use or have been lost or stolen need to be tracked as well, in case they reappear on your network.

Even when you are sure which remote device is doing what from where, threats will still be there. Monitoring is the best option to expose suspicious activities and to prevent employees from entering privileged mode or accessing restricted information. Unauthorized mobile users can be devastating for any organization, so prevention techniques should be implemented to reduce this risk.


~ Friday, 30 September 2016 0 comments

How to stop WhatsApp to share Mobile Number with Facebook

It has been more than two years since Facebook officially acquired WhatsApp to expand the digital marketing landscape. Although WhatsApp CEO Jan Koum said that user privacy wouldn't suffer, the services are about to get a little bit friendlier with their data sharing.

WhatsApp has changed its privacy policy; the new policy gives it permission to share data, including your phone number, with Facebook. In an FAQ, WhatsApp says it is doing this to:

More accurately count unique users.
Better fight spam and abuse.
Show better friend suggestions and more relevant ads to you on Facebook.



In a blog post, WhatsApp stated the reason behind this data sharing, highlighting its plan to test ways to communicate with businesses.

“Whether it’s hearing from your bank about a potential fraudulent transaction, or getting notified by an airline about a delayed flight, many of us get this information elsewhere, including in text messages and phone calls. We want to test these features in the next several months”.

What can be done to avoid this sharing of information between WhatsApp and Facebook?

There are two ways to opt out of sharing your account information with Facebook for targeting purposes.

Method 1:

On WhatsApp, don't click Agree when it asks you to confirm you are happy with the change of terms. Instead, click Read more. You should then see a check box or control button at the bottom of the screen which says “Share my WhatsApp account information with Facebook to improve my Facebook ads and product experiences”. Uncheck this.



Method 2:

If you have already agreed to the updated terms, you can go to Settings > Account > Share my account info in the app. Then uncheck the box or toggle the control. But be quick: WhatsApp says you only have 30 days to make this choice after agreeing to the new terms.



It seems that you can't completely opt out of this, as WhatsApp says that your information is sent to Facebook for other purposes such as improving infrastructure and delivery systems, understanding how its services are being used, securing systems, and fighting spam, abuse, or infringement activities.

So it's clear that some of your information remains accessible to Facebook in a secure and reliable way. The only way to avoid this information sharing is to avoid using WhatsApp.


~ Friday, 16 September 2016 0 comments

Credit Card 101 - Part 1

Hello guys, we are back with another awesome article. In this series of articles (Credit Card 101) we are going to learn about various credit cards, how credit cards work, how to hack credit cards and, most important, how to secure your personal credit card. So to start with credit card hacking we must first understand how credit cards are designed and how they work.


Credit Card Numbers:

So let's consider a random credit card number as an example (this is not my credit card).

4485 3151 5882 2849

The credit card number is divided into various parts which help the payment gateway to charge the original consumer of the credit card.
1. The first number (4) is the MII
2. The next 5-6 numbers are the issuer ID
3. The next numbers, leaving out the last number, are the user ID
4. The last number is the check number, also known as the check algorithm number.



What is MII?

MII stands for major industry identifier. This is a constant number that is given to the consumer according to the needs of the consumer. For example, in most cases a consumer uses his/her credit card number for online transactions. This is the reason most credit card numbers start with 4 or 5, which means the banking and financial industry. This digit can range from 0 to 9. More information is provided at the bottom of the article.


What is Issuer ID?

The issuer ID stands for the card provider, i.e. Visa, Mastercard, etc. For example, if the digits are 4xxxx then it is a VISA card and the length of the card number is 16. More information is provided at the bottom of the article.

What is User ID?

This number is the identity of the user and the bank to which the card was issued. It depends on the user's account number and other details. This number can be reused if a particular card holder stops using the service.


What is check number?

A check number is used to ensure the validity of the card. It is the last digit of the credit card number. Credit cards follow the Luhn check algorithm.

Luhn's Credit Card Algorithm:

Original Number: 4485 3151 5882 2849

1. From the back, double every alternate number (starting with the second-to-last digit).
What we get: 8  (16)  6  (10)  (10)  (16)  4  8

2. If a doubled number has two digits, add those two digits together.
What we get: 8   7   6   1   1   7   4   8

3. Write these results back in place, together with the alternate numbers that we set aside in the first step.
8475   6111   1872   4889

4. Add up the digits of the new number that we get.
8+4+7+5+6+1+1+1+1+8+7+2+4+8+8+9=80

5. If the sum is a multiple of 10 then the credit card number is valid.
Since 80 is a multiple of 10, we can conclude that 4485 3151 5882 2849 can be a valid credit card number.
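The five steps above as a form-validation helper, written as an added example (not code from the original article). It exposes the intermediate values so they can be compared with the worked numbers, computes a missing check digit, and looks up the MII and issuer using only the tables from this article; the function names are this example's own. A passing Luhn check only shows that the number is free of typing errors, not that the card exists.

```python
import re

# Tables copied from this article; they are not a complete or current registry.
MII_CATEGORIES = {
    0: "Other industry assignments",
    1: "Airlines industry assignments",
    2: "Airlines and other industry assignments",
    3: "Travel and entertainment",
    4: "Banking and financial",
    5: "Banking and financial",
    6: "Merchandising and Banking",
    7: "Petroleum",
    8: "Telecommunications and other industry assignments",
    9: "National assignment",
}
# (issuer, lowest prefix, highest prefix); strings keep the prefix length explicit.
ISSUER_PREFIXES = [
    ("Diner's Club/Carte Blanche", "300", "305"),
    ("Diner's Club/Carte Blanche", "36", "36"),
    ("Diner's Club/Carte Blanche", "38", "38"),
    ("American Express", "34", "34"),
    ("American Express", "37", "37"),
    ("VISA", "4", "4"),
    ("Mastercard", "51", "55"),
    ("Discover", "6011", "6011"),
]


def normalize(number):
    """Drop spaces and hyphens, then insist on ASCII digits only."""
    digits = re.sub(r"[\s-]", "", number)
    if not re.fullmatch(r"[0-9]+", digits):
        raise ValueError("card number must contain only digits, spaces or hyphens")
    return digits


def luhn_trace(number):
    """Return the intermediate values of steps 1 to 4 so they can be inspected."""
    digits = [int(c) for c in normalize(number)]
    doubled, reduced, rewritten = [], [], []
    # Walk from the back: index 0 is the check digit, odd indexes get doubled.
    for index, digit in enumerate(reversed(digits)):
        if index % 2 == 1:
            twice = digit * 2
            doubled.append(twice)
            # Adding the two digits of 10..18 equals subtracting 9.
            digit = twice - 9 if twice > 9 else twice
            reduced.append(digit)
        rewritten.append(digit)
    for values in (doubled, reduced, rewritten):
        values.reverse()  # back to left-to-right order, as written in the article
    return {"doubled": doubled, "reduced": reduced,
            "rewritten": rewritten, "total": sum(rewritten)}


def is_luhn_valid(number):
    """Step 5: the number passes when the total is a multiple of 10."""
    return luhn_trace(number)["total"] % 10 == 0


def check_digit(body):
    """Compute the check digit for a number that still lacks its last digit."""
    total = luhn_trace(normalize(body) + "0")["total"]
    return (10 - total % 10) % 10


def describe(number):
    """Combine the Luhn result with the MII and issuer lookups."""
    digits = normalize(number)
    issuer = None
    for name, low, high in ISSUER_PREFIXES:
        # Equal-length digit strings compare in numeric order.
        if low <= digits[:len(low)] <= high:
            issuer = name
            break
    return {"mii": MII_CATEGORIES[int(digits[0])], "issuer": issuer,
            "length": len(digits), "luhn_valid": is_luhn_valid(digits)}


if __name__ == "__main__":
    sample = "4485 3151 5882 2849"  # the article's example number
    print(luhn_trace(sample))
    print(describe(sample))
```

Changing any single digit, or swapping most pairs of adjacent digits, makes the total stop being a multiple of 10, which is the typing-error detection the check digit exists for.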

MII Digit Value = Category
0 = Other industry assignments
1 = Airlines industry assignments
2 = Airlines and other industry assignments
3 = Travel and entertainment
4 = Banking and financial
5 = Banking and financial
6 = Merchandising and Banking
7 = Petroleum
8 = Telecommunications and other industry assignments
9 = National assignment

Issuer ID                        Card Number
  • Diner's Club/Carte Blanche   300xxx-305xxx, 36xxxx, 38xxxx
  • American Express             34xxxx, 37xxxx
  • VISA                         4xxxxx
  • Mastercard                   51xxxx-55xxxx
  • Discover                     6011xx





Check Next Article ( will be updated soon )





~ Sunday, 4 September 2016 0 comments

Want to become Security Engineer?

The risk of financial and reputation damage caused by a data breach has led to greater demand for security engineers, and a growing skills gap. However, with a growing skills gap comes greater opportunity for a fulfilling and lucrative career as a security engineer.



So the question is: what is a security engineer, and what skills are required to be one?

Typical responsibilities for a security engineer include installing and maintaining hardware and software (firewalls, antivirus, and intrusion detection) to reduce security risks within an organization.

The security engineer role is about building and maintaining IT security solutions that help organizations to stay protected against cyber threats. This differs from a security analyst, who is concerned with organizational awareness, policy and governance risk management.

Skills and Qualification:

To become a security engineer, in terms of qualification, an employee should have a bachelor's degree in a technical subject such as computer science, cyber security, mathematics, engineering or science.

Experience in network security is beneficial, and certification with industry-standard technologies like Juniper, Blue Coat, Checkpoint, Palo Alto Networks, Cisco IOS or Sophos Enterprise Portal would be a bonus. There is also a range of internationally recognized certifications from organizations, such as CEH, CISSP and (ISC).

Tips:

A tip for becoming a security engineer is to start learning new skills straight away. Watch YouTube videos, subscribe to security blogs and keep up to date on recent hacks in the news.

Remember, you don't need a Master's in Cyber Security or ten years' experience to become a security engineer. An enthusiastic attitude and an understanding of the main industry challenges can take you a long way.

Moreover, you can also take practical security courses to gain some hands-on knowledge. A security engineer requires both a practical and a theoretical background in the security measures that are used to secure an organization and its information systems.


~ Sunday, 28 August 2016 0 comments

How to win against Phishing attacks?

A Phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers, that the legitimate organization already has.

Phishing attacks are launched by an attacker from a remote location using sources that are authentic or look authentic. This leads users to click on the attacker's links and disclose their personal information.



Attackers can run a phishing campaign that takes only five minutes to put together, and within 25 minutes they gain access to corporate data, which can lead to an organization-wide breach.

There are some ways to win against these types of attacks.

Check source of Incoming email:

Your bank or other financial institution will never ask you to give your financial details, passwords or other personal information by email. Never respond to these emails, and in case of any doubt, call your bank for clarification.

Never follow your bank website link from emails:

You should manually log on to your bank's website instead of following links provided in an email. Such a link may take you to a dummy page that an attacker has created to steal your login information.

Enhance security of your computer:

Being observant is the key to identifying suspicious activities and protecting your computer, but you should also install a good antivirus solution to block these types of attacks. In addition, keep your system and antivirus updated to detect the latest attacks and malware.

Serve your sensitive data over private and protected websites only:

Many websites are not secured and collect personal details without any security. Avoid such websites, and make sure that you are connected to a private and secured network and computer before sending your personal and classified information.

Have any doubt? Don’t risk it:

If you have any doubt that a website is acting abnormally or redirecting you towards unnecessary pages, stop there and don't risk your information. This is the most basic technique to avoid phishing attacks.

These are some of the basic techniques to overcome and win against phishing attacks, but organizations should also create network strategies that restrict users to trusted websites only. Additionally, emails should be monitored continuously to block malicious links.


~ Friday, 26 August 2016 0 comments

Why your security awareness program fails?

The best way to protect organizations from cyber threats is to train employees and conduct an awareness program that enables them to work securely. Risk is everywhere: millions of people become victims of identity theft each year, and the number is rising.

Even the best cyber security solution can’t protect your organization when your employees are unaware of the severity of their routine practice. Regular awareness can train them to handle threats at a granular level.



Many organizations fail to provide successful security awareness to their employees. Certain deficiencies in awareness programs account for the poor state of awareness in many organizations.

Poor Governance:

The greatest deficiency in most awareness programs is that they focus on what not to do instead of focusing on what employees are supposed to do. Instilling good security-related behavior is the main purpose of an awareness program. In other words, security awareness programs should be the promotion of behaviors defined in governance.

Security policies and procedures are not referred to when conducting day-to-day tasks; this is the major flaw that lets threats go undetected on a routine basis.

Relying on Fear:

In many organizations, the awareness program lacks positive promotion of procedures and techniques. This is a gross mistake that makes a security awareness program a big flop. Organizations are more concerned with frightening employees into adopting the awareness tips; as a result, employees are left afraid to do their basic routine tasks.

An awareness program should not scare employees; instead it should make them more confident to look ahead while performing their tasks safely.

The Hacker Mentality:

The main objective of such an awareness program is to tell people how a hacker can hack them and then tell them not to fall victim to it. For example, it will tell you how a hacker can ask for your password over the phone, and that you should not give out your password over the telephone.

The deficiency in telling people specifically what not to do is that the hacker will apply other techniques to acquire passwords. They can ask the employee to modify registry files on the computer, because employees were not told in the awareness program to refuse such a request.

Bad Technical Security:

Users should not be allowed to install software on systems, so that ransomware cannot install itself when a user opens a malicious file. Storage devices should be encrypted, and access to suspicious and unsafe websites should be prohibited.

Even when users are aware of threats and security, neglecting technical security can be dangerous. It works as a second layer behind an end user who is operating securely. Poor technical security allows the inevitable user failure to become a serious incident.

Treating Awareness as an ordinary activity:

When you treat the awareness program as an ordinary activity, you are allowing insecure access to the internet by your own employees. It can be disastrous to the organization if an attacker compromises or tricks a user to gain access.

Making the awareness program a top priority is the only solution to overcome many threats at the initial, basic level. Many organizations think it's unnecessary to do so, and the whole picture changes when they come into contact with a cyber attack.

The underlying problem is that security awareness programs are more difficult to implement than most security professionals want to acknowledge. It requires appropriate knowledge, skills, and abilities to implement a security awareness program more effectively. Organizations should consider not repeating such common mistakes to make their security awareness program successful.


~ Thursday, 25 August 2016 0 comments

5 Basic Tips to Reduce Insider Threat


As cyber attacks are rising consistently, organizations are looking to strengthen their security policies, management and strategies in order to detect and prevent them. But there are more sensitive threats as well, and among them is the insider threat.



The insider threat is crucial and should be addressed as seriously as external threats. Here are some easy tips to follow in order to reduce and prevent insider threats:

Securing Data

An organization must secure data not only by implementing strong encryption techniques, but also through controlled access as well as logging and monitoring of who touches that data. Before implementing an insider threat program, first secure your data and restrict data access. Data can be worth millions of dollars if exposed to competitors.

Learn From the Past Attack

“If you are experiencing a cyber attack, you are not alone, learn from others”
With each attack, advance your security strategies and put new controls in place to explicitly watch for similar types of attacks, so they can be prevented before damaging the company's assets.

Train Employees

In many cases employees don't even know that they are being used against their organization: they perform activities that are not harmful in nature but are sensitive and critical to the organization and beneficial to a competitor. Training should therefore be provided on a regular basis so that employees are aware of the outcome of their activities.

Use Latest Technologies

The latest technologies play an important role in fighting cyber security threats. A centralized logging tool can be used to monitor employee logs and to inspect the nature of their emails, for example whether attachments exceed a specified size. It can detect many insider attacks as well as record employees' activity.

Cooperate with Your Employee

One thing to keep in mind to overcome the insider threat: don't make your employees unhappy. An unhappy employee can be more dangerous to an organization than any outsider. Insiders have all the access to the system; don't give them a reason to spoil your business.

By adopting these simple tips you can overcome the insider threat easily. Don't take the insider threat lightly; it's more dangerous than any other attack, as insiders have all the access needed to enter your system. One bad employee can ruin your whole business, so keep monitoring your employees.



~ Tuesday, 26 July 2016 0 comments

Cyber Security Career Guide



What is a Cyber Security Specialist?

A cyber security specialist works with companies to secure computer systems. They ask staff about their current security methods. They inspect the whole system and classify the company's data by its severity. They find out what information needs protection. Cyber security specialists are also responsible for defining access levels for employees, that is, what information should be accessible to a specific user. Security specialists use their findings to plan security policies and strategies. They regularly train staff on how to use security software and how to use computers properly to prevent cyber attacks.



Specialists evaluate security breaks and determine if there are problems or errors. If there is a problem, specialists track where the break came from and shut off the access point.

Why Become a Cyber Security Specialist?

The cyber security field is expected to grow faster than the average rate. An increase in cyber security jobs is expected as technology continues to advance and attackers remain highly active. More businesses will go online, which requires cyber security plans and strategies to secure them.

Education Path:

There are many ways to become a cyber security specialist. Many employers prefer to hire people with some formal university background, such as a bachelor's degree in computer science with a major in information security. Another route is self-study followed by certification.

An important part of preparing for this field is learning the latest technology. Some people learn through classes and others teach themselves through online courses and tutorials.

Formal Studies: 

Many people choose a formal degree plan to specialize. For them, a Master's in Cyber Security is the best they can choose. Another degree for becoming a cyber security specialist, which is a more practical course of study, is Information Security Assurance.

Certificates:

As with other computer science degrees, certificates increase your appeal to employers. A bachelor's degree alone won't teach you cyber security in depth, so self-study, tutorials, online courses and certifications will lead you towards the specialized zone.
Some recommended courses are:

Certified Ethical Hacker (CEH)
Certified Information Systems Security professional (CISSP)
Certified Network Defense Architect (CNDA)
Certified Network Security Administrator (NSA)

Many of the courses are available and taught online at highly affordable rates, to help overcome the shortage of cyber security professionals in a world of growing security threats.


Salary and Wages
The increasing need for cyber security professionals has raised the average salary for the field. An average security consultant earns $50,000+ annually. The average annual salary is $60,000. This shows the demand for cyber security professionals among companies.



Once you’ve got a cyber security career in mind, we recommend you do a quick search for that job on major employment sites (SimplyHired, Monster, Indeed, etc.). This will give you a sense of what kinds of current qualifications, certifications and degrees employers want to see.

However the lists of hard skills and certifications are not written in stone. They’re simply suggested starting points. You may find some of them unnecessary; you may require more specialized skills for your dream job. Again, feel free to take away what you find useful.


~ Tuesday, 5 July 2016 0 comments

Four Things You Shouldn't Forget About Web Application Security

Eliminating all vulnerabilities from your web application is an important part of maintaining your overall security posture. As part of that process, web application vulnerability scanners play a crucial role in that they provide an efficient and effective method of exposing vulnerabilities and helping to keep your application online and secure.

Because automated web security scanners play such a crucial role in the process of web application security, it’s easy to forget that there are many other elements of security that also deserve your attention.

In this post, we’re going to cover some of the “other” important security elements that are often overlooked — both in terms of the application itself as well as the infrastructure.


Don’t Let Infrastructure be Your Weakest Link

Like everything else, a strong security posture starts with the foundation. As important as it is to eliminate web application vulnerabilities, efforts may be wasted in the event that your application resides on an insecure web server, or you're running insecure software, as happened in the infamous Mossack Fonseca and Panama papers leak.

We're not going to get into the process of securing your web server other than to point out a few of the obvious ways that you can harden your security. However, as an example, if you're running a popular open source option like the LAMP stack, there are some straightforward actions you can take such as:

     Make sure you are running the latest version of Apache
     Disable any unused or unnecessary modules
     Prevent the version number, operating system and installed modules from being displayed
     Disable/Prevent directory browsing
     Limit the total HTTP request size to reduce the probability of a DDoS Attack
     Enabling Apache Logging
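A small audit script for the items in the list above that can be read from an Apache configuration file, written as an added example (not part of the original post). Both sample configurations are constructed for illustration, the finding names are this example's own, and the set of modules flagged for review is an assumption; the Apache version itself cannot be checked from the file.

```python
# Modules flagged for a "do we really need this?" review. This set is an
# assumption made for the example, not an official Apache recommendation.
REVIEW_MODULES = {"autoindex_module", "status_module", "info_module"}

# Constructed sample: every weak setting from the list above.
WEAK_CONF = """
ServerTokens Full
ServerSignature On
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule status_module modules/mod_status.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
LimitRequestBody 0
"""

# Constructed sample: the same server with the settings corrected.
HARDENED_CONF = """
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
LimitRequestBody 1048576
CustomLog "logs/access_log" combined
ErrorLog "logs/error_log"
"""


def parse_directives(conf_text):
    """Yield (name, args) per directive; comments and <Section> tags are skipped.

    Simplification: the file is treated as flat, so per-directory merging
    and Include files are not modelled.
    """
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, *args = line.split()
        yield name.lower(), args  # directive names are case-insensitive


def audit(conf_text):
    """Return a list of (finding, advice) tuples; an empty list means no findings."""
    directives = list(parse_directives(conf_text))

    def last_value(name):
        values = [args[0].lower() for n, args in directives if n == name and args]
        return values[-1] if values else None

    findings = []
    # Version number, operating system and modules shown in headers and error pages.
    if last_value("servertokens") not in ("prod", "productonly"):
        findings.append(("version-disclosure", "set ServerTokens Prod"))
    if last_value("serversignature") not in (None, "off"):
        findings.append(("signature-enabled", "set ServerSignature Off"))
    # Directory browsing is switched on by the Indexes option (or by All).
    for name, args in directives:
        if name == "options" and {a.lower() for a in args} & {"indexes", "+indexes", "all"}:
            findings.append(("directory-browsing", "use Options -Indexes"))
            break
    # Request size limit: a missing, non-numeric or zero value is reported.
    limit = last_value("limitrequestbody")
    if limit is None or not limit.isdigit() or int(limit) == 0:
        findings.append(("no-request-size-limit", "set LimitRequestBody in bytes"))
    # Logging: report when no access log is configured at all.
    if not any(name == "customlog" for name, _ in directives):
        findings.append(("no-access-log", "add a CustomLog directive"))
    # Unused modules: list loaded modules worth a manual review.
    for name, args in directives:
        if name == "loadmodule" and args and args[0] in REVIEW_MODULES:
            findings.append(("review-module:" + args[0], "disable if unused"))
    return findings


if __name__ == "__main__":
    for finding, advice in audit(WEAK_CONF):
        print(f"{finding:40} {advice}")
```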

There are a multitude of additional steps you can take to reduce your overall exposure including:

     Eliminating remote access or, at the very least, restricting remote access to a limited number of IPs and users
     Using a separate environment for development, testing and production. Amazon EC2 makes the process of setting up temporary testing and development environments relatively simple which limits access to your production environment.

If you’re unsure of how to configure your server, get advice from your server admin or system engineer.

Manage User and Application Privileges Responsibly

The best way to manage user privileges is by following the principle of least privilege (POLP). POLP states that each individual user should have their access limited to the minimal level required to complete their necessary tasks. The same rule applies to web applications: assign the minimal level of permissions required for normal functioning.

Managing privileges is something that can occur on a variety of different levels, including the server, database and software level. For example, if you are running WordPress, full administrator privileges should be restricted to very few users. Even at the administrator level, there are certain functions that can be disabled in order to further harden security. Read the Principle of Least Privileges for WordPress for more specific information on POLP on WordPress.

Keep Software Up To Date

As vulnerabilities are discovered and patches are released, it’s important to keep all of your software up to date. We can approach this from two angles:

The first is making sure that any software you're using is running on the current version. This is an issue we see frequently on platforms like WordPress and with JavaScript libraries. Looking at current WordPress statistics, over 15% of installations are currently running version 3.9 or older.

In many instances, using a web application vulnerability scanner will help in this regard. For example, if your web application is using a JavaScript library that is out of date, ideally you should be alerted not only that the library is out of date but also which vulnerabilities are associated with your particular version.

The second is keeping your scanning software up to date. If you are using a desktop-based scanner, make sure you're using a version with the most recently updated vulnerability library; cloud-based vulnerability scanners will be automatically updated.

Know What’s Happening On Your Web Application

Finally, one security measure that is often overlooked is the process of monitoring and logging user activity. Web application logs provide a multitude of benefits, the most important of which is the ability to help improve your web application security.

Monitoring user activity is often one of the first steps in determining when an attack might be underway. Even though only a very small percentage of users are malicious, logging can help to identify those users and block them from taking any further action.

Logging user actions can also help to identify ways in which your web application might be vulnerable or for identifying potential misuse. If you are able to identify, track, record and alert administrators of suspicious activity, it is often possible to make changes to your application before an attack occurs or even halt a malicious user before it becomes a major security issue.

Manage Web Application Security From a Holistic Standpoint

Managing web application security is a complicated process. There are many moving parts that need to be managed concurrently. Unfortunately, the vast number of systems that require attention for even a basic web application, often result in one aspect of security being overlooked.


When assessing overall security posture, we often default to the technical aspects of security — scanning for and patching web application vulnerabilities. However equally important is the ability to manage the most obvious elements that are often the source of our problems. This includes things such as web server security, limiting user privileges, properly maintaining software and being aware of how users are interacting with your application. Your web application security posture is only as strong as the weakest link.

~ Saturday, 28 May 2016 0 comments

Required Technical Skills to be a Hacker

Hacking without any technical skill and knowledge is a dream that can't come true, but what kind of technical knowledge is required to become a hacker is the real question. Intangible skills alone can't give you success in the field of information security; you need an in-depth understanding of how technology actually works. You need to understand the systems and processes, from electrical pulses to radio frequency, from bits to bytes and from Windows OS to Linux OS. Many computer languages require your attention, but following the right direction is the real deal that will lead you to your destination.

Computer Networking


There are so many things to discuss under the single heading of computer networking, but as you can't be an expert on everything so the recommendation is to know everything a little, at least.

You should understand the OSI layer model and it protocols (HTTP, FTP, IP, TCP, BGP, NAT, DHCP etc etc) – protocols depend on the layer of the OSI model. Learn the art of routing, how router and switches work, understands the wireless protocols for WiFI hacking (oh come on, learn something with the intention of learning).

Many books are available on the aforementioned topics, but it is always recommended to get a mentor who guides you throughout your journey. If you have done, or are doing, a degree in computer science (or a related field), you are most likely to learn all these topics; however, if you want to self-study, start now, because each topic may fill an entire book.

Operating System Skills


Understanding the operating system is crucial to succeed in the infosec world. Understanding the OS does not mean being able to install, configure and use it efficiently; it means understanding the concept, the flow and the architecture of an operating system. You should not limit yourself to any specific OS; learn as much as you can, including mobile operating systems (Android, iOS, etc.).

Programming & Scripting Languages 

 

There is a saying that “Programming is not necessarily required to become a hacker/infosec professional”. Let's break it down and try to understand it. It is true that most successful penetration testers don't write code, but that does not mean they can't write code or don't understand it. So understanding is the KEY: you should understand the tool you are using for your test, and don't forget the importance of manual penetration testing and code review.

Learn programming languages, for example C, C++ and Java. Scripting languages are also important, including but not limited to Perl, Ruby and bash.

Conclusion

 

At the end of this article, we can conclude that learning is the key, and the most important aspect of surviving in the field of information security. Keep in mind that technology is changing every day and you need to change your mind at the same speed, or else you will be left behind. Learn the existing, previous and upcoming technology infrastructure and languages, as you are more likely to break the code you understand fully.



~ Saturday, 1 November 2014 0 comments

Bluetooth is Watching: Detect the Surveillance Systems

Bluetooth is watching; as The Guardian reports:

Tens of thousands of Britons are being covertly tracked without their consent in a technology experiment which has installed scanners at secret locations in offices, campuses, streets and pubs to pinpoint people's whereabouts.

The scanners, the first 10 of which were installed in Bath three years ago, are capturing Bluetooth radio signals transmitted from devices such as mobile phones, laptops and digital cameras, and using the data to follow unwitting targets without their permission.




The above describes the situation in the United Kingdom (UK); now look at the situation in the United States (US):

Departments of Transportation around the United States have deployed "little white boxes" -- Bluetooth detectors used to monitor traffic speeds and activity. While they're supposedly anonymous, they detect a nearly-unique ID from every car, phone, and PC that passes by.

"In this presentation, I explore the documentation on these surveillance systems and their capabilities, then build a Bluetooth detector, analyzer, and spoofer with less than $200 of open-source hardware and software. Finally, I turn my own surveillance system on the DOT's and try to detect and map the detectors." - Grant Bugher


Source: Defcon

~ Sunday, 26 October 2014 0 comments

Becoming a Hacker - What, How and Why

Becoming a hacker/penetration tester is not a single-day process at all; it requires time, effort and skills. The intangible skills discussed earlier (attitude, culture, values, freedom, etc.) have gathered immense interest from infosec professionals, and I have been asked to write about the required technical skills. I will share that story soon, but the agenda of this story is to share an infographic created by schools.com.

What type of hacker do you want to be? What does a hacker do? Hacking as a career. How much money could a hacker earn (hacker salary)? The answers to these questions are discussed in the following infographic.





~ Monday, 6 October 2014 0 comments

Becoming a Hacker – Intangible Skills

“How to become a hacker” has created a buzz among IT security students and professionals; people have selected ehacking.net (via email, comments, tweets, etc.) as their mentor, and we will surely help you out. In the previous episode of this series, we discussed the objective of this guide, the education and skills required and the method to become the master; in this episode we will take a look at the philosophical and psychological side of a penetration tester.

You might be thinking that the hacking process has nothing to do with philosophy and psychology, but believe me, it has; apart from technical skills, the success of any hacking attack also depends on the psyche of the attacker.


Intangible Skills


“Focus” is the key to success in every aspect of life; be focused on what you want to achieve. Let's consider an example: you want to find a vulnerability in Facebook; you tried your level best to achieve the objective, but you failed. The word failure shows your weakness, so please hide it or destroy it; you can't fail as long as you keep trying.

“You only fail when you accept your defeat.” The foremost skill for becoming a penetration tester is to never give up and to stay focused on achieving your objective. If you are able to develop this skill then take my word, “nobody can stop you from becoming a hacker/IT security expert”. Let's get back to the example: finding a vulnerability in Facebook takes time, patience, persistence and attention, and believe me, it is possible. Keep trying until you succeed. The same suggestion applies to this guide too: don't show impatience; read and implement. Are you developing the skills discussed in the first episode? Has the mentor been selected yet? Are you focused on becoming a hacker? We have discussed many important points so far that could lead you to success, if you can understand them.

Attitude, Values, Culture


Winning, success and achieving the objective are all part of the attitude of a hacker mindset; the value is to care and learn. Learning is essential: you need to learn new skills and the latest technology, and make reading your habit.

Limited resources and unlimited wants: in hacking culture you have to believe that everything is possible, and that you, yes you, are your own master. Increase your capacity for learning and develop problem-solving skills; start with basic mathematics, then move on to algorithms, functions and so on. Remember, resources are limited but your wants are unlimited; you need to fulfill your wants either by limiting your needs (not recommended) or by increasing your capacity (highly recommended).

Don't ever indulge in repetitive tasks that you will soon find boring. Your attitude should show that you are creative, because you have the creativity to understand the working and process of everything, and yes, you can make amendments to enhance or destroy the system (this is your attitude).

Freedom & Competency


You need freedom, you want freedom and you love freedom; act on this and demonstrate it. You are competent and you need to prove it: select your benchmark, work to achieve more than it, and judge and rate yourself. Prepare yourself for real competition; you should not be afraid of competition. You are creative, you are competent (this is your value, and you have to prove it). Develop and sharpen your core competency; your core competency is the thing you do best, at which nobody can beat you. Make this world believe in you by showing your competency, and you will become the mentor of many.

Conclusion


Let's close another chapter. I need your feedback; I also need to know how you are performing and whether you are getting the right direction. Share your words.

Incorporate the aforementioned skills in your daily life; if you just read and forget, you will achieve nothing. As discussed, be focused, learn and implement. In the next article we will discuss the technical skills required to become a hacker/information security professional.


~ Saturday, 13 September 2014 0 comments

How to Become a Hacker?

It was a lovely evening when I opened the contact form of ehacking.net and found several emails asking this question. This is not a once-in-a-blue-moon event at all; it seems to be a regular habit of beginners, and maybe of intermediate-level readers too. They keep asking the same question, so I should say that “How to become a hacker” is a million-dollar question.

There was a time in the '90s when movies were creating and showing hacker culture, personalities and lifestyle; some of these movies showed hackers as heroes and some made them villains. In the end, movies created a mindset in our generation of becoming a hacker in order to achieve one's objectives, whether they are good or bad.

When someone asks this question, I usually pose a counter-question: “Why do you want to become a hacker? Why not an IT security professional or penetration tester?” And believe me, most of the time people say that it sounds good to be a hacker. My simple point is that:

“Media has created this mentality to be a hacker instead of a professional penetration tester.”

I will neither define the word hacker here nor differentiate between penetration tester and hacker, but in this series of “to be a hacker” I will show a pathway to becoming an IT security professional.


If you cannot handle the difficulties and challenges, then leave this field at your earliest. IT security is a dynamic field which requires education, certification, human skills and patience while learning something. So you should be ready to handle loads of challenges coming your way to become a hacker/penetration tester.

Education & Skill Set


Any degree related to computer science is highly recommended, because while studying computer science you get to know about programming, scripting, networking (wired and wireless), web, databases, cryptography and many other things that will help you throughout your IT security career. Apart from computer science, engineering degrees such as telecommunication and electronics are also a good option; these degrees enhance your networking and hardware skills, and you may learn the software side while working :)


If you don't have any degree, you need not worry about it; historically, many outstanding professionals did not complete their degree. The small difference is that you need to learn those skills by yourself; believe me, you can learn everything online for free that a university could teach you.

The bottom line is that you need a particular skill set; it does not matter where you acquired those skills.

Follow the Master, Become the Master


You have got a suitable education, now what? Have you become a hacker? No! As I said, the challenges start here. To become the master, you need to follow the master; you need a mentor who can show you the path and direction, who shares his/her experiences and who makes you what you want to be.

Be wise while selecting the mentor; it defines your future. Here the master can be anyone: a human being, a blog or website, or a group or place of discussion; you may have as many mentors as you want. Be focused, and plan your actions to achieve your objectives (but first you need to define your objectives).

Conclusion

No no no, this is not enough to become a hacker, but let me conclude the first part of this series. We have discussed the essential parts that play an important role in making a professional IT security expert. In the next articles, we will discuss the values, culture, certification and many other things that you should have to become a hacker.


~ Wednesday, 3 September 2014 0 comments

The Secret Life of SIM Cards

A SIM, or subscriber identity module, is essential in mobile communication; it is a microchip or electronic circuit that stores the IMSI and other authentication and identification codes. The foremost objective of a SIM is to identify its owner in the mobile communication network; it also carries the network signals that can be hacked to control a mobile phone. How to hack into a SIM card is not the primary objective of this article; however, we will study the structure of a SIM and the exploitation process.

In their DEFCON 21 talk, Karl Koscher and Eric Butler presented their research and understanding of this topic. Following is the abstract of what was discussed there:

Abstract


SIM cards can do more than just authenticate your phone with your carrier. Small apps can be installed and run directly on the SIM separate from and without knowledge of the phone OS. Although SIM Applications are common in many parts of the world, they are mostly unknown in the U.S. and the closed nature of the ecosystem makes it difficult for hobbyists to find information and experiment.


 This talk, based on our experience building SIM apps for the Toorcamp GSM network, explains what (U)SIM Toolkit Applications are, how they work, and how to develop them. We will explain the various pieces of technology involved, including the Java Card standard, which lets you write smart card applications using a subset of Java, and the GlobalPlatform standard, which is used to load and manage applications on a card. We will also talk about how these applications can be silently loaded, updated, and interacted with remotely over-the-air.




Source: Defcon 21


~ Saturday, 30 August 2014 0 comments

Open Source Intelligence (OSINT) - Practical Approach


Information is processed data that carries some meaning; data is any raw facts and figures, but when you arrange or process data to make it meaningful, it becomes information. Information is the key to success for many operations, especially intelligence operations. Consider the 9/11 scenario: what was the weakness of the security agencies? Obviously, they did not have information regarding the attack (remember, information). So a lack of information can be a weakness, but at the same time, if you have the right information it can become your strength. The hacking and penetration testing process also depends on the information that you collect during information gathering; the more information you have, the greater your chances of success.


The question arises of which techniques and sources information can be gathered from. Governments have their own ways to gather information, and intelligence agencies have theirs. But what about the common man? Yes, the infosec and business communities have worked in this direction, and now we have enough sources and techniques to gather the required information.

What is OSINT ?


Open Source INTelligence (OSINT) is the process of collecting information from publicly available sources. Here open source does not mean open-source software or its community; open source in OSINT means publicly available sources.

Usage of OSINT

  • Business intelligence
  • Govt intelligence
  • Individual intelligence

Business intelligence is the required set of information acquired through multiple sources; business decisions are made on the basis of this data. Since the decisions are based on the collected information, the process should be sound enough to gather the right information. Competitor analysis and corporate self-analysis can be done on the basis of publicly available information.

Governments can use publicly available information for various purposes; for example, they can read and understand public opinion regarding government policies. In elections they can understand public needs so that they can deliver what the public wants (clever move :P).

Individual intelligence: you know yourself, but in some cases you want to know what other people think about you. So you can gather information about yourself and then analyze your reputation; marketers and public speakers do this to manipulate the information available. Besides your own information, you can look into the life of another person (cyber stalking), ohh yes.

Conclusion

So far we have discussed the basics of open source intelligence, but this is not enough; the tools and techniques to gather information need to be discussed. We have previously discussed many tools and their usage to find information from different sources; in the next article of this series we will discuss the free tools that can be used to gather information from the Internet.

~ Wednesday, 5 February 2014 0 comments

Top 5 Cyber Scams of Christmas


We are heading towards this year's Christmas; you might be very excited and happy about your holiday, the Christmas celebration and, of course, your shopping. The advent of the modern Internet has changed the way we shop, and many of us will use computers, smartphones, tablets and other gadgets for online shopping. Users like us are preparing for shopping, but we should not forget that cyber criminals are also preparing their tools and techniques to run scams.



McAfee has spotlighted the "12 Scams of Christmas" to keep consumers' digital lives safe, and in this article we will discuss some of them (the ones that are very important and that you may face).

Fake gift cards


Social media, especially Twitter and Facebook, is likely the best platform for these scammers to steal money from consumers, and gift cards (fake or bogus) are the easiest way to target innocent people. Save yourself from deceptive advertisements that ask for your personal information.

SMS Scam “Smishing”


Smishing is a phishing technique carried out through text messages; I am not saying only SMS here because nowadays scammers are also using Android/iOS apps to target consumers. You might get a text message that appears to be from your bank or even a consumer website, but the SMS might not have originated from the claimed source. So always confirm before sharing your information, and do not open any URL.

Deceptive Online Games
“Before your kids are glued to their newly downloaded games, be wary of the games’ sources. Many sites offering full-version downloads of Grand Theft Auto, for example, are often laden with malware, and integrated social media pages can expose gamers, too,” says McAfee.

Fake Charity

Donation is a common practice at Christmas and most of us are planning to donate some money to the needy, but do not trust fake charities on the basis of their claims. Scammers might create fake charity websites and ask for your donation; email marketing, social media marketing and even Google advertisements may be used to grab your attention and to play on human psychology.

Fake Application

Do not install fake applications that look like famous online shopping portals; they might be malicious.


So above are the top 5 scams that every one of us might face. McAfee has created its list of the top 12 scams. The number of scams does not matter, because scammers always use different techniques that are usually a mixture of various tricks; you need to be aware of the situation that is going on. Do not download any application from a third-party website, do not open promotional emails that you receive from an unknown source, and the same goes for SMS.

The financial sector never asks for personal information through SMS or even email, so do not share your information.

Also, if you find any malicious activity or scam, do share it with us, so that we can investigate and publish the right thing for the protection of other users.

Happy shopping and enjoy your holiday.






~ Thursday, 12 December 2013 0 comments