Monday, 11 October 2010

My Recent Wardrive

Following my report on my Wardrives around Bristol, Cardiff, London, Birmingham and Manchester I came to an interesting – and frightening – conclusion. And there were two points to this conclusion: firstly people rely on WEP or its derivatives far too much, and secondly the great misconception that people have about hotspots being secure.

To my first point then...WEP encryption is not the security measure people think it is. Most do not know that cracking the encryption can be ridiculously easy; all you need is a gadget, some free software, wi-fi and a little patience. From there it’s just a matter of capturing users’ data – their username, password and details of the website they’re accessing.

And regarding the second point – with users assuming they’ll be secure when using a hotspot, I’m afraid they could have a nasty surprise one day. A lot of hotspots use the WEP encryption described above, and as well as cracking that encryption there are other ways to ‘snoop’ on what people are doing – again enabling the criminal to capture their usernames and passwords.

Also, do you notice that I keep mentioning that in each case above it’s the hotspot user who is the one losing their identities? While the proliferation of free wi-fi, hotspots and criminals will not be letting up any time soon, there is one thing people can do to protect themselves – and the applications they access: and that is to have better password protection. For the user it could be a longer, stronger password and for businesses who want to protect their digital assets, it could be equipping your employees with two-factor authentication.

Sunday, 1 August 2010

My response to a recent article in the Telegraph

Man who published details of 100m Facebook users 'learning how to break passwords'

With regards to the Facebook security fears after 'private details of 100m users leaked to web'.

I wanted to respond to this very definitely… nothing makes a password truly secure!

Static passwords are fundamentally insecure and signify the biggest security threat facing organisations today. Readily available software such as invisible keyloggers allows hackers to capture every name and password of any user on a network.

Invisible keyloggers have the capability to override the latest security software in order to steal user names and passwords, no matter how long or complex the user makes them. Hackers can and do use this software to extract and manipulate information from users’ e-mail addresses, social media accounts and even IT networks protected by a secure encryption protocol.

Passwords are the softest security target, and until people and organisations start adopting strong authentication, for instance in the form of two-factor authentication, this problem won’t go away.

Worryingly, only a small percentage of businesses use 2FA.

Businesses of all sizes have to start getting their heads out of the clouds and replace static passwords with two-factor authentication.

Friday, 18 June 2010

Tutorial 1 - Hacking The Email Password of a Pop Account


I'm going to get straight into the first, and simplest attack you can carry out with Cain: Acquiring someone's email pop account password.

1. You need to be on the wireless network of the computer you are targeting.

2. You need to have Cain's configuration set up as in Tutorial 1.

3. The target must not be using ssl-pop (this is very unusual so you should be fine).

The following is a step by step guide to capturing the pop password (a lot of the early steps will be used for further tutorials):

1. Open Cain and go to the 'Sniffer' tab along the top row. Make sure you also turn on the sniffer, using the icon in the top left which looks like a little network card.
2. Right click in the empty grid below and select 'Scan Mac Addresses'. Choose 'All hosts in my subnet'.
3. A list of IPs, MAC addresses, computer names and (empty) user names will appear. If you know the computer name you want to target, great. If you need the user name however, simply right click on the computer you are interested in and select 'Resolve Host Name'.
4. Now you are ready to begin ARP poisoning your target. There are many explanations of poisoning but I will not go into it in detail here as it will detract from the tutorial. Essentially, you are telling the server that you are the target's computer, while telling the target that you are the server. In this way all traffic from the target is passed through you before reaching the server... and vice versa.
5. Click on the APR tab along the bottom left row of icons.
6. Make sure your mouse cursor clicks in the top one of the two empty grids. Then click on the blue plus arrow on the top row of icons.
7. You will be presented with a list of IPs, MACs and names in the left grid. Select the one which corresponds to your server, usually called 'Home' or the name of your internet provider's router. It should stand out.
8. Then in the right hand grid, select the computer you want to target. Click OK.
9. To begin ARP poisoning your target, click on the radiation type symbol in the top left, next to the sniffer symbol - which you will have turned on a while back.
10. You should now see traffic begin to accumulate in the grid underneath - if there isn't any then either your target is on a sneaky break and has turned off their computer, or perhaps you have not selected the correct device as in Tutorial 1.
11. All that now remains is to wait until your target either checks their email through Outlook (or similar, like Thunderbird) or sends an email.
12. Now click on the tab called 'Passwords' on the bottom row. You will probably see lots of http entries popping up - don't worry about these for now.
13. Watch the 'pop3' and 'smtp' entries (you don't have to sit and watch constantly, you might get a bit bored!).
14. Sooner or later an entry will appear in one or both of those fields. It will contain the username and password of the pop email account.

This method has been tried and tested on many occasions as part of our network security probes. It's worked every time, and usually very fast, as people like to check their emails often.
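The two-sided poisoning described in step 4 leaves a trace that a defender can look for: the gateway's IP address, which has been answering with one MAC address all morning, suddenly answers with a different one, and that same MAC then also answers for the client. The following is an added example, not code from the original post or from Cain: it replays a small constructed capture (assumed to be in the style of `tcpdump -n arp`, not a real recording) and raises an alert whenever an IP-to-MAC binding flips, rating a flip of the gateway highest, and a weaker alert when one MAC starts claiming several IPs, since hosts with multiple addresses do that legitimately. The gateway address 192.168.1.1 and the MAC values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -n arp` style (assumption: not a real capture).
# 192.168.1.1 is the gateway and 192.168.1.20 a client; 192.168.1.50 later
# answers for both of them, which is what two-sided ARP poisoning looks like.
SAMPLE_CAPTURE = """\
12:00:01.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01, length 28
12:00:01.200000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:20, length 28
12:00:01.500000 ARP, Reply 192.168.1.50 is-at aa:bb:cc:dd:ee:50, length 28
12:00:02.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:09.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:50, length 28
12:00:09.100000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:50, length 28
"""

# Only ARP replies carry a claimed IP-to-MAC binding; requests are ignored.
REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line in the capture text."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(replies, gateway_ip):
    """Replay ARP replies in order and return a list of alert strings.

    Signals:
    - an IP previously bound to one MAC is now claimed by another MAC
      ("flip"): HIGH when the IP is the gateway, MEDIUM otherwise;
    - one MAC claims more than one IP: LOW, reported once per MAC, because
      routers and hosts with aliases do this without any attack.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{sev} t={ts}: {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == 2:  # first time this MAC claims a second IP
            alerts.append(f"LOW t={ts}: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_replies(SAMPLE_CAPTURE), "192.168.1.1"):
        print(alert)
```

On the sample this yields three alerts: a HIGH flip of the gateway at 12:00:09, a LOW multi-claim for the MAC that took it over, and a MEDIUM flip of the client. Static ARP entries for the gateway on clients, or dynamic ARP inspection on a managed switch, stop the poisoning outright; this script is the cheap way to notice it on a network that has neither.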

As with any of these posts, if you are having trouble, leave a comment here and I will reply to you as soon as possible.

Jason Hart - his live 'hack me' challenge!

Jason Hart - his live 'hack me' challenge! from e-Crime Wales on Vimeo.

Thursday, 17 June 2010

An insight into the work of the hacker.

With recent news that hackers have attacked the German e-crime site, resulting in members' details being posted online, now seems a good time to look at just how hackers go about their business…

In a desire to reduce risk and meet compliance and audit requirements, companies invest in security technologies including firewalls, anti-virus and anti-spy/spam. The smart ones also implement security policies and controls in an effort to protect their network, assets, and business. Unfortunately all this can be defeated instantly because hackers too are harnessing new methodologies, technologies and resources. Hackers will try the easy route first, looking for the weakest links in your network, such as an out of date OS, an un-patched web server, or default configurations. But the easiest by far is getting your password.

While usernames are used in conjunction with passwords, they cannot realistically protect your data or business. Companies assign usernames systematically, often using standard first name/last name formats, making it a breeze for a hacker to find or guess a username. All that is left to protect your system is a vulnerable password, and as such entry is ‘authorised’, there will be no sign of forced entry and little chance of an alarm being raised; this is the biggest and most invisible threat facing us all. So, how exactly do hackers go about getting passwords?

The methods range from the ridiculously simple to the highly technical. Guessing the password is ridiculously simple. A recent study of 32 million passwords showed just how ‘guessable’ passwords can be. ‘123456’ was in first position with ‘Password’ at fourth, and nearly 50% of users used names, slang words, dictionary words, or trivial passwords using consecutive digits, adjacent keyboard keys etc. A quick web search will present a hacker with a handy list.

Hackers rely on continued use of the password because it is so weak. Phishing and phasing attacks use “dummy” web sites to trick users into providing passwords and personal details. Social networks are now firmly established as a great resource for hackers who see them as the best Social Engineering Hacking tool.

A more technical approach may involve the use of traditional keyloggers and sniffing programs, all of which are available free on the internet. Typing ‘Password Hacking’ into Youtube will return over six thousand videos demonstrating the password hack, and so even the novice is off to work. With passwords so discredited, there are three key things to consider in response.

1. Password best practices state:

• They should contain at least eight characters
• They should contain a mix of four different types of characters - upper case letters, lower case letters, numbers, and special characters. If there is only one letter or special character, it should not be either the first or last character in the password.
• It should not be a name, a slang word, or a dictionary word. Neither should it include part of your name or e-mail address.
• Passwords should be changed every 30 – 90 days

2. Check your infrastructure for unnecessary or out of date, bug-riddled network devices, services, or applications. Conduct a regular network audit.

3. Educate users on password security, social engineering threats and some of the latest trends. They are users not security specialists. Do they know all of the above? Do they know not to use the same password across their social and business applications? You have a duty of care.
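The best-practice rules in point 1 are mechanical enough to enforce at password-change time rather than leaving them to user education alone. The following is an added example, not code from the original post: it applies the length, character-mix, edge-position, dictionary and name/e-mail rules to a candidate password and returns every rule it breaks. The small word list stands in for a real dictionary and slang list, the reading of the edge-position rule (a lone digit or lone special character may not be the first or last character) is my interpretation of the wording above, and the 30 – 90 day rotation rule is an operational policy that a checker of a single password cannot enforce, so it is left out. The names and e-mail address used are constructed.

```python
import re
import string

# Constructed stand-in for a dictionary/slang/common-password list (assumption).
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "monkey", "dragon"}

SPECIALS = set(string.punctuation)


def _name_fragments(full_name, email, min_len=3):
    """Lower-case tokens (>= min_len chars) from the user's name and the local
    part of their e-mail address; none of these may appear in the password."""
    tokens = re.split(r"[^a-z0-9]+", full_name.lower())
    local_part = email.lower().split("@", 1)[0]
    tokens += re.split(r"[^a-z0-9]+", local_part)
    return {t for t in tokens if len(t) >= min_len}


def check_password(password, full_name="", email=""):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []

    # Rule: at least eight characters.
    if len(password) < 8:
        problems.append("shorter than 8 characters")

    # Rule: all four character classes must be present.
    uppers = [c for c in password if c.isupper()]
    lowers = [c for c in password if c.islower()]
    digits = [c for c in password if c.isdigit()]
    specials = [c for c in password if c in SPECIALS]
    if not (uppers and lowers and digits and specials):
        problems.append("must mix upper case, lower case, digits and special characters")

    # Rule (as interpreted): a lone digit or lone special character may not be
    # the first or last character, where an attacker's mask would try it first.
    for cls, label in ((digits, "digit"), (specials, "special character")):
        if len(cls) == 1 and (password[0] == cls[0] or password[-1] == cls[0]):
            problems.append(f"the only {label} is at the start or end")

    # Rule: not a dictionary/slang word, even when padded with digits or symbols
    # ("Password1!" reduces to "password").
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_WORDS or letters_only in COMMON_WORDS:
        problems.append("is a common/dictionary word")

    # Rule: must not contain part of the user's name or e-mail address.
    for frag in _name_fragments(full_name, email):
        if frag in lowered:
            problems.append(f"contains part of the user's name or e-mail ({frag!r})")
            break

    return problems


if __name__ == "__main__":
    # Constructed sample user and candidates.
    for candidate in ("Tr0ub4dor&3x", "Password1!", "alice2024!X", "short"):
        result = check_password(candidate, "Alice Smith", "alice.smith@example.com")
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Returning the full list of violations, rather than stopping at the first, is what lets a password-change form tell the user everything that is wrong in one go instead of making them guess rule by rule.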

Good password practice will help, but two-factor authentication takes it to a new, much more secure level. Providing users with a PIN and a token which generates a one-time password, valid for a single use, will deprive hackers of their quiet and invisible entry into your network. Through a combination of implementing best practice, keeping your network infrastructure robust, and employees educated, the hacker risk can be mitigated and your confidentiality and integrity maintained.

Thursday, 18 February 2010

Cloud Security

Cloud computing is one of the most significant buzzwords in technology today. It provides organisations with access to applications and infrastructure, as and when it is needed, and without having to make upfront investments in software, or indeed the hardware to run it on. It provides the benefits of paying a predictable monthly charge (Opex) and makes access to technology services infinitely easier for organisations that may otherwise have struggled with the implementation, ongoing management and scalability problems, let alone the capital investment (Capex).

There is however a but; many Cloud-based services available today, can often lack the appropriate level and type of security protection required to prevent hackers accessing sensitive data stored, accessed, and transported through the Cloud. Even organisations that have shown a reluctance to take up Cloud computing may actually be using services based in the Cloud without realising it. For example, applications such as Salesforce and Google apps are Cloud-based, as are social networking services, including Twitter and LinkedIn.

Industry experts express concern that businesses joining the Cloud computing bandwagon to benefit from its impressive repertoire of benefits may not be making an appropriate and necessary review of its impact on existing security policies. As one who focuses on security and was once an ethical hacker, I am concerned that moves to a virtual world using Cloud-based technologies could end up being a disaster, unless businesses act fast. My concern centres on the number of vendors and providers who frankly are only paying lip service to security and are more caught up in the hype than the reality. Every service or platform I look at is still only secured by a traditional password, and that is just not sufficient to keep hackers at bay and to guarantee confidentiality or integrity; consider the recent attacks on Twitter…

Because Cloud computing represents a revolution in IT management, it is a paradigm shift and this makes it even more critical that businesses review their security policies again. With more than 223 million records containing sensitive material compromised since 2005, according to Data Breach DB, a clearing house for data breach information, and the more recent attacks on Twitter in July 2009, businesses must make Cloud security a new priority.

The easiest way to conduct fraud online is through stealing a valid user name and password using tools like key loggers or old fashioned social engineering. You wouldn’t even know it had happened. Organisations need to review security policies and ensure that they are adequately protected. On average it takes less than a minute to gain someone’s username and password. There are many technology tools available today, as well as complementary services to boost security. We need to remember that business is about people, processes and technology, and it is essential that all users are aware of the dangers and how to mitigate them. I strongly recommend that businesses take some simple and immediate steps to counter the threat of identity theft and hacking, and go through a process to ensure their data, their business, and their future is as secure in the Cloud as it should be in the Enterprise.

My recommendations for improving cloud security

1. Teach all end users safe internet skills
2. Perform a detailed vulnerability assessment
3. Ensure anti-virus protection is current and kept up to date on all devices
4. Use a firewall to protect every point in the organisation
5. Use VPN technology for secure connections and encryption for all information on portable devices
6. Deploy strong authentication for remote users, requiring a strong password, PIN, and separate token

Thursday, 21 January 2010

Maximising Margins in Security and Convergence

123456: why passwords don't work, why customers are moving to services and 2FA, and a live hacking demo

Sandown Park Race Course, 23rd February
York Race Course, 25th February

Friday, 1 January 2010

Welcome to my Master Class Series.

Please feel free to download and read my Master Class Series, which goes beyond technology and product.

In this edition I see if an SSL VPN is really secure.

Looking at the increasing buzz around federated ID

Looking at identities at risk.

My Recent Articles in the Press

What do you need to do today to achieve security?


Please click on the Link Below to see a list of all the events that I am due to present at:
Copyright 2009 Jason Hart.