Category Archives: customer data breach

CyberSecurity: Holy Shit! Hashcat tool cracks 55 Character Passwords

Holy shit! That’s exactly what I felt when I read about Hashcat, a freely available tool that also ships in the Kali Linux application set. It is a fast & reliable way to crack passwords up to 55 characters long. Tools like this always have two sides:

  1. Cybercriminals who steal the data can use this tool to crack the passwords.
  2. On the other side, companies can use it to stress-test their users’ passwords & their password policy.

Scared & still looking for an answer? Keep reading…

You might be thinking: all security experts tell ordinary people to use a strong password, but if a tool can crack any password no matter how long it is, then how strong a password can any human being set & still remember? Has the password become useless against advancing technology?

Length is still important, but rather than just a combination of words or phrases, a password should be a mix of letters, numbers and punctuation symbols, & everybody should keep each password strong & unique to a single application. Not re-using passwords is a good way to keep yourself safe.

All you can do is keep your password strong enough to make it harder for the hackers to crack. Making their job tough is one way to buy some time before they hit you.

So, how does Hashcat break the password?

Hashcat does not attack the password directly; it needs the password hash. Once it has the hash, it guesses candidate passwords and hashes each one offline until a hash matches, which is why the hash is all it needs. So any criminal or penetration tester first has to obtain that hash. There are multiple ways of obtaining these hashes, such as DLL injection on Windows systems or capturing the hash in transit. Kali Linux ships this tool in its application set; you can explore it further if you are interested.

Is a password manager a solution?

I think it is not a bad idea to start using a password manager like KeePass. The only fear you might have is that the password manager becomes a single point of failure for all your digital accounts. Some security experts do recommend password manager software.

My personal opinion is that we should enable 2FA & biometric authentication on our digital accounts, such as Google Authenticator or other app-based 2FA. Since everything has become crackable, our objective should be: let’s make life harder for criminals.

CyberSecurity: Click Here to Kill Everyone – By Bruce Schneier

This article is the most detailed one & has a full summary of the cybersecurity landscape. As Bruce Schneier puts it: with the Internet of Things, we’re building a world-size robot. How are we going to control it?

Abstract

Last year, on October 21, your digital video recorder — or at least a DVR like yours — knocked Twitter off the internet. Someone used your DVR, along with millions of insecure webcams, routers, and other connected devices, to launch an attack that started a chain reaction, resulting in Twitter, Reddit, Netflix, and many sites going off the internet.

The internet is no longer a web that we connect to. Instead, it’s a computerized, networked, and interconnected world that we live in. This is the future, and what we’re calling the Internet of Things.

Take a concrete example: modern cars, those computers on wheels. The steering wheel no longer turns the axles, nor does the accelerator pedal change the speed. Every move you make in a car is processed by a computer, which does the actual controlling. A central computer controls the dashboard. There’s another in the radio. The engine has 20 or so computers. These are all networked, and increasingly autonomous.

Security is an arms race between attacker and defender. Technology perturbs that arms race by changing the balance between attacker and defender. Understanding how this arms race has unfolded on the internet is essential to understanding why the world-size robot we’re building is so insecure, and how we might secure it. To that end, I have five truisms, born from what we’ve already learned about computer and internet security. They will soon affect the security arms race everywhere.

Truism No. 1: On the internet, the attack is easier than defense.

Truism No. 2: Most software is poorly written and insecure.

Truism No. 3: Connecting everything to each other via the internet will expose new vulnerabilities.

Truism No. 4: Everybody has to stop the best attackers in the world.

Truism No. 5: Laws inhibit security research.

To read the full article, check the link below.

https://nymag.com/intelligencer/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html

CyberSecurity: D-Link Home Camera security problem

There has been growing concern about the security of home appliances. Recent news concerns a home camera from D-Link, a manufacturer based in Taiwan.

Consumer Reports finds that D-Link’s home camera sends unencrypted video without unique passwords

https://boingboing.net/2018/10/30/d-link-dcs-2630l.html

The home camera is a new gadget everybody likes to have at home. I remember, in my childhood, people had a craze for the radio and loved listening to old songs. As technology advances, people now like to have IoT (Internet of Things) devices at home. Even if someone wants a radio, they would prefer to have it as an IoT device. The more connectivity options a device has, the better it is considered now. Bluetooth, WiFi, hotspot support etc. are basic features in any device.

IoT is more about connectivity and how people like to control their own stuff. As per the Wikipedia definition of IoT:

“The Internet of things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and connectivity which enables these things to connect, collect and exchange data.”

These home appliances are slowly becoming spy devices. I will share in some other post what these spy devices are & how they spy. There are lots of guidelines & standards for implementing them and using them the way they are supposed to be used. But that thought applies to everything: application security, data security, cloud security etc.

For more reading about IoT guidelines, see the GSMA IoT Security Guidelines:

GSMA IoT Security Guidelines and Assessment

Thoughts:

It is time for consumers to ask for security & to ask basic questions, and to have an agreement with the vendor. The following basic questions must be asked:

  • What procedure do they have to secure my data?
  • What information are they capturing? Does the home appliance listen to private conversations as well?
  • What if the consumer wants to delete the records?
  • With whom are these videos or audios being shared? How is private info secured?

Cyber Security: Lesson to be learned

Below is the reference to the paper, which is one of the finest papers I have read in recent times. Here is a glimpse of the paper & the reference.

https://www.thirdway.org/report/to-catch-a-hacker-toward-a-comprehensive-strategy-to-identify-pursue-and-punish-malicious-cyber-actors

In this paper, the author argues that the United States currently lacks a comprehensive overarching strategic approach to identify, stop and punish cyberattackers.

  1. There is a burgeoning cybercrime wave: A rising and often unseen crime wave is mushrooming in America. There are approximately 300,000 reported malicious cyber incidents per year, including up to 194,000 that could credibly be called individual or system-wide breaches or attempted breaches. This is likely a vast undercount since many victims don’t report break-ins to begin with. Attacks cost the US economy anywhere from $57 billion to $109 billion annually and these costs are increasing.
  2. There is a stunning cyber enforcement gap: Our analysis of publicly available data shows that cybercriminals can operate with near impunity compared to their real-world counterparts. We estimate that cyber enforcement efforts are so scattered that less than 1% of malicious cyber incidents see an enforcement action taken against the attackers.
  3. There is no comprehensive US cyber enforcement strategy aimed at the human attacker: Despite the recent release of a National Cyber Strategy, the United States still lacks a comprehensive strategic approach to how it identifies, pursues, and punishes malicious human cyberattackers and the organizations and countries often behind them.

My takeaway & View:

Despite so many levels of effort by security experts & organizations, and millions of dollars put into security, it is a pretty scary situation. And the big question that comes to my mind is: what about countries like India, Sri Lanka, Bangladesh and many other developing countries? These countries have not realized the threats yet and do not have the infrastructure to deal with such a horrible situation. However, the cyber threat is real.

China bulldozes all its neighbours, & in the cyber world China is much more advanced than anyone else. They are capable of listening to Mr Trump’s phone calls as well. If the President of the United States’ phone isn’t considered safe, then what can we expect from the technology which many countries are trying to adopt? What if China starts targeting its rivals? Does India have the power to hold its own in such attacks?

Given the situation in the cyber world & the pace of technological advancement, the lesson from all of the above can be learned. I won’t say it is too late for countries like India to learn and adopt technology which is safer to use, or to compel organizations to keep their services secure. Everything must now be viewed from the security perspective. Every digitalization effort must have security as its first priority.

The Indian govt has been very pro-active in the digitalization of its services; however, there are many services/portals which are vulnerable. A lesson must be learned, otherwise it will be very damaging, & developing countries can’t afford that. Good measures have been identified, but only on paper so far. For instance, GDPR.

I don’t want to sound like an expert here, but truth be told, Indian IT service companies must learn & realize the threat: make our services more secure and deliver what makes your client safer. Have security in mind when designing an application. Invest in training; skill up newcomers to develop more secure applications. In reality, the issue is more of a mindset than a skill gap. People never think about what info should be exposed or hidden. As long as the application works, it is great. Here are a few instances:

  1. A simple example: allowing users to change their password without checking the current password.
  2. Supporting changes to the password, email or profile info via the GET method in a web service.
  3. If you check an application, it shows more such insights. I don’t want to review any particular application, but that is how software is developed.
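As an added illustration (not code from the original post), here is the hardened form of the first two instances above, alongside the flawed one, and it also shows why the earlier Hashcat post says the tool needs the stored hash: passwords are kept as salted, slow PBKDF2 hashes, a password change requires the current password, and the change is only accepted over POST. The in-memory user table, the `handle_request` dispatcher and every name in it are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user table for this example: username -> (salt, hash).
USERS = {}
# A slow, salted hash raises the cost of every offline guess a cracker makes
# against a leaked hash; fast unsalted hashes such as MD5 are what Hashcat guesses quickest.
ITERATIONS = 100_000

def hash_password(password, salt=None):
    # Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt if none is given.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def register(username, password):
    USERS[username] = hash_password(password)

def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison

def change_password_insecure(username, new_password):
    # Instance 1 from the post: no check of the current password, so anyone
    # holding the session (or a stolen cookie) can lock the real owner out.
    USERS[username] = hash_password(new_password)
    return True

def change_password(username, current_password, new_password):
    # Hardened form: the caller must prove knowledge of the current password first.
    if not verify_password(username, current_password):
        return False
    USERS[username] = hash_password(new_password)
    return True

def handle_request(method, path, form, session_user):
    # Instance 2 from the post: state-changing account actions are refused over
    # GET, whose parameters end up in server logs, browser history and Referer headers.
    if path != "/account/password":
        return 404, "not found"
    if method != "POST":
        return 405, "use POST"
    ok = change_password(session_user, form.get("current", ""), form.get("new", ""))
    return (200, "changed") if ok else (403, "current password wrong")
```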

Final words: Keep yourself aware of things which could impact you directly or indirectly.