
CyberSecurity: DNS Spoofing attack. Google DNS-over-TLS security solution.

Let’s take a quick glance at how client & server communication starts. When you browse any website, you type a human-readable domain name, but behind the scenes the two computers (i.e. client & server) do not understand the domain name. They communicate by IP (Internet Protocol) & MAC (media access control) address. The DNS service is used to find the IP address of the domain, and once the browser knows the destination (i.e. server) address, it starts communicating.

What is the concern in DNS Service?

When a device makes a DNS request to find the IP address of a domain, the request is sent in plain text & is readable by anyone on the network path. No encryption is used in the DNS request or response. This plain-text communication is vulnerable & dangerous as well. The most common attack on the DNS service is the DNS spoofing attack.

Traditional DNS queries and responses are sent over UDP or TCP without encryption. This is vulnerable to eavesdropping and spoofing (including DNS-based Internet filtering). Responses from recursive resolvers to clients are the most vulnerable to undesired or malicious changes, while communications between recursive resolvers and authoritative name servers often incorporate additional protection.

– Google

So, what is a spoofing attack?

A spoofing attack is when a malicious party impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware or bypass access controls. There are several different types of spoofing attacks that malicious parties can use to accomplish this.

Take a look at the references below for more details on spoofing attacks & DNS-over-TLS security.
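To make the plain-text point concrete, here is an added example (not code from the original post) that builds a DNS A query in wire format, parses a constructed response, and applies the only spoofing defence a plain-DNS client has: the transaction ID and the echoed question must match. DNS-over-TLS carries exactly these bytes inside a TLS session, so an on-path observer can neither read nor forge them. The domain, the address and the response are constructed sample values.

```python
import secrets
import struct

def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name: str, txid=None):
    """Plain A query; every byte travels unencrypted on UDP/TCP port 53 (RD=1, one question)."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    return txid, struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid: int, name: str, ipv4: str) -> bytes:
    """Constructed answer used as sample input; a forged reply has exactly this shape."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 (response), RD, RA
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # owner = pointer to offset 12
    return header + encode_name(name) + struct.pack("!HH", 1, 1) + answer

def decode_name(msg: bytes, off: int):
    """Decode a name, following RFC 1035 compression pointers."""
    labels = []
    while (ln := msg[off]) != 0:
        if ln & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            tail, _ = decode_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)
            return ".".join(labels + [tail]), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels), off + 1

def parse_response(msg: bytes) -> dict:
    """Read txid, flags, question and A records: all visible to anyone on the path."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        _owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            records.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000), "qname": qname, "a": records}

def accept_response(expected_txid: int, expected_name: str, msg: bytes) -> bool:
    """Plain DNS's only spoofing defence on the client: txid and echoed question must match."""
    r = parse_response(msg)
    return r["is_response"] and r["txid"] == expected_txid and r["qname"].lower() == expected_name.rstrip(".").lower()
```

A 16-bit transaction ID is all a forger has to guess, which is why the transport itself (TLS) rather than this check is the real fix.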


CyberSecurity: Security Importance of etc host file

You might be surprised to know how critical the etc hosts file can be. I learned its importance and thought I would share some of the details.

Use of etc Host File

We are all familiar with the hosts file & the information in it. The most basic use of the hosts file is to map a hostname to an IP address, like localhost. There are other uses as well; let’s understand them with an example.

Let’s see how things work when you type a domain name into any web browser.

The browser, as a client, makes a DNS request; that much we know. But in reality, the operating system (OS) checks the hosts file first, before making a DNS request to resolve the IP of the domain. If a matching entry is found in the local hosts file, the OS uses that address and skips the DNS lookup. Then the OS uses ARP (Address Resolution Protocol) to find the destination MAC (media access control) or physical address (of the host itself if it is on the local network, otherwise of the default gateway).

Then the OS begins a handshake with the destination host over TCP/IP & starts sending data. I will explain the working of data packets & the OSI model in some other post. For now, just the hosts file.

Security Aspect of etc Host File

Used by hackers: Hackers use this file when they wish to redirect an application’s traffic to a proxy server. They set up the proxy server before they modify the hosts file. This technique is called active network traffic capturing. Basically, the hackers get all the network traffic from your server or machine. It helps them run analysis & understand the internals of the application. They can even decode the actual application logs. And the server’s network traffic helps hackers a lot in breaking the application further.

Used by antivirus & security products: Some antivirus & security products track changes to the system’s hosts file because such changes are a sign of malware. You might need to disable the product’s protection if you want to change the hosts file.

Note: A suggestion would be to keep proper (restrictive) privileges on the hosts file.
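As an added example (not the post’s own code), here is a small Python audit of the checks a security product performs on the hosts file: parse it, flag names redirected to a routable address (the proxy trick described above), fingerprint the content for change tracking, and test for weak write permissions. SAMPLE_HOSTS and the example-bank.test names are constructed; audit_hosts_file runs the same checks on a real file if you point it at one.

```python
import hashlib
import ipaddress
import os
import stat

SAMPLE_HOSTS = """\
127.0.0.1   localhost
# constructed sample: the entry below was not written by the administrator
10.0.0.5    www.example-bank.test example-bank.test
0.0.0.0     ads.example.test
"""

def parse_hosts(text: str) -> list:
    """(ip, hostnames) for every non-comment line that carries a valid address."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: the OS ignores it, so do we
        entries.append((fields[0], fields[1:]))
    return entries

def suspicious_entries(text: str) -> list:
    """Flag names redirected to a routable address, the proxy trick the post describes."""
    flagged = []
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue  # localhost and 0.0.0.0 blackhole entries are normal
        flagged.extend((name, ip) for name in names)
    return flagged

def hosts_fingerprint(text: str) -> str:
    """SHA-256 of the contents; compare with a stored baseline to detect tampering."""
    return hashlib.sha256(text.encode()).hexdigest()

def weak_permissions(mode: int) -> bool:
    """True if group or others can write the file (only root/Administrator should)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_hosts_file(path="/etc/hosts", baseline_hash=None) -> dict:
    """Run the checks on a real file (on Windows it lives under system32\\drivers\\etc)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return {"sha256": hosts_fingerprint(text), "suspicious": suspicious_entries(text),
            "changed": baseline_hash is not None and hosts_fingerprint(text) != baseline_hash,
            "weak_permissions": weak_permissions(os.stat(path).st_mode)}
```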

CyberSecurity: Finished Threat Intelligence (Security Intelligence) book

Just finished another very good book on cybersecurity: Threat Intelligence. Threat intelligence is a component of security intelligence, and it is the way you apply tools, knowledge, risk (external or internal) and security threats to your overall business.

This book answers many questions & gives a big perspective on many problems currently faced by organizations, and on why there is no security remedy on time. The information in this book is very well organized. It starts with simple knowledge chapters, moves on to security operations, and ends with the dark web.

My Favourite parts are:

  • About security threats & risk analysis.
  • About the security operations center, and how its resources are under stress dealing with thousands of operational alerts, most of them false positives (i.e. not valid alerts).
  • About the dark web & organized crime, and how organized crime hires hackers, executes projects etc. Little info, but I got some sense out of it.

Things to learn from Threat Intelligence book

  • How can threat intelligence help in dealing with every aspect of security?
  • How does a SOC (security operations center) mitigate risk & identify problems? And how can a SOC handle so many false-positive alerts?
  • How to keep up with trends, current vulnerabilities & the risk analysis behind fixing critical vulnerabilities?
  • How to know if threat criminals have already breached sensitive information? In most cases, organizations only learn about a data breach months later. The book details how the National Vulnerability Database does not provide vulnerability info on time & how threat intelligence tools can help you with that.
  • Some information about the dark web, deep web & organized crime. A little detail about how organized crimes are carried out.

Final Thought:

Every security professional should read about threat intelligence & understand the overall process. It is a must-read book.

NOTE: I can share the downloaded version, but I think it would be unfair to the people who have done all the hard & good work on this book. So here is the reference & you can help yourself.


CyberSecurity: All about mobile sim swap attack!

A SIM swap attack (aka SIM intercept attack) is a form of identity theft where someone impersonates your digital life & receives all your text messages etc. on their own SIM. Just to clarify, a SIM swap attack isn’t about swapping your physical SIM.

How does the attacker achieve this?

In the cybersecurity chain, the weakest link is the human factor & attackers know how easy it is to convince someone. By nature, we trust other people, and systems as well. The way hackers convince a customer representative is called social engineering. Social engineering is all about pretending to be someone & convincing a person who trusts you to hand over valuable information. With the same technique, a SIM swap can happen. In very simple terms, the attacker pretends to be you & convinces your telecom carrier to switch your number to a new SIM owned by the attacker.

How dangerous could it be?

It is very bad for the victim when all your OTPs, messages etc. are received by someone else. Lots of things could be done; the most dangerous is when an attacker gains access to your bank accounts, credit cards, and all other sensitive information that depends on OTPs & messages. A recent example: SIM swap! Man charged after million dollar cryptocurrency theft

What is the solution?

Well, in such cases, nothing much can be done except taking extra precautions. There are a few solutions, like app-based two-factor authentication in place of text/message-based authentication. Your bank has two-factor authentication & the OTP goes to your messages. You could enable app-based two-factor authentication like Google Authenticator, Authy etc. App-based authentication generates the OTP within the app itself, so someone would need to steal your device to get that OTP.

The problem with app-based two-factor authentication is that it may not be possible with every bank, & many still rely on text-based two-factor authentication.

Final Thought

Anything linked to your banking system needs security. If any single point is vulnerable, then the whole thing could be vulnerable. In cybersecurity, it is said that every vulnerability is exploitable.

“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” 

― Stephane Nappo

CyberSecurity: EMV-enabled credit cards do not stop fraud!

State Bank of India asked its customers to get rid of conventional swipe cards and replace them with EMV-enabled chip cards. EMV chips are considered safer & are meant to prevent credit/debit card fraud.

FYI: EMV stands for ‘Europay MasterCard Visa’, while PIN is an acronym for personal identification number.

Purpose of EMV

In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant’s point-of-sale terminal. EMV is meant to replace conventional swipe transactions that rely on magnetic stripes, which contain data that is relatively easy for criminals to intercept and then copy onto a new card.

Reality of EMV

A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology.

This represents a major setback for the technology, known as the EMV standard, which is named after the companies (Europay, Mastercard and Visa) that created it.

“45.8 million…records [were] likely compromised through card-sniffing and point-of-sale (POS) breaches of businesses such as Saks, Lord & Taylor, Jason’s Deli, Cheddar’s Scratch Kitchen, Forever 21, and Whole Foods. To break it down even further, 90% or 41.6 million of those records were EMV chip-enabled,” states the report.

How is fraud still possible?

While the EMV standard is supposed to ensure that card data cannot be captured, many merchants are failing to properly configure their systems. The problem is that banks & merchants are not configuring their systems correctly and are leaving them vulnerable.

What is the use of stolen data?

There are multiple ways cybercriminals use stolen data. The first & easiest way is to sell these credit card numbers on the dark web, a market full of criminals that isn’t reachable through the public web or apps. The second method is that they create replicas of these cards & use them to withdraw money.