31 May 2023

One Reason Why InfoSec Sucked In The Past 20 Years - The "Security Tips" Myth

From time to time, I get disappointed by how much effort and money is put into securing computers, networks, mobile phones and so on, and yet here we are in 2016 and not much has changed on the defensive side. There are many things I personally blame for this situation, and one of them is the "security tips".

The idea behind these security tips is that if the average user follows a few easy-to-remember rules, their computer will be safe. Unfortunately, by the time people have integrated the rules into their daily lives, the rules have either become outdated, or they were so oversimplified that they were never true in the first place. Some of these tips might sound ridiculous to people in InfoSec nowadays, but this is exactly what users still remember, because we told them so for years.

PDF is safe to open

This is an oldie. I think it started in the era of macro viruses. People still think opening a PDF from an untrusted source is safer than opening a Word file. For details on why this is not true, check the vulnerability history of Adobe Acrobat Reader: https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html
On a related note, people also believe a PDF is integrity protected because its content "cannot be changed" (compared to a Word document). It can be changed; without a digital signature, nothing protects the integrity of a PDF.

Java is secure

One of the best ones. Oracle marketed Java as a safe language in which buffer overflows, format string bugs and pointer-based vulnerabilities are gone. Unfortunately, they forgot to tell the world that instead of "unsafe programs developed by others", they had installed their own unsafe program (the Java runtime itself) on 3 billion devices.

Stay away from rogue websites and you will be safe

This is a very common belief I hear from average people: "I only visit a few trusted news sites and social media, I never visit those shady sites." I have some bad news. In the age of malvertising and compromised legitimate websites, you no longer have to visit shady sites to get infected; the ad network or the trusted site itself delivers the exploit.

Don't use open WiFi

I have a very long explanation of why this makes no sense in an earlier post. Actually, the whole recommendation is pointless, because people will connect to public WiFi no matter what we (InfoSec) recommend.

The password policy nightmare

I have covered this topic in two earlier blog posts. Long story short: use a password manager and two-factor authentication wherever possible, and let the password manager choose the password for you. And last but not least, corporate password policies suck.

Sites with a padlock are safe

For years we have told people that communication with HTTPS sites is safe, and that you can tell a site is HTTPS by finding a padlock icon (whose look and position change with every browser release) somewhere next to the URL. What people hear is that sites with padlocks are safe, whatever that means. The padlock only says the connection is encrypted to whoever holds the certificate; it says nothing about who that is or what they do with your data. The same goes for WiFi: a network with a padlock is "safe".

Use Linux, it is free from malware

For years people told Windows users that if only they used Linux, they would not have so much malware. Thanks to Android, now everyone in the world can enjoy malware on their Linux machine.

OSX is free from malware

It is true that there is significantly less malware for OSX than for Windows, but this is an "economic" question rather than a "security" one: the more people use OSX, the more attractive a target it becomes. Some people even believe they are safe from phishing because they are using a Mac!

Updated AV + firewall makes me 100% safe

There is no such thing as 100% safe. Unfortunately, most malware nowadays is written for PROFIT, which means its authors invest in bypassing these basic protections, and a sample can stay undetected for days (or weeks, months, years). The more proactive protection (exploit mitigation, behaviour-based detection) is built into the product, the better, but none of it gets you to 100%.

How to backup data

Although this is one of the most important security tips, and one that people do not follow, my problem here is not the advice to back up data, but how we as a community have failed to provide easy-to-use ways to do it. Now that crypto-ransomware is a real threat to every Windows (and some OSX) user, even people who keep backups on their NAS can find them encrypted as well, because a backup share that is permanently mounted and writable from the infected machine is just another drive to the ransomware. The only consolation is that OSX at least has Time Machine, which is not targeted yet and is the only backup solution that really works for average users.
The worst part is that we even created NAS devices that can be infected by worms themselves ...

Disconnect your computer from the Internet when not used

There is no need to comment on this. Whoever recommends things like that clearly has a problem.

Use a (free) VPN to protect your anonymity

First of all, there is no such thing as a free service: if it is free, you are the product. On the other hand, a paid VPN can introduce new vulnerabilities, and it won't protect your anonymity either. It merely replaces one ISP with another (your VPN provider), which now sees all of your traffic instead. Even Tor cannot guarantee anonymity by itself, and VPNs are much worse.

The corporate "security tips" myth

"Luckily" these toxic security tips have infected the enterprise environment as well, not just the home users.

Use robots.txt to hide secret information on public websites

It is 2016 and somehow web developers still believe this nonsense. A Disallow line in robots.txt does not hide anything; it is a public, machine-readable list of the paths you would rather nobody looked at, which is exactly why robots.txt is usually the first thing penetration testers and attackers check on a website.
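To show why robots.txt works against the site owner, here is an added example (not code from the original post): a few lines of Python that parse a robots.txt the way a recon script would, collect the Disallow entries, and flag the ones whose names hint at sensitive content. The sample robots.txt and the list of "interesting" path fragments are constructed for illustration.

```python
"""Parse a robots.txt the way a pentester reads it: as a list of paths the
owner did not want indexed, i.e. a recon target list.  Added example, not
from the original post; the robots.txt below is constructed for illustration."""

# Constructed sample: a site that "hides" its admin and backup locations.
SAMPLE_ROBOTS = """\
# Keep crawlers out of the boring parts
User-agent: *
Disallow: /cgi-bin/
Disallow: /admin/
Disallow: /backup/db_dump_2016.sql
Disallow: /internal/reports
Allow: /
Sitemap: https://www.example.com/sitemap.xml

User-agent: Googlebot
Disallow: /staging/
"""

# Path fragments that frequently mark sensitive functionality.  Illustrative,
# not exhaustive; extend it with whatever the target's naming scheme suggests.
INTERESTING = ("admin", "backup", "internal", "staging", "private", "config",
               "dump", ".sql", ".bak", "old", "test", "dev", "upload")


def parse_robots(text):
    """Return a list of (user_agent, directive, value) tuples, ignoring comments.

    Directive names are normalised to lowercase; a rule belongs to the most
    recent User-agent line above it ('*' if there was none)."""
    rules = []
    agent = "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            agent = value
        elif field in ("disallow", "allow", "sitemap"):
            rules.append((agent, field, value))
    return rules


def disallowed_paths(text):
    """All distinct Disallow paths, regardless of which agent they apply to.
    An empty 'Disallow:' means 'nothing is disallowed' and is skipped."""
    seen = []
    for _agent, directive, value in parse_robots(text):
        if directive == "disallow" and value and value not in seen:
            seen.append(value)
    return seen


def interesting_paths(text):
    """Disallow entries whose path contains a hint of sensitive content."""
    return [p for p in disallowed_paths(text)
            if any(hint in p.lower() for hint in INTERESTING)]


if __name__ == "__main__":
    flagged = set(interesting_paths(SAMPLE_ROBOTS))
    print("Paths disclosed by robots.txt:")
    for path in disallowed_paths(SAMPLE_ROBOTS):
        print(f"  {path}{'  <-- worth a look' if path in flagged else ''}")
```

Everything the file discloses should be requested directly during a test. If a path must not be reachable by outsiders, it needs authentication or should not be deployed at all; a Disallow line is a signpost, not a lock.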

My password policy is safer than ever

As previously discussed, passwords are bad. Very bad. And they will stick with us for decades ...

Use a WAF, IDS, IPS, next-gen APT detection gibberish and you will be safe

Companies should invest more in people and less in magic blinking boxes.

What would actually help instead:
Instead of shipping computers with bloatware, ship them with exploit protection software
Teach people how to use a password safe
Teach people how to use 2FA
Teach people how to use common sense

Conclusion

Computer security is complex, hard, and the risks change every year. Is this our fault? Probably. But these kinds of security tips won't help us save the world.


BurpSuite Introduction & Installation



What is BurpSuite?
Burp Suite is a Java-based web penetration testing framework that has become an industry-standard toolset for information security professionals. It helps you identify vulnerabilities in web applications and verify the attack vectors that affect them. Because of its popularity and the breadth and depth of its features, this page collects Burp Suite knowledge and information in one place.
In its simplest form, Burp Suite is an interception proxy. While browsing the target application, a penetration tester configures their browser to route its traffic through the Burp proxy listener (127.0.0.1:8080 by default). Burp then sits as a deliberate man-in-the-middle, capturing every request to and response from the target web application so that each can be inspected, modified and replayed. For HTTPS this only works because the tester installs Burp's own CA certificate in the browser: Burp terminates the TLS connection and re-encrypts it towards the server, which is exactly what a malicious MITM would do without your consent.
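To make "capturing and analyzing each request" concrete, here is an added example (not code from Burp Suite or from the original page) of the operations a tester performs on an intercepted request: parse the raw request as a proxy receives it, look at what the browser sent, tamper with a form parameter, and re-serialise the request with a recomputed Content-Length. The captured request, host name and parameter names are constructed for illustration.

```python
"""What an interception proxy lets you do with a captured request: parse it,
change a parameter, and re-serialise it with a correct Content-Length.  Added
example, not code from Burp Suite or the original page; the request below is
constructed for illustration."""
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample.  A browser talking to a proxy puts the absolute URL in
# the request line; that is how the proxy knows where to forward the request.
CAPTURED = (
    "POST http://shop.example.test/cart/update HTTP/1.1\r\n"
    "Host: shop.example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 21\r\n"
    "\r\n"
    "item=42&qty=1&price=9"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, target, version, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def header(req, name):
    """Case-insensitive header lookup; None if the header is absent."""
    for n, v in req["headers"]:
        if n.lower() == name.lower():
            return v
    return None


def set_header(req, name, value):
    """Replace a header in place (case-insensitive) or append it."""
    for i, (n, _) in enumerate(req["headers"]):
        if n.lower() == name.lower():
            req["headers"][i] = (n, value)
            return
    req["headers"].append((name, value))


def upstream_target(req):
    """Proxy clients send an absolute URI; the origin server expects a path."""
    parts = urlsplit(req["target"])
    if parts.scheme:
        path = parts.path or "/"
        return path + ("?" + parts.query if parts.query else "")
    return req["target"]


def set_form_param(req, name, value):
    """Edit one field of a form-encoded body and fix Content-Length, the step
    people forget when hand-editing a request in a proxy."""
    params = dict(parse_qsl(req["body"], keep_blank_values=True))
    params[name] = value
    req["body"] = urlencode(params)
    set_header(req, "Content-Length", str(len(req["body"].encode())))
    return req


def serialise(req, for_origin=True):
    """Rebuild the request; for_origin=True converts the absolute URI into the
    path form an origin server expects."""
    target = upstream_target(req) if for_origin else req["target"]
    lines = [f"{req['method']} {target} {req['version']}"]
    lines += [f"{n}: {v}" for n, v in req["headers"]]
    return "\r\n".join(lines) + "\r\n\r\n" + req["body"]


if __name__ == "__main__":
    req = parse_request(CAPTURED)
    set_form_param(req, "price", "0.01")   # classic client-side price tampering
    print(serialise(req))
```

Two details are easy to get wrong by hand: the absolute URL in the request line has to become a plain path before the request goes to the origin server, and any change to the body must be reflected in Content-Length, otherwise the server waits for bytes that never come or truncates the body. Burp handles both for you; knowing that they happen helps when a hand-edited request misbehaves.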

Everyone has their favorite security tools, but when it comes to mobile and web applications I've always found myself reaching for BurpSuite. It always seems to have everything I need, but for folks just getting started with web application testing it can be a challenge to put all of the pieces together. I'm just going to go through the installation to paint a clear picture of how to get it up and running quickly.

BurpSuite is freely available with everything you need to get started, and when you're ready to cut the leash, the professional version has some handy tools that make the whole process a little easier. I'll also go through how to install FoxyProxy, which makes it much easier to switch your proxy setup, but we'll get to that a little later.

Requirements and assumptions:

Mozilla Firefox 3.1 or later
Knowledge of Firefox add-ons and how to install them
The Java Runtime Environment installed

Download BurpSuite from http://portswigger.net/burp/download.html and make a note of where you save it.

Download the FoxyProxy Standard add-on for Firefox from https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/


You need a compatible version of Java installed (the JRE listed above) to run BurpSuite. If this is your first time running the JAR file, it may take a minute or two to load, so be patient and wait.

APPLE IPHONE X FACE ID CAN BE HACKED WITH SILICONE MASK

Just a week after Apple released its brand new iPhone X on November 3, a team of researchers claimed to have successfully fooled Apple's Face ID facial recognition with a mask that cost less than $150. They said the iPhone X's Face ID can be bypassed with a mask built from 3D-printed and 2D-printed parts and a silicone nose.

Yes, Apple's "ultra-secure" Face ID for the iPhone X is not as secure as the company claimed at its launch event in September this year.

"Apple engineering teams have even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID," Apple's senior VP of worldwide marketing Phil Schiller said about Face ID system during the event.

"These are actual masks used by the engineering team to train the neural network to protect against them in Face ID."

However, the bad news is that researchers from the Vietnamese cybersecurity firm Bkav were able to unlock the iPhone X using a mask.

Bkav's approach is more practical than holding the phone up to the owner's face while they sleep. The researchers re-created the owner's face from a 3D-printed frame, makeup and 2D printed images, with some "special processing done on the cheeks and around the face, where there are large skin areas", and a nose made of silicone.

The researchers also published a proof-of-concept video showing the brand-new iPhone X being unlocked first with the specially constructed mask and then with the Bkav researcher's own face, each on the first attempt.

"Many people in the world have tried different kinds of masks but all failed. It is because we understand how AI of Face ID works and how to bypass it," an FAQ on the Bkav website said.

"You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID's AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought."

The researchers explain that their proof-of-concept demo took about five days after they got the iPhone X on November 5. They also said the demo was performed against one team member's face, without training the iPhone X to recognize any component of the mask.

"We used a popular 3D printer. The nose was made by a handmade artist. We use 2D printing for other parts (similar to how we tricked Face Recognition 9 years ago). The skin was also hand-made to trick Apple's AI," the firm said.

The firm said the parts cost around $150 (not including the 3D printer), though it did not specify how many attempts its researchers needed to bypass Face ID.

It should be noted that building such a mask is a slow, targeted attack that requires a detailed model of the victim's face; it is not a way to break into a random person's iPhone.

However, if you value privacy and security over convenience, we recommend using a passcode instead of a fingerprint or Face ID to unlock your phone.

30 May 2023

Hackerhubb.blogspot.com

Hackerhubb.blogspot.comRelated links
  1. Tools For Hacker
  2. Tools 4 Hack
  3. Hacker Tools 2019
  4. Hacking Tools Mac
  5. Tools For Hacker
  6. Hacker Tools Github
  7. Hacking Tools And Software
  8. Pentest Tools
  9. Hacking Tools Usb
  10. Hacker Tools For Pc
  11. Pentest Tools For Mac
  12. Beginner Hacker Tools
  13. Hack Tools Mac
  14. Pentest Tools For Mac
  15. Hacker Tools 2019
  16. Hacker Techniques Tools And Incident Handling
  17. Pentest Tools Download
  18. Hacker Tools Windows
  19. Pentest Tools Review
  20. Pentest Tools Website
  21. Hacking Tools Name
  22. Pentest Tools Github
  23. Pentest Box Tools Download
  24. Hacking Tools Download
  25. Hack Tools
  26. Pentest Tools Github
  27. Hacker Tools For Pc
  28. Hack App
  29. Best Pentesting Tools 2018
  30. Pentest Tools For Mac
  31. Hacking Tools Download
  32. Hack Rom Tools
  33. Hacking Tools Free Download
  34. Hacking Tools Free Download
  35. Pentest Tools Free
  36. Hacking Tools For Windows 7
  37. Hack Tools For Mac
  38. Pentest Tools For Ubuntu
  39. Hack Tools Pc
  40. Hacking Tools Windows
  41. Physical Pentest Tools
  42. Physical Pentest Tools
  43. Nsa Hack Tools Download
  44. Hacker Tools Software
  45. Hacker Hardware Tools
  46. Pentest Tools Online
  47. Github Hacking Tools
  48. What Are Hacking Tools
  49. Hacking Tools Github
  50. Hack Tools Pc
  51. Hacking Tools Github
  52. What Is Hacking Tools
  53. What Is Hacking Tools
  54. Hacking Tools Kit
  55. Blackhat Hacker Tools
  56. Hacker Tools Apk
  57. Hak5 Tools
  58. Hacking Tools For Windows
  59. Hacker Tools For Windows
  60. Hak5 Tools
  61. Pentest Tools Subdomain
  62. Hacker Search Tools
  63. Hack Tools Pc
  64. New Hacker Tools
  65. Hacking Tools For Beginners
  66. New Hacker Tools
  67. Hack Website Online Tool
  68. Hack Tools Mac
  69. Hack Tools Mac
  70. Hack Tools For Mac
  71. Best Hacking Tools 2019
  72. Pentest Recon Tools
  73. Beginner Hacker Tools
  74. Hacker Tools Github
  75. Hacking Tools For Pc
  76. Hack Website Online Tool
  77. What Is Hacking Tools
  78. Hacking Tools For Windows
  79. Black Hat Hacker Tools
  80. Tools Used For Hacking
  81. Hacker Tools
  82. New Hacker Tools
  83. Pentest Tools Online
  84. Hacker
  85. Android Hack Tools Github
  86. Pentest Tools Windows
  87. Physical Pentest Tools
  88. Hacking Tools
  89. Hacking Tools 2019
  90. Beginner Hacker Tools
  91. Hacking Tools Software
  92. Kik Hack Tools
  93. Hack App
  94. Hacking Tools Download
  95. How To Make Hacking Tools
  96. Hack Tools Pc
  97. Pentest Tools For Mac
  98. Hack Tools
  99. New Hack Tools
  100. Hacking Tools 2019
  101. Hacking Tools For Pc
  102. Nsa Hack Tools Download
  103. Hack Tools Github
  104. Tools 4 Hack
  105. Pentest Tools Port Scanner
  106. How To Install Pentest Tools In Ubuntu
  107. Hack Tools For Mac
  108. Hack Tools Mac
  109. Hacking Tools Software
  110. Hacker Security Tools
  111. Nsa Hack Tools Download
  112. Tools 4 Hack
  113. Top Pentest Tools
  114. Hacking Tools For Windows 7
  115. Hacker Security Tools
  116. Usb Pentest Tools
  117. How To Hack
  118. Pentest Tools Port Scanner
  119. Hacker Security Tools
  120. Hack Tools For Windows
  121. New Hack Tools
  122. Hacking App
  123. Hacker Tools Apk Download
  124. Hacking Tools Windows
  125. Free Pentest Tools For Windows
  126. Pentest Tools Framework
  127. Pentest Box Tools Download
  128. Hacking App
  129. Pentest Tools Download
  130. Hack Tools For Windows
  131. What Are Hacking Tools
  132. Hack And Tools
  133. Pentest Tools Website
  134. Pentest Tools Github
  135. Hacking Tools For Mac
  136. Pentest Tools Apk
  137. New Hack Tools
  138. Easy Hack Tools
  139. Hack Website Online Tool
  140. New Hacker Tools
  141. Computer Hacker
  142. Hacking Tools For Games
  143. Hacking Tools Name
  144. Hacking Tools 2019
  145. Pentest Tools Nmap
  146. Physical Pentest Tools
  147. Pentest Tools Android
  148. Pentest Recon Tools
  149. Hacking Tools Windows 10
  150. Pentest Tools Subdomain
  151. Hacker Tools Software
  152. Pentest Tools For Mac
  153. Black Hat Hacker Tools
  154. Hacking Tools 2019
  155. Hacker Tools 2019
  156. Nsa Hack Tools Download
  157. Hacks And Tools