Categories
Alvosec

Public WiFi is not secure

Free WiFi is now widely available in airports, hotels, and coffee shops. This is convenient for people who need the internet on the go, such as business travelers checking work email or sharing documents. Using public WiFi hotspots also carries risk, however, particularly from Man in the Middle (MitM) attacks: on an open network every other device within radio range shares the medium with you, and the person running the hotspot sits in the path of all your traffic.

A MitM attack is one in which a malicious party inserts itself into the communication between two parties. A common variant on public WiFi is for the attacker to intercept a user's request for a website and answer with a fraudulent copy of the page. Any site can be targeted, including online banking, file sharing, and email providers. For example, if an attacker intercepts the traffic between a user and their email provider, they can redirect the user to a fake login page and capture the username and password, then use the compromised mailbox to send phishing emails to the victim's contacts.

In a MitM attack, the third party relays the data between the two endpoints while posing as a legitimate intermediary, so neither side notices anything wrong. These attacks are often used to trick users into entering sensitive information on a fake website, but they can also be used simply to read or alter a private conversation.

WiFi eavesdropping is a type of Man in the Middle (MitM) attack in which an attacker uses a public WiFi network to monitor the activity of everyone who connects to it. The intercepted information can include personal data as well as patterns in internet traffic and browsing. A common way to set this up is to create a fake WiFi network with a name that looks legitimate, a method known as the Evil Twin. For example, a customer enters a coffee shop and sees three WiFi networks with similar names: CoffeeShop, CoffeeShop1, and CoffeeShop2. One of these may well be a fake created by an attacker. By collecting data from any device that connects to the fake network, the attacker can steal login credentials, credit card numbers, and other sensitive data that is sent without encryption.
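
The evil-twin scenario above, as an added example that is not part of the original article: a Python script that parses a WiFi scan and flags SSIDs that look like twins or lookalikes. It assumes the terse output format of nmcli (nmcli -t -f SSID,BSSID,CHAN,SECURITY dev wifi list: colon-separated fields, with a colon inside a value escaped as a backslash-colon); the scan lines in the block are constructed sample data, and the three heuristics are my own, not something nmcli provides. A legitimate network with several access points does use one SSID on several BSSIDs, which is why the script only reacts to mixed security or mixed vendors, not to repetition alone.

```python
"""Flag likely evil-twin access points in a Wi-Fi scan.

Added example, not from the original article. It parses the terse output of
`nmcli -t -f SSID,BSSID,CHAN,SECURITY dev wifi list` (fields separated by
':'; a ':' inside a value is escaped as backslash-colon) and applies
heuristics of my own:
  1. an open AP advertises the same SSID as a WPA-protected AP;
  2. one SSID is served by BSSIDs from more than one vendor OUI (legitimate
     multi-AP deployments normally use one vendor's hardware);
  3. SSIDs that differ only by a trailing number (CoffeeShop / CoffeeShop1).
SAMPLE_SCAN is constructed data in that format.
"""
import re
from collections import defaultdict

SAMPLE_SCAN = """\
CoffeeShop:AA\\:BB\\:CC\\:11\\:22\\:01:6:WPA2
CoffeeShop:AA\\:BB\\:CC\\:11\\:22\\:02:11:WPA2
CoffeeShop:DE\\:AD\\:BE\\:EF\\:00\\:01:6:
CoffeeShop1:DE\\:AD\\:BE\\:EF\\:00\\:02:1:
HomeNet:00\\:11\\:22\\:33\\:44\\:55:36:WPA3
"""


def parse_nmcli_terse(text):
    """Parse nmcli -t lines into dicts; SECURITY is '' for an open network."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # split on ':' that is not preceded by a backslash, then unescape
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) < 4:
            raise ValueError("unexpected nmcli line: %r" % line)
        ssid, bssid, chan, security = fields[:4]
        aps.append({"ssid": ssid, "bssid": bssid.upper(),
                    "chan": int(chan), "security": security})
    return aps


def find_evil_twins(aps):
    """Map SSID -> list of reasons it looks like it has an evil twin."""
    by_ssid = defaultdict(list)
    for ap in aps:
        by_ssid[ap["ssid"]].append(ap)
    findings = {}
    for ssid, group in by_ssid.items():
        reasons = []
        open_aps = [ap["bssid"] for ap in group if ap["security"] == ""]
        secured = [ap["bssid"] for ap in group if ap["security"] != ""]
        if open_aps and secured:
            reasons.append("open AP(s) %s advertise the same SSID as secured AP(s) %s"
                           % (", ".join(open_aps), ", ".join(secured)))
        ouis = sorted({ap["bssid"][:8] for ap in group})  # first 3 octets = vendor OUI
        if len(ouis) > 1:
            reasons.append("BSSIDs come from %d different vendor OUIs: %s"
                           % (len(ouis), ", ".join(ouis)))
        if reasons:
            findings[ssid] = reasons
    return findings


def lookalike_ssids(aps):
    """Group SSIDs that differ only by a trailing number, e.g. CoffeeShop/CoffeeShop1."""
    base_to_ssids = defaultdict(set)
    for ap in aps:
        base = re.sub(r"[\s\-_]*\d+$", "", ap["ssid"]).lower()
        base_to_ssids[base].add(ap["ssid"])
    return {base: sorted(names) for base, names in base_to_ssids.items() if len(names) > 1}


if __name__ == "__main__":
    scan = parse_nmcli_terse(SAMPLE_SCAN)
    for ssid, reasons in find_evil_twins(scan).items():
        print("SUSPICIOUS %-12s %s" % (ssid, "; ".join(reasons)))
    for base, names in lookalike_ssids(scan).items():
        print("LOOKALIKE  %-12s %s" % (base, " / ".join(names)))
```

On a real machine replace SAMPLE_SCAN with the output of the nmcli command named in the lead-in. A hit is a reason to ask the staff which network is theirs, not proof of an attack: a venue that mixes hardware vendors or runs a deliberate open guest SSID next to a staff SSID will trigger the same heuristics.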

Packet sniffing is another way criminals intercept data. A packet sniffer is a program that records network traffic; IT professionals use them to diagnose problems, but on an open WiFi network anyone within radio range can run one and capture every frame that is not protected by encryption at a higher layer. Even if nothing appears to happen at first, victims may later discover that someone has committed identity fraud against them or that their company's confidential information has been leaked.

Cookie theft and session hijacking are related risks on public WiFi networks. Cookies are small pieces of data that a website hands to the browser so that it can recognise the user on later requests; they are stored locally on the user's computer. Cookies cannot carry malware, but they are a privacy risk and a frequent target of MitM attacks. If an attacker can intercept the cookies a user's browser sends to a website, they can replay them, a process called cookie theft. That leads to session hijacking, in which the attacker impersonates the victim and talks to the website on their behalf without ever needing the password. The cookies at risk are the ones sent over plain HTTP; a cookie sent only over HTTPS is encrypted in transit. Session hijacking is more common at public WiFi hotspots because they are easier to monitor and more exposed to MitM attacks.

There are several ways you can protect yourself from Man in the Middle (MitM) attacks while using public WiFi networks:

  1. Turn off any setting that allows your device to connect automatically to available WiFi networks.
  2. Turn off file sharing and log out of accounts you are not using.
  3. Use password-protected WiFi networks wherever possible, and avoid sending or accessing sensitive information on public networks.
  4. Keep your operating system and antivirus software up to date.
  5. Avoid conducting financial activities, including cryptocurrency transactions, while using public networks.
  6. Use websites that use HTTPS, and never click through a certificate warning. An attacker on the network can try to downgrade you to plain HTTP (SSL stripping) or send you to a lookalike domain with its own valid certificate, so check that the padlock is present and that the domain name is exactly the one you expect.
  7. Consider using a Virtual Private Network (VPN) for added security, especially when accessing sensitive or business-related data.
  8. Be cautious of fake WiFi networks, and confirm the authenticity of the network with staff before connecting.
  9. Turn off your WiFi and Bluetooth when not in use, and avoid connecting to public networks if possible.

Using hashcat to recover your passwords

Hashcat is a password recovery tool that recovers passwords from their hashes by guessing candidates (dictionary, rule, mask and brute-force attacks), hashing each one with the same algorithm and stopping when the result matches. It is popular among cybersecurity professionals and researchers because it handles a very wide range of hash types and algorithms.

Hashcat can attack hashes extracted from password-protected zip files and office documents, and WPA handshakes captured in pcap files once the capture has been converted to hashcat's own hash format. It supports over 250 hash modes and offers features such as mask attacks, which let you shape the guesses. It does not "decrypt" anything: a hash is not reversible, so every success is a correct guess. Hashcat runs on CPUs and GPUs and is available for Linux, Windows and macOS.

To use Hashcat you need the hash of the password you want to crack, then you run Hashcat with the options appropriate for that hash type and attack. Hashcat has many options and algorithms, so it is worth reading its documentation before you start.

How to Install Hashcat

To install it in Ubuntu / Debian-based systems, use the following command:

sudo apt install hashcat

Once the installation is done, we can check Hashcat’s help menu using this command:

hashcat -h

(Screenshot: the hashcat help output.)

How to Work with Hashcat

Now that we know what Hashcat is, let's crack some passwords.

Let's create two hashes, an MD5 hash and a SHA1 hash, of the string "password" (for example with echo -n password | md5sum and echo -n password | sha1sum; the -n matters, otherwise the trailing newline is hashed too).

MD5 hash -> 5f4dcc3b5aa765d61d8327deb882cf99

SHA1 hash -> 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

We can store these hashes under the names md5.txt and sha1.txt to use them when working with Hashcat.

To crack a password using Hashcat, here is the general syntax.

hashcat -m value -a value hashfile wordlist

Let's dissect the syntax. We have used two flags, -m and -a. The -m flag specifies the hash type (0 is MD5, 100 is SHA1) and the -a flag specifies the attack mode. The full list of hash mode numbers and attack modes is printed by hashcat -h.

Attack modes:

      0 = Straight
      1 = Combination
      3 = Brute-force
      6 = Hybrid Wordlist + Mask
      7 = Hybrid Mask + Wordlist

Straight Attack, also known as a dictionary or wordlist attack.

Combinator Attack involves the combination of two wordlists to obtain a password guess.

Brute-force Attack uses masks built from the built-in charsets below to set the range and type of characters tried at each position. Masks pay off when you already have an idea of what the password looks like, for instance after some social engineering.

 ? | Charset
===+=========
 l | abcdefghijklmnopqrstuvwxyz
 u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
 d | 0123456789
 h | 0123456789abcdef
 H | 0123456789ABCDEF
 s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
 a | ?l?u?d?s
 b | 0x00 - 0xff

Mask attack is a password cracking technique that lets you specify a pattern for the password being sought instead of supplying a list of candidates. It is particularly useful when you know something about the structure of the password but not the password itself.

For example, suppose you know the password is 8 characters long and consists only of lowercase letters. The mask ?l?l?l?l?l?l?l?l tells hashcat to try every combination of 8 lowercase letters (26^8, about 2.1 x 10^11 candidates). If the password could also contain digits, define a custom charset with -1 ?l?d and use the mask ?1?1?1?1?1?1?1?1 instead (36^8, about 2.8 x 10^12 candidates). Either is far cheaper than trying all printable characters (?a at each position, 95^8, about 6.6 x 10^15), because the search space is restricted to passwords that match the pattern.

To run a mask attack, pass -a 3, then the hash file, then the mask. Quote the mask so the shell does not treat ? as a filename wildcard. For example:

hashcat -m 0 -a 3 hash.txt '?l?l?l?l?l?l?l?l'

This tells hashcat to crack the MD5 hashes in hash.txt (-m 0) by trying every candidate the mask describes.

You can also mix literal characters into a mask. If you remember that the password started with "alice" but have forgotten the number that followed, this mask tries alice followed by any four digits:

hashcat -m 0 -a 3 hash.txt 'alice?d?d?d?d'

Avoid adding --force: it only suppresses hashcat's driver and hardware warnings, which can hide a broken OpenCL/CUDA setup and produce false negatives.
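
To make the straight (-a 0) and mask (-a 3) attacks described above concrete, here is an added toy reimplementation in Python. It is not hashcat's code and is many orders of magnitude slower; it exists to show the mechanism: a straight attack hashes each word of a list, a mask attack enumerates every string the mask describes, and both compare digests against the target. The hash mode numbers mirror hashcat's -m 0 (MD5) and -m 100 (SHA1); the charsets are hashcat's built-ins; the word list and the "alice2023" target are constructed for the example, while the two "password" digests are the ones from this article.

```python
"""Toy versions of hashcat's straight (-a 0) and mask (-a 3) attacks.

Added example, not hashcat's code: it shows what the tool does under the
hood. Hash mode numbers mirror hashcat's -m 0 (MD5) and -m 100 (SHA1).
SAMPLE_WORDLIST is constructed; the "alice" target is built from a known
plaintext so that the mask run has something to find.
"""
import hashlib
import itertools
import string

HASH_MODES = {0: hashlib.md5, 100: hashlib.sha1}

# hashcat's built-in charsets (?s is space plus the 32 ASCII punctuation marks)
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " " + string.punctuation,
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def expand_mask(mask, custom=None):
    """Turn a mask such as 'alice?d?d' into one charset per position.

    '?l' etc. are built-ins, '?1'..'?4' are user charsets (hashcat -1 .. -4),
    '??' is a literal '?', and any other character stands for itself.
    """
    custom = custom or {}
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            if key == "?":
                positions.append("?")
            elif key in custom:
                positions.append(custom[key])
            elif key in CHARSETS:
                positions.append(CHARSETS[key])
            else:
                raise ValueError("unknown charset ?" + key)
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def custom_charset(spec):
    """Build a user charset from a mask-style spec, e.g. '?l?d' -> a-z0-9."""
    return "".join(expand_mask(spec))


def keyspace(mask, custom=None):
    """Number of candidates the mask describes (what hashcat reports as keyspace)."""
    n = 1
    for charset in expand_mask(mask, custom):
        n *= len(charset)
    return n


def straight_attack(target_hex, mode, wordlist):
    """-a 0: hash every word from the list and compare with the target."""
    digest, target = HASH_MODES[mode], target_hex.lower()
    for word in wordlist:
        if digest(word.encode()).hexdigest() == target:
            return word
    return None


def mask_attack(target_hex, mode, mask, custom=None):
    """-a 3: enumerate every candidate the mask describes and compare."""
    digest, target = HASH_MODES[mode], target_hex.lower()
    for combo in itertools.product(*expand_mask(mask, custom)):
        candidate = "".join(combo)
        if digest(candidate.encode()).hexdigest() == target:
            return candidate
    return None


SAMPLE_WORDLIST = ["123456", "letmein", "qwerty", "password", "welcome1"]  # constructed
MD5_PASSWORD = "5f4dcc3b5aa765d61d8327deb882cf99"           # md5("password")
SHA1_PASSWORD = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"  # sha1("password")
MD5_ALICE = hashlib.md5(b"alice2023").hexdigest()           # constructed target

if __name__ == "__main__":
    print("straight (-m 0):  ", straight_attack(MD5_PASSWORD, 0, SAMPLE_WORDLIST))
    print("straight (-m 100):", straight_attack(SHA1_PASSWORD, 100, SAMPLE_WORDLIST))
    print("mask alice?d?d?d?d:", mask_attack(MD5_ALICE, 0, "alice?d?d?d?d"))
    print("keyspace ?l x8:", keyspace("?l" * 8))
    print("keyspace ?1 x8 with -1 ?l?d:", keyspace("?1" * 8, {"1": custom_charset("?l?d")}))
```

The keyspace function is the useful part when planning a real run: compute it for the mask you intend to use, divide by the hash rate hashcat reports in its benchmark (hashcat -b), and you know in advance whether the attack finishes in minutes or in years.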

Summary

Hashing converts data such as a password into a fixed-length digest using a one-way function: the original input cannot be computed back from the digest. Hashcat does not reverse that function; it guesses candidate passwords, hashes each one with the same algorithm, and reports a match. That is why fast, unsalted hashes such as MD5 and SHA1 fall quickly to wordlists and masks, while long random passwords and slow salted hashes (bcrypt, scrypt, Argon2) resist this approach.


Address poisoning attack

In this scenario, the attacker generates a vanity address that resembles an address the victim regularly sends to, in order to trick them into sending funds to the wrong account. The attacker sends small amounts of cryptocurrency, such as USDT, to the victim's address so that the lookalike shows up in the victim's transaction history on a block explorer or in the wallet. When the victim later wants to send funds and copies an address from that history, they may pick the attacker's address instead of the real one. If they then send funds to it, the transfer is irreversible. This attack relies on the victim's inattention and is difficult to defend against technically.

A vanity address is a cryptocurrency address that has been customized to include a specific word or phrase. For example, a person’s name, a company name, or a message of their choice. Vanity addresses are typically created using special tools that allow the user to generate an address with a specific pattern of characters. These addresses are not inherently more secure than regular addresses, but they can be more memorable and can be used to create a personal brand or identity within the cryptocurrency community.

Although it looks like a dusting attack, this is something different: it is closer to social engineering and phishing, with a vanity address as the lure.

Analysis:

Attack vector

Users who encounter this do not need to panic: assets are safe, and no private key has been leaked or compromised. You only need to confirm the address carefully and not transfer to the wrong one.

Always double check full address, before sending crypto assets.

In this attack, the attacker monitors stablecoin transfers on the blockchain and picks out transactions that a victim (A) regularly sends to another user (B). The attacker then generates a new address (C) whose first and last few characters match B's address, and uses C to send small amounts of stablecoin to A. The goal is to get A to copy the wrong address from their history and send funds to C by mistake. The attack resembles a dusting attack, but its aim is social engineering and phishing. Users must carefully confirm the full address of every transaction to avoid falling victim to it.

Here is an example of legit ETH address:

0xe096886ef8f595a26f2a00314e11149d619d9734

This one is vanity address, which can be confused for the real one:

0x3923e0289Ed93eD6Bfcea1a1F72e392Cd1Ad9734

Vanity addresses with a desired prefix and suffix can be produced with off-the-shelf vanity-address generators, which is exactly what the attacker does: the generator grinds through random keys until one yields an address with the wanted first and last characters.

Before you send any assets to other crypto address make sure to whitelist that address and double check full address (not only last digits)!
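
The check a wallet should perform before sending, as an added Python example that is not part of the original post: it compares the destination against a whitelist (address book) and refuses to send when the destination is not an exact match but shares the first or last characters with a whitelisted address, which is all a user comparing a truncated "0xe096...9734" display would see. The address book entry "bob" is constructed; the two addresses are the legitimate and vanity addresses shown above. Addresses are compared case-insensitively because EIP-55 checksummed addresses use mixed case for the same account.

```python
"""Lookalike check for an outgoing transfer address, run before sending.

Added example, not from the original post. ADDRESS_BOOK is a constructed
whitelist; POISONED is the vanity address shown in the post. Ethereum
addresses are compared case-insensitively (EIP-55 mixed case is only a
checksum, not a different account).
"""
import re

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr):
    """Validate shape (0x + 40 hex digits) and lower-case for comparison."""
    if not HEX_ADDR.match(addr):
        raise ValueError("not a 20-byte hex address: %r" % addr)
    return addr.lower()


def lookalike_warnings(destination, address_book, prefix_len=4, suffix_len=4):
    """Return the known addresses the destination imitates.

    A hit means: not identical to a whitelisted address, but sharing its first
    `prefix_len` and/or last `suffix_len` hex characters.
    """
    dest = normalize(destination)[2:]
    hits = []
    for label, known in address_book.items():
        k = normalize(known)[2:]
        if k == dest:
            continue
        same_prefix = dest[:prefix_len] == k[:prefix_len]
        same_suffix = dest[-suffix_len:] == k[-suffix_len:]
        if same_prefix or same_suffix:
            hits.append({"label": label, "known": "0x" + k,
                         "same_prefix": same_prefix, "same_suffix": same_suffix})
    return hits


def check_transfer(destination, address_book):
    """Decision for the wallet UI: 'ok' (exact whitelist match), 'block'
    (imitates a whitelisted address) or 'unknown' (not whitelisted at all)."""
    dest = normalize(destination)
    if any(normalize(a) == dest for a in address_book.values()):
        return "ok"
    if lookalike_warnings(destination, address_book):
        return "block"
    return "unknown"


ADDRESS_BOOK = {"bob": "0xe096886ef8f595a26f2a00314e11149d619d9734"}  # constructed entry
POISONED = "0x3923e0289Ed93eD6Bfcea1a1F72e392Cd1Ad9734"               # vanity address from the post

if __name__ == "__main__":
    for label, dest in [("real", ADDRESS_BOOK["bob"]), ("poisoned", POISONED)]:
        print(label, dest, "->", check_transfer(dest, ADDRESS_BOOK))
        for w in lookalike_warnings(dest, ADDRESS_BOOK):
            print("   imitates", w["label"], w["known"],
                  "prefix" if w["same_prefix"] else "", "suffix" if w["same_suffix"] else "")
```

Run the same comparison against your recent transaction history as well as the whitelist: the attacker chooses the lookalike to match addresses you have actually used, so history is where the collision will show up. An "unknown" result is not a reason to block, but it is a reason to verify the address through a second channel before the first transfer.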


What is a ransomware attack?

How do ransomware attacks work?

Ransomware encrypts the files on your device so that you cannot access them without the decryption key, or it locks the device completely. The two families are called crypto-ransomware and locker ransomware respectively. After infecting the device, the criminals demand a ransom, typically $1000 to $5000 in Bitcoin per device, in exchange for the key that supposedly restores the files or the device. Whether they actually hand it over is entirely up to them.

How can ransomware infect my device?

Ransomware, like any other trojan, has to get onto the device somehow: either the victim downloads it by accident or malware that is already present fetches it. Common delivery routes are email attachments, compromised or malicious websites and ads, and unsafe Wi-Fi networks. Phishing is the most common way of sneaking ransomware onto a victim's device, and other malware can download ransomware without you noticing.

Can ransomware infect my mobile phone?

Yes. Mobile ransomware exists for both iOS and Android, and it is a growing threat because of the huge number of people using smart devices. So-called smishing (phishing by SMS) is a common way for criminals to infect mobile devices. Mobile antivirus apps can help protect an Android or iOS device.

Can I remove a ransomware infection?

Ransomware removal is tricky and sometimes impossible once it has run, and removing the malware does not decrypt the files it already encrypted. Protection therefore starts with trustworthy antivirus software that stops the infection, and with regular backups so that if you are attacked you can restore from them.

How can I get my encrypted files back?

Paying the ransom does not guarantee that you get your files back. Check whether a free decryption tool exists for the ransomware family you were hit with; for some families the keys have been recovered or the encryption was implemented badly.

Should I pay the ransom?

If you have become a victim of a ransomware attack, paying the ransom can feel like the easiest way to get your encrypted files or your locked device back. However, you cannot be certain that the criminals behind the attack will do as they say once the ransom is paid. On top of that, paying encourages criminals to seek more targets who are willing to pay and comply with their demands.

Paying the ransom also finances the criminals and enables them to aim higher in their next campaigns. Even so, large companies have been found to be very willing to comply with ransomware attackers' demands and end up paying. For these organizations the cost and disruption of not being able to operate are too high, so they would rather pay.

Why do ransomware attackers want bitcoin?

Payment in bitcoin is the usual demand, and other cryptocurrencies are sometimes used. Why? Cryptocurrency payments need no bank or payment processor that could block or reverse them, and a wallet address is not tied to a verified identity. Bitcoin is pseudonymous rather than anonymous, though: every transaction is recorded on a public ledger, and investigators routinely trace ransom payments to the exchanges where they are cashed out.

What is ransomware-as-a-service (RaaS)?

In addition to crypto-ransomware that encrypts your files and locker ransomware that locks the devices it infects, there is one more form of ransomware to consider: ransomware-as-a-service, or RaaS for short. With RaaS, cyber criminals offer their malware and infrastructure to people who lack the technical skills to develop ransomware of their own. In such a setup, the entity providing the ransomware program is the RaaS operator, and the person or group paying for the operator's service is the RaaS affiliate.

What are some recent ransomware examples?

Unfortunately, the number of ransomware attacks and ransomware families has been increasing. The most widespread and impactful ones make their way into national and global news. Here are some examples.

WannaCry: Ransomware attack on the NHS

One notable ransomware attack in the UK in 2017 was the WannaCry attack on the National Health Service (NHS). The estimated cost to the NHS was 92 million pounds after the attack caused 19,000 appointments to be cancelled. The NHS was far from the only large organization affected: the global cost of WannaCry has been estimated at 4 billion dollars.

WannaCry encrypted data on the computers it infected and demanded payment in bitcoin in exchange for the data. It spread on its own as a worm, exploiting a Windows SMB vulnerability (MS17-010) on machines that had not applied the patch, which is why organizations with many unpatched Windows systems, such as healthcare services and sizeable companies, were hit hardest.

Other well-known ransomware attacks

  • CryptoLocker
  • Ryuk
  • Petya and NotPetya
  • Bad Rabbit
  • Locky
  • GoldenEye

5 simple anti-ransomware tips

  • Make sure you are running an effective internet security program on all your devices.
  • Take regular backups of your data, and store them offline so that the ransomware cannot reach and encrypt them too.
  • Keep your software and operating systems up to date, and enable automatic updates so they stay that way.
  • Be skeptical of email links and attachments. Type links into your browser rather than clicking from the email, and be extra careful with attachments that ask you to enable or allow something, such as macros, editing or content.
  • Flash Player and Silverlight have both reached end of life and should be uninstalled rather than merely disabled; any remaining browser plugins you rarely need should be disabled in the browser's plugin settings when not in use.

Protect files and folders from accidental deletion

There are several ways to protect files from accidental deletion on Linux. One approach is to use the chmod command to remove write permission from the file. For example, the following removes write permission for the group and others on a file called myfile:

chmod go-w myfile

Be clear about what this does and does not do. On Linux, whether a file can be deleted is decided by the permissions of the directory that contains it, not of the file itself: anyone with write and execute permission on the directory can unlink the file whatever its mode. What removing the write bit buys you is that an interactive rm (without -f) asks "remove write-protected regular file?" before deleting, which catches slips. To stop other users deleting the file, remove write permission from the directory instead, or set the sticky bit (chmod +t) on a shared directory so that only a file's owner can remove it. None of this stops the owner deliberately running rm -f.
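
To show which permission actually gates deletion, here is an added Python check that is not part of the original post. It creates a scratch directory and tries, as the current user, (1) to unlink a file with no write bits in a writable directory and (2) to unlink a writable file from a directory with no write bit, reporting what happened rather than assuming. It assumes a Linux or other POSIX system; root bypasses these permission checks (CAP_DAC_OVERRIDE), so the result for case 2 depends on who runs it.

```python
"""Which permission actually controls deletion on Linux?

Added example, not from the original post. Each function creates a scratch
directory, sets up one case, attempts the unlink and returns whether it
succeeded. Assumes a POSIX system; as root both unlinks succeed because
root bypasses discretionary permission checks.
"""
import os
import tempfile


def running_as_root():
    return os.geteuid() == 0


def _try_unlink(path):
    try:
        os.unlink(path)
        return True
    except PermissionError:
        return False


def can_delete_readonly_file():
    """File mode 0444 (chmod a-w myfile) in a writable directory: unlink allowed?"""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "myfile")
        open(path, "w").close()
        os.chmod(path, 0o444)
        return _try_unlink(path)          # True: the file's own mode is irrelevant


def can_delete_in_readonly_dir():
    """Writable file inside a directory with mode 0555 (chmod a-w dir): unlink allowed?"""
    with tempfile.TemporaryDirectory() as d:
        sub = os.path.join(d, "protected")
        os.mkdir(sub)
        path = os.path.join(sub, "myfile")
        open(path, "w").close()
        os.chmod(path, 0o666)
        os.chmod(sub, 0o555)
        try:
            return _try_unlink(path)      # False for a normal user, True for root
        finally:
            os.chmod(sub, 0o755)          # let TemporaryDirectory clean up


if __name__ == "__main__":
    print("running as root:", running_as_root())
    print("unlink 0444 file in writable dir:", can_delete_readonly_file())
    print("unlink 0666 file in 0555 dir:    ", can_delete_in_readonly_dir())
```

Run it as an ordinary user to see the asymmetry: the read-only file goes away without complaint, while the writable file in the read-only directory survives. The same directory-level rule is why removing write permission from a directory, or setting its sticky bit, is the permission-based protection that actually holds up.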

Another way to protect files from accidental deletion on Linux is to use the chattr command to set the i attribute on the file, which makes it immutable. This means that the file cannot be deleted, even by the owner, unless the attribute is first removed. To set the i attribute on a file called myfile, you can use the following command:

chattr +i myfile

To remove the i attribute, you can use the following command:

chattr -i myfile

Keep in mind that the immutable attribute is supported by the mainstream Linux filesystems (ext2/ext3/ext4, XFS and Btrfs among others) but not by every filesystem, and that setting or clearing it requires root (the CAP_LINUX_IMMUTABLE capability). While the attribute is set, the file also cannot be modified, renamed or hard-linked, not only not deleted.

Another way to protect files from accidental deletion on Linux is to use a version control system, such as Git, to track changes to your files. This allows you to revert any changes, including accidental deletions, by restoring an older version of the file from the version control history.

You can also create an alias to confirm deletion in Linux. To create an alias, you can use the alias command in your shell configuration file. This will allow you to create a custom command that will be run whenever you type the alias in the terminal.

First, open your shell configuration file in a text editor. This is typically either .bashrc or .zshrc, depending on the shell you are using.

nano ~/.bashrc

Then, add the following line to the end of file:

alias rm='rm -i'

This creates an alias called rm that runs the rm command with the -i flag, which makes rm prompt for confirmation before deleting each file. The alias only applies in interactive shells that load this file: rm -f still deletes without asking (-f overrides -i), scripts and other programs ignore aliases, and commands such as find -delete are unaffected.

Next, save the file and reload your shell configuration using the following command:

source ~/.bashrc

Overall, there are several ways to protect files from accidental deletion on Linux, and the best approach will depend on your specific needs and requirements.


How to avoid crypto scams?

Cryptocurrencies, such as Bitcoin and Ethereum, have gained a lot of popularity in recent years due to their potential for high returns on investment. However, with the rise of cryptocurrencies has come a rise in cryptocurrency scams, which can take many different forms. In this article, we will discuss some tips on how to avoid falling victim to these scams.

Important!

First and foremost, it’s important to be cautious when dealing with cryptocurrencies. If an offer seems too good to be true, it probably is. Always do your research and make sure that you fully understand what you’re getting into before investing any money.

One common type of cryptocurrency scam is the “fake ICO,” in which scammers create a fake initial coin offering (ICO) in order to trick investors into giving them money. These scams often use fake websites and social media accounts to promote the ICO and make it seem legitimate. To avoid falling victim to a fake ICO, always do your research and make sure that the ICO is legitimate before investing any money. Look for information about the company behind the ICO, such as its history and track record, and make sure that it has a valid website and contact information.

Another type of cryptocurrency scam is the “fake wallet,” in which scammers create fake cryptocurrency wallets in order to steal people’s funds. These scams often use fake websites and social media accounts to promote the fake wallet and make it seem legitimate. To avoid falling victim to a fake wallet, always do your research and make sure that the wallet is legitimate before downloading it. Look for information about the company behind the wallet, such as its history and track record, and make sure that it has a valid website and contact information.

In addition to being cautious and doing your research, there are a few other steps you can take to protect yourself from cryptocurrency scams.

Here are a few additional tips on how to avoid cryptocurrency scams:

  • Be wary of unsolicited offers or promotions for cryptocurrencies. Scammers often use spam emails and social media messages to promote their scams, so be cautious if you receive an offer for a cryptocurrency investment out of the blue.
  • Don’t trust anyone who claims to have inside information about the price of a cryptocurrency. The price of cryptocurrencies can be volatile, and no one can predict the future with certainty. If someone claims to have inside information about the price of a cryptocurrency, it’s likely a scam.
  • Never share your private keys or seed phrase with anyone, for any reason: whoever holds them controls the funds, and no legitimate exchange or support team needs them. Your public wallet address is safe to share, but be aware that anyone who knows it can send you unsolicited tokens or target you with lookalike addresses.
  • Don’t send money to anyone you don’t know. If someone claims to be able to provide you with a high return on your investment, but you don’t know them personally, it’s likely a scam.
  • Be cautious of websites that promise guaranteed returns on your investment. There are no guarantees in the world of cryptocurrency investing, and if a website promises guaranteed returns, it’s likely a scam.
  • Use common sense and trust your instincts. If something seems too good to be true, it probably is. If you have any doubts about the legitimacy of an offer or promotion, it’s best to avoid it altogether.

You can also use a hardware wallet, such as a Trezor or Ledger Nano, to store your cryptocurrencies. These devices keep your private keys offline and sign transactions on the device itself, so a compromised computer cannot extract the keys; that is what makes them more secure than software or online wallets. Always verify the destination address on the device's own screen before approving a transaction.

In conclusion, while cryptocurrencies can be a great investment opportunity, they can also be the target of scams. By being cautious, doing your research, and using secure and reputable exchanges and wallets, you can protect yourself from cryptocurrency scams and enjoy the benefits of investing in cryptocurrencies.