Sunday, 6 December 2015

E-mail spoofing

E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source. Distributors of spam often use spoofing in an attempt to get recipients to open, and possibly even respond to, their solicitations. Spoofing can be used legitimately. Classic examples of senders who might prefer to disguise the source of the e-mail include a sender reporting mistreatment by a spouse to a welfare agency or a "whistle-blower" who fears retaliation. However, spoofing anyone other than yourself is illegal in some jurisdictions.


E-mail spoofing is possible because Simple Mail Transfer Protocol (SMTP), the main protocol used in sending e-mail, does not include an authentication mechanism. Although an SMTP service extension (specified in IETF RFC 2554) allows an SMTP client to negotiate a security level with a mail server, this precaution is not often taken. If the precaution is not taken, anyone with the requisite knowledge can connect to the server and use it to send messages. To send spoofed e-mail, senders insert commands in headers that will alter message information. It is possible to send a message that appears to be from anyone, anywhere, saying whatever the sender wants it to say. Thus, someone could send spoofed e-mail that appears to be from you with a message that you didn't write.

Although most spoofed e-mail falls into the "nuisance" category and requires little action other than deletion, the more malicious varieties can cause serious problems and security risks. For example, spoofed e-mail may purport to be from someone in a position of authority, asking for sensitive data, such as passwords, credit card numbers, or other personal information -- any of which can be used for a variety of criminal purposes. The Bank of America, eBay, and Wells Fargo are among the companies recently spoofed in mass spam mailings. One type of e-mail spoofing, self-sending spam, involves messages that appear to be both to and from the recipient.
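Because the From header is only text supplied by the sender, a recipient-side check has to compare it with what the receiving server recorded. The following is an added example, not part of the original post: it flags a mismatch between From and the Return-Path envelope sender, the self-sending pattern described above, and failed results in an Authentication-Results header. Those two headers are not mentioned in the post, and both sample messages are constructed.

```python
"""Header checks for a possibly spoofed message (added example)."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import List


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw_message: str) -> List[str]:
    """Return a list of signals; an empty list means nothing stood out.

    These are triage signals, not verdicts: mailing lists and bulk-mail
    providers legitimately use an envelope sender in another domain.
    """
    msg = message_from_string(raw_message)
    findings = []

    # From is written by the sender; Return-Path is added at delivery and
    # records the envelope sender given in the SMTP session.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}

    if from_addr and envelope and _domain(from_addr) != _domain(envelope):
        findings.append("envelope-mismatch")

    # Self-sending spam: the message claims to be from its own recipient,
    # but the envelope sender is someone else.
    if from_addr in recipients and envelope and envelope != from_addr:
        findings.append("self-sending")

    # Results written by the receiving server's SPF/DKIM/DMARC checks.
    for header in msg.get_all("Authentication-Results", []):
        for method in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{method}=(\w+)", header, re.IGNORECASE)
            if m and m.group(1).lower() in ("fail", "softfail"):
                findings.append(f"{method}-{m.group(1).lower()}")
    return findings


# Constructed sample: claims to be from the recipient herself.
SPOOFED = "\n".join([
    "Return-Path: <bounce@mailer.example.net>",
    "Authentication-Results: mx.example.org; spf=fail "
    "smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail "
    "header.from=example.org",
    "From: Alice <alice@example.org>",
    "To: alice@example.org",
    "Subject: Your account",
    "",
    "Constructed body.",
])

# Constructed sample: ordinary mail whose headers agree with each other.
LEGITIMATE = "\n".join([
    "Return-Path: <bob@example.com>",
    "Authentication-Results: mx.example.org; spf=pass "
    "smtp.mailfrom=example.com; dkim=pass; dmarc=pass",
    "From: Bob <bob@example.com>",
    "To: alice@example.org",
    "Subject: Lunch",
    "",
    "Constructed body.",
])

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, spoofing_indicators(raw))
```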

Monday, 21 September 2015

BECOME A COMPUTER WIZARD

How to Become a Computer Wizard
We all have them. Heck, I'm one of them. The computer genius. The power user. The geek. The nerd. The one you call when something goes wrong. The one that will sit down, and in the time it takes to go to the fridge and get a root beer, fixes the problem that's plagued you for weeks.

And here's how to be just like them.



There are very few requirements to learn how to be a computing wizard. They are:

A working computer
A mouse
A keyboard
A working internet connection
A fifth grade reading level


If you've got that, you can learn too.

I've learned almost everything I know about computers from either trial and error, Google, or the gawker network.

Really.

No secret nerd cult, no innate level of awesome geekiness, and no inborn ability to know everything about computers. Just two hands, ten fingers, the ability to read and the ability to learn from my mistakes.

Explore

Explore your surroundings. Find yourself on a geek website? Go to the homepage. Look around. Follow links. Bored and have nothing to do in Windows? Play with options. Click buttons, and see what they do. See something interesting? Poke it with a stick. Change the options to see what happens. Exploration and trial and error will teach you more than you know.


Google is Your Friend.


The one thing I wish I could teach everyone. In 99.999999999999% of cases, a quick Google search will fix your problems. Or rather, tell you how to fix them. Google will take you places. Have a question or problem? Google it. Want to know how to do something? Google it. Don't know what a word or phrase means? Google it. If you're curious, Google it. Google can tell you anything. Why does my computer have yellow lines on it? Why did my laptop shut down all of a sudden? How do I stop procrastinating? How do I ask a boy/girl out? How do I make friends? How do I make a good impression? How do I convince people to like me? How do I persuade people to help me? What not to do when taking over the world? Google can solve all your problems, because, chances are, someone else has had it too, and they probably asked about it. But don't always click the first link you see. Browse through them, till one catches your interest.

Read


There are plenty of blogs out there that deal with computers. Find them. Places like Gizmodo, How-To Geek, Lifehacker, and a thousand others. Often times, they will link to other sites. Click those links. Look at the highlights. Learn.

Easy enough right? Go on. Google something. Tech blogs. How to do this. How to do that. Computer blogs. Google Chrome error 104. Ubuntu. Lifehacker. Minecraft. Rainmeter. Click links. See something interesting? Click it. There is no better teacher than experience, but the internet is pretty good at it too.

Monday, 14 September 2015

Security challenges in Nigeria : What can ICT do?

In the last two years or so, Nigeria has been faced with severe security challenges that have threatened the soul of the nation.  Places of worship have been desecrated; homes, media houses, national and international institutions have been torched; and lives have been wasted, the recent being the murder of 29 harmless school children in Yobe State.
 Like all Nigerians, I’m worried too. Therefore, this week, I will highlight what ICT can do to help deal with the security challenges the nation is grappling with.
 ICT has made living and work a lot easier. Security experts say it is possible to see through security breaches and nip them in the bud with ICT-enabled gadgets and software before they blossom.
 Here are some ways that ICT-based technologies can assist security agencies in achieving more efficiency and effectiveness in their operations.
 Surveillance: Surveillance is a deliberate system of keeping a close watch on the behaviours or activities of persons, groups, organisations and institutions suspected of doing something illegal or warehousing information capable of causing a breach of security by government’s security agencies.
 This could be done electronically with Closed Circuit Television cameras or interception of electronically transmitted information (such as Internet traffic or phone calls) or by means of low-technology methods such as human intelligence agents and postal interception.
 Other means include: surveillance cameras, social network analysis, biometric surveillance, data mining and profiling, corporate surveillance, satellite imagery, radio-frequency identification and geo-location devices to mount surveillance on suspected targets.
 Intelligence Gathering: Intelligence gathering helps security agencies to keep tabs on the activities of suspected groups, organisations or persons likely to breach the peace. Today, such ICT tools as the internet, mobile telephony system, social media networks and the media have become veritable platforms for intelligence gathering efforts of our security agencies, so long as they observe the ethics of using these technologies for intelligence gathering purposes.
Communication: Intercepting communication between terror groups and enhancing intelligence sharing and other collaborative measures between security agencies is now absolutely possible through ICT. We now have electronic devices and gadgets with in-built unique identification numbers that make them electronically traceable regardless of location. So it’s no longer impossible to track communication devices or gadgets used by criminal gangs or groups.
 Financing: ICT is a vital tool for tracking, tracing and investigating suspected financial transactions funnelled to criminal activities. With the recent introduction of cash-less society, transactions will be done on electronic platforms where suspicious cash movements can be identified and questioned. This would go a long way in curbing the financing of activities that constitute a threat to national security because no terrorist group or gang can operate without funding.
 Coordination: Security agencies can minimise duplication of efforts, guard against the mishandling of information as well as enhance information sharing among them for a better management of our national security through ICT. This involves pulling the nation’s data into a coordinated and centralised database as a proactive means of combating insecurity.
 In his paper titled: Information Communication Technology and National Security in Nigeria, the Director-General, Nigeria Governors’ Forum Secretariat, A.B Okauru, suggested the development of a Central Intelligence Unit or Counter Terrorism Unit with a robust, dynamic, vibrant and updated central database for the country.
 According to him, the centralised database should contain every data and details of the nation.  An example is the conversion of the National Identification Card into an electronic form as well as making all the identification (drivers’ licence, SIM card registration, National ID etc.) into a single digital electronic form and uploaded on a central database.
 Identification: In advanced countries of the world, birth and death registration, in addition to unifying various identification initiatives, plays significant roles in national security, especially when combined with DNA, facial recognition and finger printing technologies which operate on platforms provided by ICT. That is why it is easier in those climes to easily track down criminals.
 Public enlightenment: Recently, a church unveiled its e-portal system that computerised membership registration and other ancillary services. Managers of this e-portal send regular precautionary SMS alerts that assist members to be at alert and take precautionary measures. Sensitisation and advocacy on security enlightenment issues using ICT-driven solutions, therefore, can play significant roles in tackling insecurity in the country.
I am aware that a lot of seminars and conferences have been held on security issues on many occasions in Nigeria. This is good, but I think that it is time to ‘walk the talk’ because the recent killing of school children in Yobe State tells one story – the perpetrators are not done yet. In fact, they are becoming deadlier and more sophisticated by the day.
 Reports show that the United States and some countries in Europe, Asia, Middle East and even in Africa are taking proactive steps at checkmating threats to their national security by latching onto revolutions in ICT. Besides its speed, technology-driven surveillance and intelligence gathering cost less in terms of men and logistics. That is why terrorists’ attacks in the magnitude of 9/11 may never happen again.
Our government, therefore, needs to do more than talking by acting now.

Tuesday, 25 August 2015

How to stop Wi-Fi hackers cold

Recently a neighbor told me she was getting cease-and-desist warnings about downloading copyrighted material. She was confident that she had never downloaded anything of the kind.

I checked her computer, and it did not contain any malware. She had not given anyone else her Wi-Fi access code, and she had changed the default Wi-Fi access point admin password. But when I turned on auditing on her Wi-Fi router, we could see that someone else in her neighborhood was using her Wi-Fi network to illegally download copyrighted material using Tor.

I reset the Wi-Fi router to its defaults, downloaded the latest firmware, established a new SSID, and created even longer Wi-Fi and admin passwords. The illegal downloading stopped -- or so we thought. Within a few weeks, my friend received more warning emails from her Internet provider, this time threatening to turn off her Internet without prior notice and recommending that she obtain legal counsel.

I went back on her router and it showed that the same computer (identified by MAC address) had gained access to her Wi-Fi router and was again downloading illegal material. Although there are many ways to hack Wi-Fi routers, I was convinced that it had to do with WPS (Wi-Fi Protected Setup) hacking.

The WPS saga

Nearly every new feature intended to make computer security easier is bound to open up new vulnerabilities. Such is the case with WPS.

A Wi-Fi router typically requires either a digital certificate or a long and complex series of characters to protect Wi-Fi channels against unauthorized access. WPS is a feature that allows anyone to push a button or enable a software mechanism that will automatically connect your computing device to your Wi-Fi router without onerous security prerequisites.

WPS comes in a few flavors. The most common method is where someone pushes the WPS button on the Wi-Fi router, and for a limited time anyone in the range of the Wi-Fi network can enable WPS on their device and connect. Alternatively, you can use a USB-storage device to transfer information between the device and the router.

But there's a third method that most people don't use: Located on the outside of most Wi-Fi routers is a sticker containing a PIN. Users can enable WPS and enter the PIN to authenticate to the Wi-Fi router. The thinking is that unauthorized hackers lack physical access to the Wi-Fi router and can't see the sticker.

An easy brute-force hack

A few years ago, however, hackers discovered that WPS is vulnerable to brute-force password guessing. All (unfixed) versions of WPS come with a (randomly selected) 8-byte PIN, which if guessed, essentially lets the guesser connect as an authorized device. Think about the inherent weakness of 8-byte protection: Today, the bare minimum number of acceptable bits of symmetric cryptographic protection is 128 bits (16 bytes).

But it's much worse. The 8-byte PIN is really only seven bytes long; the last byte is a checksum byte for the first seven characters. Moreover, the first seven characters are broken down into two sections: one four bytes long, and the other only three bytes. This means WPS is protected by a maximum of four bytes of protection! (And you thought LAN Manager hashes were weak.)

Attackers literally have to make only a few thousand guesses (which usually takes four to eight hours). Most WPS-enabled routers do not have a guess-attempt lockout protection. Many newer Wi-Fi routers come with some sort of protection, like guess-attempt lockouts for a preset period of time, but often, this isn't enabled by default. Worse yet, on some routers, even if you disable WPS, the vulnerability stays active. It's insane!

WPS-guessing attack tools are readily available. Reaver was one of the first and most popularly used. With these tools pointed toward a typical Wi-Fi router, the router coughs up its protection in less than a day, which in today's password-guessing world is ridiculously quick. In 2014, another method, dubbed Pixie Dust, attacked WPS and claimed to be able to break it in less than 30 minutes (though I haven't verified this method).

WPS-cracking was a big deal back in December 2011, when it was first announced, and was used a lot in 2012, when all the Linux hacking distros added the necessary programs to their Wi-Fi hacking toolsets. Since then, the attack has languished in media circles even though it remained possible on most Wi-Fi routers. You'll still occasionally read stories where gangs of hackers used the method to compromise a bunch of Wi-Fi routers in the service of some larger evil.

Hacking the neighbors

I had disabled my WPS feature a few years ago on my own home router, and I don't do a lot of Wi-Fi penetration testing, so I had mostly forgotten about this attack vector. But with this recent event, I decided to test most of my neighborhood. Living on an island, I know most of my neighbors. They all have Wi-Fi routers. I contacted each of them, explained the situation, and asked if I could hack their Wi-Fi routers. They all gave me permission. Within the day, I was able to break into all but one.


Being the friendly computer security guy that I am, I updated everyone's router firmware code (none were even remotely up to date), changed any default passwords I found, and either disabled their WPS feature or made sure that the guessing lockout feature was enabled. The lockout feature essentially locks out WPS connections for a preset period of time and then automatically re-enables it. The feature locks out WPS for only a few minutes, but it's enough to stymie WPS PIN guessing.
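The PIN structure and the lockout effect described in this article, worked through as an added example (not code from the article). It treats the PIN as eight decimal digits, which is how the WPS specification defines it; the 2-seconds-per-attempt rate (chosen to match the four-to-eight-hour figure above), the lockout settings and the router records are assumptions.

```python
"""WPS PIN search space and the effect of a guess lockout (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wps_checksum(first7: int) -> int:
    """Checksum digit for the first seven PIN digits (weights 3,1,3,... from the right)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when the string is 8 digits and its last digit is the checksum."""
    return (len(pin) == 8 and pin.isascii() and pin.isdigit()
            and wps_checksum(int(pin[:7])) == int(pin[7]))


# Worst-case number of guesses under three views of the same PIN.
NAIVE_SPACE = 10 ** 8             # eight independent digits
CHECKSUM_SPACE = 10 ** 7          # last digit is derived from the first seven
SPLIT_SPACE = 10 ** 4 + 10 ** 3   # 4-digit half, then 3-digit half: 11,000


@dataclass(frozen=True)
class RouterConfig:
    """Hypothetical audit record, filled in by hand from a router's admin page."""
    name: str
    wps_enabled: bool
    max_failures: Optional[int] = None   # failed PIN attempts before WPS locks
    lockout_seconds: int = 0             # how long WPS then stays locked


def worst_case_seconds(cfg: RouterConfig, seconds_per_attempt: int = 2) -> Optional[int]:
    """Time to exhaust the split search space; None when WPS is disabled."""
    if not cfg.wps_enabled:
        return None
    total = SPLIT_SPACE * seconds_per_attempt
    if cfg.max_failures:
        # A lockout follows every max_failures misses; the final guess needs none.
        lockouts = (SPLIT_SPACE - 1) // cfg.max_failures
        total += lockouts * cfg.lockout_seconds
    return total


def audit(routers: List[RouterConfig]) -> List[Tuple[str, Optional[float]]]:
    """(name, worst-case hours) pairs, most exposed first, WPS-disabled last."""
    rows = []
    for cfg in routers:
        secs = worst_case_seconds(cfg)
        rows.append((cfg.name, None if secs is None else round(secs / 3600, 1)))
    return sorted(rows, key=lambda r: (r[1] is None, r[1] or 0.0))


# Constructed sample records.
SAMPLE_ROUTERS = [
    RouterConfig("wps-off", wps_enabled=False),
    RouterConfig("lock-3-per-5min", True, max_failures=3, lockout_seconds=300),
    RouterConfig("no-lockout", True),
    RouterConfig("lock-10-per-1min", True, max_failures=10, lockout_seconds=60),
]

if __name__ == "__main__":
    print("search space:", NAIVE_SPACE, CHECKSUM_SPACE, SPLIT_SPACE)
    for name, hours in audit(SAMPLE_ROUTERS):
        print(f"{name:18s}", "WPS disabled" if hours is None else f"{hours} h")
```

With these assumed settings, a three-attempt, five-minute lockout stretches the worst case from about six hours to roughly thirteen days, and disabling WPS removes the PIN path altogether.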

Initially, I wasn't 100 percent sure my friend's Wi-Fi router was being compromised by the WPS PIN guessing method, but after we disabled the WPS feature, the neighborhood hacker wasn't able to get back in. I'm guessing they were pretty frustrated. After all, I had locked up the whole neighborhood at the same time.

My advice to you? Update your Wi-Fi firmware to the latest version possible. Use a long and complex Wi-Fi network passphrase and admin password -- and disable WPS. That way you'll be less likely to be accused of downloading something illegally or doing something maliciously if it wasn't you.


Monday, 24 August 2015

What is Information Security?
According to the UK Government, Information security is:
"the practice of ensuring information is only read, heard, changed, broadcast and otherwise used by people who have the right to do so" (Source: UK Online for Business)
Information systems need to be secure if they are to be reliable. Since many businesses are critically reliant on their information systems for key business processes (e.g. web sites, production scheduling, transaction processing), security can be seen to be a very important area for management to get right.
What can go wrong?
Data and information in any information system is at risk from:
- Human error: e.g. entering incorrect transactions; failing to spot and correct errors; processing the wrong information; accidentally deleting data
- Technical errors: e.g. hardware that fails or software that crashes during transaction processing
- Accidents and disasters: e.g. floods, fire
- Fraud: deliberate attempts to corrupt or amend previously legitimate data and information
- Commercial espionage: e.g. competitors deliberately gaining access to commercially-sensitive data (e.g. customer details; pricing and profit margin data, designs)
- Malicious damage: where an employee or other person deliberately sets out to destroy or damage data and systems (e.g. hackers, creators of viruses)


How Can Information Systems be Made More Secure?
There is no such thing as failsafe security for information systems. When designing security controls, a business needs to address the following factors:
- Prevention: What can be done to prevent security accidents, errors and breaches? Physical security controls (see more detailed revision note) are a key part of prevention techniques, as are controls designed to ensure the integrity of data (again - see more detailed revision note)
- Detection: Spotting when things have gone wrong is crucial; detection needs to be done as soon as possible - particularly if the information is commercially sensitive. Detection controls are often combined with prevention controls (e.g. a log of all attempts to achieve unauthorised access to a network).
- Deterrence: Deterrence controls are about discouraging potential security breaches.
- Data recovery: If something goes wrong (e.g. data is corrupted or hardware breaks down) it is important to be able to recover lost data and information.

Business benefits of good information security
Managing information security is often viewed as a headache by management. It is often perceived as adding costs to a business by focusing on "negatives" - i.e. what might go wrong.
However, there are many potential business benefits from getting information system security right. For example:
- If systems are more up-to-date and secure - they are also more likely to be accurate and efficient
- Security can be used to "differentiate" a business – it helps build confidence with customers and suppliers
- Better information systems can increase the capacity of a business. For example, adding secure online ordering to a web site can boost sales, enabling customers to buy 24 hours a day, 7 days a week
- By managing risk more effectively – a business can cut down on losses and potential legal liabilities

Direct-access attacks

An unauthorized user gaining physical access to a computer is often able to compromise security by making operating system modifications, installing software worms, keyloggers, or covert listening devices. They may be able to easily download data. Even when the system is protected by standard security measures, these may be able to be bypassed by booting another operating system or tool from a CD-ROM or other bootable media. Disk encryption and Trusted Platform Module are designed to prevent these attacks.

Eavesdropping

Eavesdropping is the act of surreptitiously listening to a private conversation, typically between hosts on a network. For instance, programs such as Carnivore and NarusInsight have been used by the FBI and NSA to eavesdrop on the systems of internet service providers. Even machines that operate as a closed system (i.e., with no contact to the outside world) can be eavesdropped upon via monitoring the faint electro-magnetic transmissions generated by the hardware; TEMPEST is a specification by the NSA referring to these attacks.

Spoofing

Spoofing of user identity describes a situation in which one person or program successfully masquerades as another by falsifying data.

Tampering

Tampering describes a malicious modification of products. So-called "Evil Maid" attacks and security services planting of surveillance capability into routers[3] are examples.

Repudiation

Repudiation describes a situation where the authenticity of a signature is being challenged.

Information disclosure

Information disclosure (privacy breach or data leak) describes a situation where information, thought to be secure, is released in an untrusted environment.

Privilege escalation

Privilege escalation describes a situation where an attacker gains elevated privileges or access to resources that were once restricted to them.

Exploits

An exploit is a software tool designed to take advantage of a flaw in a computer system. This frequently includes gaining control of a computer system, allowing privilege escalation, or creating a denial of service attack. The code from exploits is frequently reused in trojan horses and computer viruses. In some cases, a vulnerability can lie in certain programs' processing of a specific file type, such as a non-executable media file. Some security web sites maintain lists of currently known unpatched vulnerabilities found in common programs.

Social engineering and trojans

Social engineering aims to convince a user to disclose secrets such as passwords, card numbers, etc. by, for example, impersonating a bank, a contractor, or a customer.[4]

Indirect attacks

An indirect attack is an attack launched by a third-party computer. By using someone else's computer to launch an attack, it becomes far more difficult to track down the actual attacker. There have also been cases where attackers took advantage of public anonymizing systems, such as the Tor onion router system.

cybersecurity or IT security,

Computer security, also known as cybersecurity or IT security, is security applied to computers, computer networks, and the data stored and transmitted over them.
The field is of growing importance due to the increasing reliance on computer systems in most societies.[1] Computer systems now include a very wide variety of "smart" devices, including smartphones, televisions and tiny devices as part of the Internet of Things, and networks include not only the Internet and private data networks, but also Bluetooth, Wi-Fi and other wireless networks.
Computer security covers all the processes and mechanisms by which digital equipment, information and services are protected from unintended or unauthorized access, change or destruction and the process of applying security measures to ensure confidentiality, integrity, and availability of data both in transit and at rest.

Vulnerabilities

A vulnerability is a system susceptibility or flaw, and an exploitable vulnerability is one for which at least one working attack exists. Many vulnerabilities are documented in the Common Vulnerabilities and Exposures (CVE) database and vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.
To understand the techniques for securing a computer system, it is important to first understand the various types of "attacks" that can be made against it, and these threats can typically be classified into one of the categories in the sections below:

Backdoors

A backdoor in a computer system, a cryptosystem or an algorithm, is any secret method of bypassing normal authentication or security controls.

Denial-of-service attack

Denial of service attacks are designed to make a machine or network resource unavailable to its intended users. Attackers can deny service to individual victims, such as by deliberately entering a wrong password enough consecutive times to cause the victim account to be locked, or they may overload the capabilities of a machine or network and block all users at once.
An attack from a single IP address can be blocked by adding a new firewall rule, but many forms of Distributed denial of service (DDoS) attacks are possible, where the attack comes from a large number of points - and defending is much more difficult. Such attacks can originate from the zombie computers of a botnet, but a range of other techniques are possible including reflection and amplification attacks, where innocent systems are fooled into sending traffic to the victim.