Monthly Archives: January 2017

  • 0
hacking your voice

Hacking your voice to perform social engineering attack

Category : Blog

hacking your voice

Hacking your voice to perform social engineering attack

Hacking you voice is real and possible as Hackers can use photoshopping voiceover . An engineer’s dream is “project voco” where the software allows the controller to edit and insert words into an audio recording without bringing back the original vocalist back to the studio. Hacking your voice and fooling the other person to perform the social engineering attack can be done by just recording the 20-min speech of the person. Now the attacker can change, edit text and do whatever he wants.

 

Watch out the video of the demo presentation of ADOBE “project voco”

 

Clearly, lots of people are excited about the prospect of being able to alter audio recordings. But not everyone is jumping on the bandwagon. Dr. Eddy Borges Rey, a lecturer in media and technology at the University of Stirling, is concerned by the development. He revealed as much to BBC News.

An attacker can record the CEOs voice and can use this software the fool the accounts head and can perform fraud at its will.

It’s unclear when Photoshopping Voiceovers will become publicly available. When it does, it’ll take even more time to determine how easy it is for people to identify an audio recording that someone’s modified using the technology. With that in mind, organizations’ best hope of preventing attacks such as those described above is to train their employees to be on the lookout for vishing and spear-phishing attacks. If an attacker can’t build a pretext, they won’t be able to leverage VoCo to make fraudulent wire transfers or steal sensitive information.

 

Most Demanded Courses at Indian Cyber Security Solutions

 

Ethical Hacking Training – Get a Certified Ethical Hacking Professional Certificate from us which is valid in all over India and all MNCs recognises it.

 

C | EH – Certified Ethical Hacker certification from EC-Council. This certificate is highly demanded by all organizations across the globe. This certificate is globally recognized and more than 160 countries recognises it.

 

Android Penetration Testing – Best way to secure your own application. This is the future, where you need to teste the real world android applications and find out vulnerabilities for the organization



  • 0
mongo db databases

Mongo DB Databases hijacked

Category : Blog

Mongo DB Databases wiped out

Mongo DB databases had been kidnapped by the hackers. The hackers have deleted mongo DB databases from the company servers and are demanding ransom for safely return of the information. The victims are hospitals, small businesses and educational institutes. Nearing 27,000 database could be hacked.

There are security measures built into Mongo DB databases, it’s just that some users don’t bother to use them. For instance, some MongoDB administrators have been leaving their systems accessible to the open internet, without having so much as an admin password in place.

Even though there is security people are very reluctant to use and implement this. It is very frustrating for the companies who had been the victim. It is very obvious for the admin to have the minimum knowledge.

mongo db databases

What is the company behind MongoDB doing about it?

I imagine it is feeling pretty frustrated that some of their users are being so careless with the software.

 

MongoDB Inc clearly needs to reach out to the community and underline the importance of not having unsecured instances of MongoDB running openly on the net. It has posted some advice for users on its website.

 

Of course, the damage is somewhat lessened if you had taken the precaution of backing up your database. If that’s the case then you only have the embarrassing problem of explaining to your customers that their data has been stolen and personal information exposed, rather than be utterly incapable of doing any business.

 

However, if you’re the kind of outfit that doesn’t have an admin password for your database and leaves it open to the internet then I don’t hold out much hope that you’ve been making backups.

 

 

Most Demanded Courses at Indian Cyber Security Solutions

 

Ethical Hacking Training – Get a Certified Ethical Hacking Professional Certificate from us which is valid in all over India and all MNCs recognises it.

 

C | EH – Certified Ethical Hacker certification from EC-Council. This certificate is highly demanded by all organizations across the globe. This certificate is globally recognized and more than 160 countries recognises it.

 

Android Penetration Testing – Best way to secure your own application. This is the future, where you need to teste the real world android applications and find out vulnerabilities for the organization


  • 0

WiFi phishing attack

Category : Blog

WiFi phishing attack – You can be the next target?

Wifi phishing attack is the next level attack even though the wifi in modern days are secured with wifi Protected Access II (WPA2) a security protocol which has a strong cryptographic hash function to protect the pre-shared key (PSK).

During a penetration testing it is quite a tough task to break into WPA-2 network. A modern GPU that is able to calculate an average of 80,000 hashes per second will require maximum 30 days to crack an 8 character PSK. This kind of situation WiFI phishing attack comes in handy.

 

WiFi Phishing can be conducted in two simple steps

  • The first step involves the process of associating with Wi-Fi clients unknowingly
  • The second step involves presenting to the victim user a familiar authentication interface.

 

Making the authentication interface look legitimate will greatly increase the success rate of the attack.

In this respect, the interface should be generated on the basis of something that is appropriate for a certain user (e.g. an interface that is similar to the one used by the legitimate Access Point (AP)). This, of course, involves gathering information from the target environment and victim user.

 

Even with no knowledge of the technologies or services used by the user, it is possible to collect the required information from:

 

Beacon frame (physical layer): One of the management frames in IEEE 802.11 that is transmitted periodically by the AP. It contains all the information about the network, such as i) the ESSID, ii) the encryption type, and iii) the BSSID (MAC address) of the AP.

User-Agent header (application layer): An HTTP header that contains a characteristic string with details regarding the network peer. By redirecting the victim’s HTTP requests to a website controlled by us, we are able to retrieve useful information from this header, such as i) the web browser and ii) the operating system of the victim.

The interesting thing about the BSSID (found in the beacon frame) is that it can be used to determine the router manufacturer. For example, if the first digits of the MAC address are “00:12:17”, we can be pretty confident that the beacon frame was broadcasted by a Linksys router.

 

By knowing the router manufacturer, we can craft fake router configuration pages accordingly as illustrated in the image below.

wifi phishing

In this image, both the BSSID of the victim’s AP and the encryption type of the target network are used to craft a victim-customized phishing page asking for the PSK. This trick became quite popular in the past few years, surpassing the traditional brute-forcing of the 4-way handshake.

 

However, this attack raises suspicion and advanced users will hardly fall for this.

 

But look at the following image.

Wifi Phishing

In this phishing attack, we first make the victim believe he is not having any connectivity to the Internet by showing the “No Internet Connection” page in his browser. We display Google Chrome’s “Unable to Connect to the Internet” page because the HTTP User-Agent header assured us that the victim is using that specific browser.

 

The same header told us that the victim is running Windows, giving us the chance to display a web-based imitation of Windows network manager. We make this much more realistic by showing the valid networks that are in the victim’s neigh borhood.

 

In this case, the victim can hardly tell if the network manager is part of the Operating System UI or the web page he is visiting. In the following image, we compare the Mac OS network manager with an HTML-lookalike of ours. At the top is the fake network manager while the one displayed at the bottom is the real one.

wifi phishing

Phishing attacks like the above can be performed using the latest version of Wifi phisher (v1.2) that was released a month ago. Wifi phisher is an open-source project, and all this functionality wouldn’t be possible without the contributions of the community.

 

Popular training in courses at Indian Cyber Security Solutions


  • 0
virtual reality

Virtual Reality – Are we thinking of Security?

Category : Blog

Virtual Reality and its security

Virtual Reality making it big in the market and every individual is keen to use it.  What we need to worry is its security? It is not a big target for hackers still now. Bulky prototype virtual reality devices were being tested in labs as early as 1960, but there were few, if any, computer hackers or even an internet to speak of back then. A bit later in the pre-internet 90s, Nintendo and Sega tried to bring virtual reality to the gaming masses by developing Virtual Reality platforms and games. However, Sega’s system never made it to market, and when Nintendo’s Virtual Boy launched, it flopped due to lack of consumer interest.

Although the adoption of the VR technology in the work place is on a slower side but some sectors like construction, retail and engineering are more active in adopting virtual reality to make their work more effective and efficient. “Future of IT” a report by Spicework shows that only 5% of the engineering and construction industry is using the virtual reality today in their workplace it is expected to grow to 27% within five years.

It is quite evident from the growth of Virtual Reality that it is the future where more organizations will adopt this to increase their productivity. What we might have to worry about in terms of security and privacy once more organizations starts adopting this.

virtual reality

 

Security & Privacy Concern

Virtual Reality platforms can be an easy target for hackers. If you remember about the mirai malware that made millions of connected cameras part of a botnet. It can be the repeat attack on Virtual Reality devices it they are connected over IP. More over communication between Virtual Reality devices and servers might be sent without any encryption

We all know smartphones can surreptitiously collect information on where we’ve been and when, who we’re talking to, and what we’re interested in. In the future, if VR headsets become ubiquitous, everyday devices (perhaps like a slimmer Google Glass), then someone might be able to track what you’re watching at any time. For example, one day it could be possible for auto insurance companies to deny you coverage if the sensors in a VR device suggest you suffer from slow reaction times.What happens if someone hacks VR headsets and launches a visual attack that could cause adverse real-world reactions? There could be various ways hackers put individuals into harm’s way if desired.

 

Security Advice to VR platform adopters

Precautionary steps organizations can take to improve security of VR devices. For example, before adopting Virtual Reality or any new IoT technology, companies should examine the track record of the manufacturer and ask questions about whether the device’s firmware and software have been hardened to protect against prying eyes or malicious actors. Additionally, companies might want to wait a bit if there’s no immediate need to adopt VR technology, so the early bugs can get worked out to reduce security risks.

 

 

Most Popular training’s by Indian Cyber Security Solutions:


  • 0

Dark Web

Category : Blog

dark webDark Web – The internet beyond Google

 

Dark Web which is indeed a very interesting topic to talk about as due to recent hacks and terrorist activities which took place took the help of the dark web. In this article, we will explain how one novice interest and curiosity can be dangerous in the underworld network of dark web.

The Underground Web is traditionally being the buzz word in the media. Numerous documents and articles on this dark web had made the common people very curious about this underworld network. To be very frank due to rise of internet users in the recent past there is a significant growth of deep web user and its underworld network had grown rapidly.

The deep web had gained its popularity as many news channels and media houses focus on the black market and hackers community functioning through dark web. One can easily gain more knowledge trough search engines like google and from YouTube.  Due to this huge vibe people get excited and  wants to know more. Due their curiosity they may be a victim.

 

Steps to be followed while exploring the Dark Web

 

Step 1:

Privacy should be maintained. A new user in the deep web should be cautious about their identity which should not be revealed. You should use random name which will never relate with your actual identity. It is really very easy to track one with the actual name and email id. One should be very careful while making payment using credit cards and debit cards while they are purchasing any item or service. Bitcoins are the standard payment method use for payment in the dark web.

 

Step 2:

The dark web is one of the main places where computer hackers, security experts, and other interested parties meet to discover, learn about, trade in, launch, and put a stop to digital attacks and crime. With that in mind, do not ever download binary files from untrusted sources, as they could be a conduit for dangerous new strains of malware. Some of the most popular and damaging malware have infected thousands of computers through the dark web before spreading to other machines via other networks and distribution methods.

As a result it is very important to either be aware and use the deep web safely or stay away as the dander of virus using Java Script extension looms in the deep web.

 

Step 3:

The Tor Browser is the most popular application used to access the dark web and the underground network but to be very frank over the years we have seen numerous vulnerabilities in the Tor. So it is quite evident that it cant be the sole browser that can protect your identity from being revealed.

Criminal activity, drugs, pornography that makes the underworld network of dark web so if you are caught using it there is no legislation that can protect you if you conduct the crime.

 

Most Popular Training’s at Indian Cyber Security Solutions:


Show Buttons
Hide Buttons