Fake News

--Originally published at TC2027SWSecurity

We could define fake news as falsely descriptive information that seeks to manipulate the audience regardless of its purpose.

Although using fake news to manipulate the public is a thousand year old practice, this new iteration we call fake news is much more powerful because of its speed, power and low production cost. The fake news is a kind of cancer of the web that is born as a result of the business models of Google and Facebook, in conjunction with the decline of traditional media.

Resultado de imagen para Fake news

To face it, then, what we need are better professional means that inspire confidence and seriousness, that win over the audience with courageous and objective coverage, taking advantage of both technology and historical journalistic techniques. If we can not value journalistic work seriously, making both readers and platforms pay for good content, then we will end up hurting ourselves, living in a less informed society and therefore less free.

Source: fakenews source

Gilberto Rogel García A01630171 #tc2027

Spyware

--Originally published at TC2027SWSecurity

Spyware is a sofware that gets information from a computer and then transfers that information to an extern entity without the knowledge or consent of that computer’s owner.

A typical spyware is autoinstalled in the afected system in a way that it executes itself everytime the system is running, and works all the time, controlling the use of Internet and showing related ads.

However, unlike other viruses, it does not try to replicate to other computers, so it works like a parasite.

The consecuences of an infection of spyware generaly include a considerable loss in the system’s performance, and stability issues. It also causes problems when trying to connect to the Internet.

Spy Sweeper is an anti spyware program which is considered one of the best programs for the elimination of spyware but its purchase provides a one year license, it also has a free trial version.

Gilberto Rogel García A01630171 #TC2027

WiFi Pineapple

--Originally published at TC2027SWSecurity

WiFi Pineapple is a device that allow sto make DNS Spoofing attacks, check on web searches, make man-in-the-middle attacks in Wi-Fi networks, allowing to spy all the trafic. Basically WiFi Pineapple is what is known as a Honeypot Hot-spot which atracts devices that are looking to connect to WiFi. When devices are on they look for a WiFi connection from a list of known WiFi networks that the device has memorized. This device disguises as being one of the WiFi networks that the user’s device is looking for.

With the WiFi Pineapple you can:

Resultado de imagen para pineapple router

Scan: Command the WiFi landscape and direct attacks from a live recon dashboard, passively monitoring all devices in the vicinity.

Target: Limit the audit to specified clients and access points within the scope of engagement and ensure zero collateral damage.

Intercept: Acquire clients with a comprehensive suite of WiFi man-in-the-middle tools specializing in targeted asset collection.

Report: Record and analyze logs, generate emailed reports at set intervals, and identify vulnerable devices in your organization.

If a hacker unleashes the Wi-Fi Pineapple in a public place, even after taking steps to secure yourself, you could still be vulnerable.

Sources:

https://www.wifi-online.es/blog_wifi-online/que-es-pineapple-wifi-la-pina-wifi-2/

https://www.wifipineapple.com/

https://www.makeuseof.com/tag/wifi-pineapple-protect/

Gilberto Rogel García A01630171 #TC2027

Facebook & Cambridge Analytica

--Originally published at TC2027SWSecurity

As many as 87 million users may have had their information improperly obtained and used by the data mining firm Cambridge Analytica

Facebook revealed the information at the bottom of a substantial blog post penned by chief technology officer Mike Schroepfer, who is among the highest ranking executives at the company behind CEO Mark Zuckerberg and COO Sheryl Sandberg. The post outlines plans to restrict the use of its many application programming interfaces, or APIs, that allow developers to plug into the service and extract user data from it.

Facebook says it will no longer allow developers to use the Events API to access the guest list or event wall of a concert, gathering, or similarly scheduled event on Facebook. “Only apps we approve that agree to strict requirements will be allowed to use the Events API,” writes Schroepfer. Facebook is also requiring third-party app developers who use the Groups API to get approval from Facebook and a group administrator “to ensure they benefit the group” with whatever product or service is accessing the group list and its members’ data.

“Apps will no longer be able to access the member list of a group. And we’re also removing personal information, such as names and profile photos, attached to posts or comments that approved apps can access,” writes Schroepfer. Facebook is also limiting the use of the Pages API by requiring all future access to the entire access layer be approved by the company. Prior to the change, any app could use the Pages API to read posts or comments from any public-facing Facebook page.

In addition to the API changes, Facebook will no longer let anyone input a user’s phone number or email address to find them on the social network, which is a big change in how the product Continue reading "Facebook & Cambridge Analytica" →

Rubber Ducky

--Originally published at TC2027SWSecurity

Resultado de imagen para rubber ducky code

The USB Rubber Ducky is a keystroke injection tool disguised as a generic flash drive. Computers recognize it as a regular keyboard and accept pre-programmed keystroke payloads at over 1000 words per minute.

Payloads are crafted using a simple scripting language and can be used to drop reverse shells, inject binaries, brute force pin codes, and many other automated functions for the penetration tester and systems administrator.

Since 2010 the USB Rubber Ducky has been a favorite among hackers, penetration testers and IT professionals. With origins as the first IT automation HID using an embedded dev-board, it has since grown into a full fledged commercial Keystroke Injection Attack Platform. The USB Rubber Ducky captured the imagination of hackers with its simple scripting language, formidable hardware, and covert design.

Rubber Ducky Ad: https://www.youtube.com/watch?time_continue=30&v=sbKN8FhGnqg

The USB Rubber Ducky’s scripting language is focused on ease-of use. Writing payloads is as simple as writing a text file in notepad, textedit, vi or emacs.

Type “Hello World” with STRING Hello World
Add pauses between commands with DELAY. Use DELAY 100 for short 100 milliseconds pauses or DELAY 1000 for longer 1 second pauses.
Combine specials keys. ALT F4, CONTROL ESCAPE, WINDOWS R, SHIFT TAB. They all do exactly as expected.
Use REM to comment your code before sharing it.
That’s it! You just learned Ducky Script!

Nearly every device from desktop to smartphone accepts human input from keyboards. The ubiquitous USB HID standard makes this possible. When the USB Rubber Ducky is plugged it, it’s detected as a keyboard and it’s pre-programmed keystrokes are accepted by modern operating systems. From Windows and Mac to Linux and Android – the Keyboard is King.

By taking advantage of this inherent trust, the USB Rubber Ducky executes scripted keystrokes at over 1000 Continue reading "Rubber Ducky" →

Caesar Cipher

--Originally published at TC2027SWSecurity

The code was named after Julius Caesar who was born in 100 bc. the first man which has testimonys (like Suetonius) proving that he used this type of subtitution to protect his military communications. The exact date of creation and its real author are unknown.

Caesar Cipher is one of the earliest known and simplest ciphers. Caesar used this technique for some correspondences, especially military, for example with Cicerone (shift of 3). It is a shift cipher, one of the most easy and most famous encryption systems. It uses the substitution of a letter by another one further in the alphabet.

Encryption with Caesar code is a simple substitution (one letter replaces another). Caesar code replaces each letter with an alphabet shift: a letter further in the alphabet.

For example: To encrypt D, take the alphabet and look 3 letters after : G. So D is crypted with G.
To encrypt X, loop the alphabet: after X : Y, after Y : Z, after Z : A. So X is coded A.

Another way to crypt, more mathematical, note A=0, B=1, …, Z=25, and add a constant (the shift), then the result module26 (alphabet length) is the coded text.

For example: To crypt D (of value 3), add the shift 3: 3+3=6 and find the letter for 6 : 6=G, so D is crypted with G.
To crypt X=23, 23+3=26 and 26 mod 26 = 0, 0=A, so X is crypted with A, etc.

Decrypting Caesar Cipher:

Caesar code decryption replaces a letter with another with an inverse alphabet shift : a previous letter in the alphabet.

For example: To decrypt G, take the alphabet and look 3 letters before : D. So G is decrypted with D.
Continue reading "Caesar Cipher" →

VPN TC2027

--Originally published at TC2027SWSecurity

With growing censorship and regulations threatening global internet freedom and security, in turn, we’ve seen an increasing number of services become available to protect your online web browsing.

What is a VPN?

Virtual Private Networks (or VPNs) have become increasingly popular in recent years for their ability to bypass government censorship and geo-blocked websites and services, and do so without giving away who is doing the bypassing.

For a VPN to do this, it creates what is known as a tunnel between you and the internet, encrypting your internet connection and stopping ISPs, hackers, and even the government from nosing through your browsing activity.

Resultado de imagen para VPN

There are many types of VPN tunneling protocols that offer varying levels of security and other features. The most commonly used tunneling protocols in the VPN industry are PPTP, L2TP/IPSec, SSTP, and OpenVPN.

Which tunneling protocol should i use?

Even though it’s the fastest, you should steer clear of PPTP if you want to keep your internet data secure. L2TP/IPSec provides 256-bit encryption but is slower and struggles with firewalls given its fixed ports. SSTP, while very secure, is only available on Windows, and closed off from security checks for built-in backdoors.

OpenVPN, with its open source code, strong encryption, and ability to bypass firewalls, is the best tunneling protocol to keep your internet data secure. While it requires third-party software that isn’t available on all operating systems, for the most secure VPN connection to the internet, you’ll want to use the OpenVPN protocol.

Resultado de imagen para OPENVPN Here’s a website claiming which are the top 5 VPNs: http://top5-vpn.com/hp-id-2/?gclid=CjwKCAiAtorUBRBnEiwAfcp_Yzhx0VZrS3fABj3i8hYXMzgf_q6SHw9-WNUm_BEtsx1Zh239O0M9EBoC_IoQAvD_BwE

Resultado de imagen para hotspot shield

Personally, i’ve only used Hotspot Shield and TunnelBear (which isn’t on the above link) for entertaining purposes, both work smoothly and haven’t given me any problems, on the contrary, they’ve helped me play videogames and watch movies that aren’t on my

Continue reading →

Phishing TC2027

--Originally published at TC2027SWSecurity

What’s Phishing? Resultado de imagen para phishing

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communcation.

Phishing can be done through:

E-mail
Phone call
MSM
Fake websites
etc..

How to spot phishing?

Poor spelling, typos and overall bad presentation.
Threats and urgent deadlines.
Wrong url, phone number or email.
Impersonal introduction.
Companies usually don’t ask for pin numbers, tokens, passwords or other kinds of personal data.

In conclusion, every time you get asked personal info by a website check if that website is 100% legit. It’s mostly common sense, don’t just give your information away, maybe a site looks legit but if it asks for important information such as a password or credit card number it looks kind of suspicious so TLDR (too long didn’t read): don’t give away your personal info without verifying the legitimacy of a website or else you will most probably regret it.

References:

Dredge, Stuart. (fri Jun 6, 2014). How to protect yourself from phishing. The Guardian, website: https://www.theguardian.com/technology/2014/jun/06/how-to-protect-yourself-from-phishing-attacks
N.A. (N.D.). Phishing. Wikipedia, website: https://en.wikipedia.org/wiki/Phishing

Gilberto Rogel García A01630171

Bitcoin TC2027

--Originally published at TC2027SWSecurity

¿What is Bitcoin?

It’s a cryptocurrency and worldwide payment System, also the first decentralized digital currency, as the system works without a central bank or single administrator.

Peer-to-peer transactions which take place between users directly, without an intermediary.

It was invented by an unknow person or group of people under the name of Satoshi Nakamoto.

Released as an open-source software in 2009.

Video explaining how does bitcoin work:

TLDW (Too long didn’t watch): Transactions between users are verified by network nodes through the use of cryptography and recorded in a public distributed ledger called a blockchain.

I highly recommend watching the previous video to understand how bitcoin really works because the TLDW is very summarized and some of the words might be unknown for a first timer in this topic.

Careful! Bitcoin is NOT anonymous:

All Bitcoin transactions are public, traceable, and permanently stored in the Bitcoin network. Bitcoin addresses are the only information used to define where bitcoins are allocated and where they are sent.
Because the Bitcoin network is a peer-to-peer network, it is possible to listen for transactions’ relays and log their IP addresses.
To protect your privacy, you should use a new Bitcoin address each time you receive a new payment. Doing so allows you to isolate each of your transactions in such a way that is not possible to associate them all together.

Bitcoin price is VOLATILE

Bitcoin should be seen like a high risk asset, and you should never store money that you cannot afford to lose with Bitcoin. If you receive payments with Bitcoin, many service providers can convert them to your local currency.

I personally would not invest in Bitcoin for two reasons:

As mentioned above its price changes alot so it is unpredictable if you are actually going to make any Continue reading "Bitcoin TC2027" →

TC2027 First Post

--Originally published at TC2027SWSecurity

Test post for the TC2027 Software Security course.