Your facebook data

--Originally published at Lord Security

Recently the news has reported that the information Facebook gathers about its users has been used by private companies such as Cambridge Analytica, more specifically for electoral purposes in many countries, including the USA.


After that scandal, Facebook has been at the center of attention in all the media, because Facebook’s users have realized how much information it keeps about them. If you would like to know everything they have about you, it is possible to download that data.

Steps:

First, go to the drop-down menu at the far right of the navigation bar and select Settings.


It will open the General Account Settings, where below the account info you can find a link to download a copy of your Facebook data.


It will take some time to download a fairly large zip file with the data. After downloading it, it is time to extract it and see everything they have about you.

If you would like to go a step further, you can check the Ruby script by Dylan McKay that collects phone statistics from your Facebook user data. To use this script you need Ruby 2.1 or greater and the Nokogiri library.

To run the script, put it in your Facebook data folder alongside the html, messages and photos folders, and run: ruby facebook-contact-info-summary.rb


In my case I am glad I didn’t give the permissions on my cellphone, but it is interesting to look at everything they could get from me if I had.

References: https://gist.github.com/dylanmckay/2b191a10068bd87d0fffba242db44b52

Facebook & Cambridge Analytica

--Originally published at TC2027SWSecurity

As many as 87 million users may have had their information improperly obtained and used by the data mining firm Cambridge Analytica.

Facebook revealed the information at the bottom of a substantial blog post penned by chief technology officer Mike Schroepfer, who is among the highest ranking executives at the company behind CEO Mark Zuckerberg and COO Sheryl Sandberg. The post outlines plans to restrict the use of its many application programming interfaces, or APIs, that allow developers to plug into the service and extract user data from it.

Facebook says it will no longer allow developers to use the Events API to access the guest list or event wall of a concert, gathering, or similarly scheduled event on Facebook. “Only apps we approve that agree to strict requirements will be allowed to use the Events API,” writes Schroepfer. Facebook is also requiring third-party app developers who use the Groups API to get approval from Facebook and a group administrator “to ensure they benefit the group” with whatever product or service is accessing the group list and its members’ data.


“Apps will no longer be able to access the member list of a group. And we’re also removing personal information, such as names and profile photos, attached to posts or comments that approved apps can access,” writes Schroepfer. Facebook is also limiting the use of the Pages API by requiring all future access to the entire access layer be approved by the company. Prior to the change, any app could use the Pages API to read posts or comments from any public-facing Facebook page.

In addition to the API changes, Facebook will no longer let anyone input a user’s phone number or email address to find them on the social network, which is a big change in how the product

Aaron Swartz

--Originally published at Tc2017-security

Aaron Swartz was born in Chicago in 1986.

At the age of 12 he developed open source systems for Oracle. At 14 he co-authored RSS 1.0, using XML to share internet content.

He studied at Stanford University. In his early years he created Infogami, a way to create attractive websites. He collaborated with the founders of Reddit and Y Combinator to support the Open Library project. Infogami was later merged with Reddit. Later he created a company called Jottit, a markdown system to generate content.

In 2008 Watchdog.net was launched on the web, where information about politicians was released. He also wrote a pamphlet called “Guerrilla Open Access Manifesto”, which contains the famous quote: “There is no justice in complying with unjust laws. It is time to come to light and, following the tradition of civil disobedience, to oppose this private theft of public culture.” He also developed DeadDrop, a secure communication platform between journalists and their sources.

In 2010 he created Demand Progress, a group to take action and positively influence political leaders and Congress. He also carried out studies on political corruption.

He was one of the main activists against the SOPA law (Stop Online Piracy Act). He was an active member of WikiLeaks, possibly leaking information. In 2011 he was arrested for downloading files from an open database at MIT. Over the following months the federal charges against him grew, adding wire fraud and violations of the Computer Fraud and Abuse Act. On January 11, 2013, he was facing a fine of 4 million dollars and a sentence of 50 years in prison. That day he committed suicide by hanging himself in his room.

Retrieved from:

https://es.wikipedia.org/wiki/Aaron_Swartz

https://hipertextual.com/2015/09/aaron-swartz-perseguido

http://www.bbc.com/mundo/noticias/2013/01/130113_aaron_swartz

Rubber Ducky

--Originally published at TC2027SWSecurity

The USB Rubber Ducky is a keystroke injection tool disguised as a generic flash drive. Computers recognize it as a regular keyboard and accept pre-programmed keystroke payloads at over 1000 words per minute.

Payloads are crafted using a simple scripting language and can be used to drop reverse shells, inject binaries, brute force pin codes, and many other automated functions for the penetration tester and systems administrator.

Since 2010 the USB Rubber Ducky has been a favorite among hackers, penetration testers and IT professionals. With origins as the first IT automation HID using an embedded dev-board, it has since grown into a full-fledged commercial Keystroke Injection Attack Platform. The USB Rubber Ducky captured the imagination of hackers with its simple scripting language, formidable hardware, and covert design.


Rubber Ducky Ad: https://www.youtube.com/watch?time_continue=30&v=sbKN8FhGnqg

The USB Rubber Ducky’s scripting language is focused on ease of use. Writing payloads is as simple as writing a text file in Notepad, TextEdit, vi or Emacs.

  • Type “Hello World” with STRING Hello World
  • Add pauses between commands with DELAY. Use DELAY 100 for short 100 milliseconds pauses or DELAY 1000 for longer 1 second pauses.
  • Combine special keys: ALT F4, CONTROL ESCAPE, WINDOWS R, SHIFT TAB. They all do exactly as expected.
  • Use REM to comment your code before sharing it.
  • That’s it! You just learned Ducky Script!
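
The four kinds of line listed above are enough to write a parser for them, which is the first thing a defender wants when a script of this kind turns up: what does it type, which key combinations does it press, and how long does it wait? The following is an added Python example, not Hak5's code. KNOWN_KEYS is an assumption (the key names on this page plus a few common ones, not the full language), and SAMPLE is a constructed payload built only from the commands the list documents.

```python
"""Parse the Ducky Script subset described on this page (STRING, DELAY, REM
and key combinations) into events, then summarize what a payload does."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: the keys named on this page plus a few common ones.  The real
# language knows more key names than this.
KNOWN_KEYS = {
    "ALT", "CONTROL", "CTRL", "SHIFT", "WINDOWS", "GUI",
    "ENTER", "ESCAPE", "TAB", "SPACE", "DELETE", "BACKSPACE",
    "UP", "DOWN", "LEFT", "RIGHT",
    *{f"F{i}" for i in range(1, 13)},
}


@dataclass
class Event:
    kind: str                          # "comment", "string", "delay" or "combo"
    text: str = ""                     # payload of STRING / REM
    millis: int = 0                    # pause length for DELAY
    keys: Optional[List[str]] = None   # key names for a combination


def parse_ducky(script: str) -> List[Event]:
    """Turn Ducky Script source into one Event per non-empty line."""
    events: List[Event] = []
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        command, _, rest = line.partition(" ")
        command = command.upper()
        if command == "REM":
            events.append(Event("comment", text=rest))
        elif command == "STRING":
            # Everything after the keyword is typed literally.
            events.append(Event("string", text=rest))
        elif command == "DELAY":
            if not rest.isdigit():
                raise ValueError(f"line {lineno}: DELAY needs a millisecond count")
            events.append(Event("delay", millis=int(rest)))
        else:
            # Anything else is a key combination such as "ALT F4" or "WINDOWS R".
            keys = line.upper().split()
            unknown = [k for k in keys if k not in KNOWN_KEYS and len(k) != 1]
            if unknown:
                raise ValueError(f"line {lineno}: unknown key(s) {unknown}")
            events.append(Event("combo", keys=keys))
    return events


def summarize(events: List[Event]) -> Dict[str, object]:
    """Count typed characters and combinations, and total the explicit pauses."""
    keystrokes = sum(len(e.text) for e in events if e.kind == "string")
    keystrokes += sum(1 for e in events if e.kind == "combo")
    return {
        "keystrokes": keystrokes,
        "delay_ms": sum(e.millis for e in events if e.kind == "delay"),
        "combos": [" ".join(e.keys) for e in events if e.kind == "combo"],
    }


# Constructed sample: a greeting, two pauses and two combinations from this page.
SAMPLE = """
REM constructed sample payload for the parser above
STRING Hello World
DELAY 1000
ALT F4
DELAY 100
SHIFT TAB
"""

if __name__ == "__main__":
    for event in parse_ducky(SAMPLE):
        print(event)
    print(summarize(parse_ducky(SAMPLE)))
```

The summary for SAMPLE reports 13 keystrokes (11 typed characters plus two combinations) and 1100 ms of explicit waiting. Rejecting unknown key names instead of guessing is deliberate: a script that does not parse cleanly should be inspected by a person, not loaded onto a device.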

Nearly every device from desktop to smartphone accepts human input from keyboards. The ubiquitous USB HID standard makes this possible. When the USB Rubber Ducky is plugged in, it is detected as a keyboard and its pre-programmed keystrokes are accepted by modern operating systems. From Windows and Mac to Linux and Android – the keyboard is king.

By taking advantage of this inherent trust, the USB Rubber Ducky executes scripted keystrokes at over 1000

Rubber Ducky

--Originally published at Tc2017-security


So most of us don’t know what a Rubber Ducky is. A Rubber Ducky is malicious code hidden in a USB device; when plugged in, it runs code that could give the hacker access to your computer and all your information.

Various companies have been hacked with a Rubber Ducky. Companies and users should be cautious about what they insert into their computers. As a precaution you should do the following:

  • Don’t insert any USB device found on the floor.
  • Don’t insert any USB device given to you by a stranger or someone you don’t know.
  • Don’t buy any USB device from someone that isn’t certified to sell this kind of product.

Being hacked by a USB device is really easy. For example, I could just leave a USB lying around and I’m sure that someone would grab it and insert it into their computer, or even worse, their company computer.

Caesar Cipher

--Originally published at TC2027SWSecurity

The cipher was named after Julius Caesar, who was born in 100 BC, the first man for whom there are testimonies (like Suetonius) proving that he used this type of substitution to protect his military communications. The exact date of creation and its real author are unknown.

The Caesar Cipher is one of the earliest known and simplest ciphers. Caesar used this technique for some correspondence, especially military, for example with Cicero (shift of 3). It is a shift cipher, one of the easiest and most famous encryption systems. It substitutes each letter with another one further along the alphabet.

Encryption with Caesar code is a simple substitution (one letter replaces another). Caesar code replaces each letter with an alphabet shift: a letter further in the alphabet.

For example: to encrypt D, take the alphabet and look 3 letters after it: G. So D is encrypted as G.
To encrypt X, loop around the alphabet: after X comes Y, after Y comes Z, after Z comes A. So X is encoded as A.

Another way to encrypt, more mathematical: note A=0, B=1, …, Z=25, add a constant (the shift), and the result modulo 26 (the alphabet length) is the coded letter.

For example: to encrypt D (of value 3), add the shift 3: 3+3=6, and find the letter for 6: 6=G, so D is encrypted as G.
To encrypt X=23: 23+3=26 and 26 mod 26 = 0, 0=A, so X is encrypted as A, etc.


Decrypting Caesar Cipher:

Caesar code decryption replaces a letter with another with an inverse alphabet shift: a previous letter in the alphabet.

For example: to decrypt G, take the alphabet and look 3 letters before it: D. So G is decrypted as D.
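
The shift arithmetic described above (A=0 … Z=25, add the shift, reduce modulo 26) and its inverse, as an added Python example that is not part of the original post. It reproduces the post's D→G, X→A and G→D cases with a shift of 3, and also runs every possible shift against a ciphertext, which is why a Caesar cipher protects nothing against a reader who knows the method. Passing non-letters (spaces, digits, punctuation) through unchanged is this example's own choice; the post does not discuss them.

```python
"""Caesar shift cipher: encrypt by adding the shift mod 26, decrypt by
subtracting it.  Added example, not code from the original post."""
import string
from typing import Dict

ALPHABET = string.ascii_uppercase   # index 0..25 is A..Z, as in the post
M = len(ALPHABET)                   # 26, the modulus


def shift_letter(letter: str, k: int) -> str:
    """Move one letter k places along the alphabet, wrapping past Z.
    Characters outside A-Z are returned untouched (this example's choice)."""
    if letter.upper() not in ALPHABET:
        return letter
    value = ALPHABET.index(letter.upper())     # D -> 3, X -> 23
    shifted = ALPHABET[(value + k) % M]        # (3+3) % 26 = 6 -> G; (23+3) % 26 = 0 -> A
    return shifted if letter.isupper() else shifted.lower()


def encrypt(plaintext: str, k: int) -> str:
    """Apply the forward shift to every character."""
    return "".join(shift_letter(c, k) for c in plaintext)


def decrypt(ciphertext: str, k: int) -> str:
    """Apply the inverse shift.  In Python (-k) % 26 equals 26-k, so
    subtracting k is the same as adding 26-k, the 'previous letter' rule."""
    return "".join(shift_letter(c, -k) for c in ciphertext)


def all_shifts(ciphertext: str) -> Dict[int, str]:
    """Return the candidate plaintext for each of the 26 possible shifts.
    Only 25 of them change the text, so exhausting the key space is trivial:
    the cipher hides nothing from anyone who knows it is a Caesar shift."""
    return {k: decrypt(ciphertext, k) for k in range(M)}


if __name__ == "__main__":
    print(encrypt("D", 3), encrypt("X", 3))        # the post's examples: G A
    print(decrypt("G", 3))                         # D
    secret = encrypt("ATTACK AT DAWN", 3)          # constructed sample message
    print(secret)
    for k, guess in all_shifts(secret).items():
        print(f"shift {k:2d}: {guess}")
```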

Talent Land

--Originally published at Tc2017-security

So this week I participated in a hackathon in one of the biggest technology events in Mexico. The hackathon was organized by BOSCH and they wanted us to create something creative and innovative to optimize public transport and help the environment. I love the idea that many companies are starting to find some way to help society by creating an enterprise. I truly believe that businesses should be both self-sustaining and sustainable to be able to work and give back to society.


We had more or less an idea of what we wanted to do, but if it weren’t for Francisco from Kio, we wouldn’t even have been able to find the client, haha. He helped us create a value proposition, helped us find our client and helped us empathize with them. I loved my experience in this hackathon, and I loved learning new things. I never thought I could learn that much in a week from various different companies, and I’m really thankful.


Blockchain

--Originally published at Tc2017-security

Now a lot of us understand what Bitcoin is, but most of us don’t know what a blockchain is.

Blockchain is a way to secure your network. Basically what it does is encrypt your data and send it to everybody in the network. This means that everybody has a copy of what you have just sent. So when somebody else tries to modify that information and send it, everybody in the network knows that the information is not true and will restore the correct data to that computer.

Blockchain is truly a great way to identify a person and really see if the person you are talking to is him or her.

Here is a short video that explains what blockchain is:
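
The property the post describes, that every participant holds a copy and can tell when someone's copy has been altered, comes from two mechanisms, and the following added Python example (not code from the original post) shows both: each block carries the hash of the block before it, so changing an earlier block breaks every later link, and a copy that fails verification is replaced by the version the majority of peers agree on. The block fields, the use of SHA-256, the simple majority rule and the sample records are this example's own constructions; real systems use far more elaborate consensus rules.

```python
"""Toy hash chain: tamper detection within one copy, and reconciliation
against peers' copies.  Added example, not code from the original post."""
import copy
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List


@dataclass
class Block:
    index: int
    data: str
    previous_hash: str

    def hash(self) -> str:
        # Fingerprint the content together with the link to the previous
        # block, so the chain's history is part of what is hashed.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


def build_chain(records: List[str]) -> List[Block]:
    """Link each record to the hash of the block before it."""
    chain: List[Block] = []
    prev = "0" * 64                         # the first block has no predecessor
    for i, rec in enumerate(records):
        block = Block(i, rec, prev)
        chain.append(block)
        prev = block.hash()
    return chain


def find_break(chain: List[Block]) -> int:
    """Index of the first block whose stored previous_hash no longer matches
    the block before it, or -1 if every link verifies.  Any node can run
    this over its own copy without trusting whoever sent it."""
    for i in range(1, len(chain)):
        if chain[i].previous_hash != chain[i - 1].hash():
            return i
    return -1


def tampered_copy(chain: List[Block], index: int, new_data: str,
                  relink: bool = False) -> List[Block]:
    """Copy the chain and alter one block.  With relink=True the forger also
    recomputes every later link, so the copy verifies on its own and only
    comparison with the peers' copies can reveal the change."""
    forged = copy.deepcopy(chain)
    forged[index].data = new_data
    if relink:
        for i in range(index + 1, len(forged)):
            forged[i].previous_hash = forged[i - 1].hash()
    return forged


def reconcile(local: List[Block], peers: List[List[Block]]) -> List[Block]:
    """Keep the chain whose final hash most verifying copies agree on.
    A local copy that is broken, or that disagrees with the majority,
    is replaced; this is the 'restore the correct data' step of the post."""
    valid = [c for c in peers + [local] if c and find_break(c) == -1]
    tips = [c[-1].hash() for c in valid]
    winner = max(set(tips), key=tips.count)
    return next(c for c in valid if c[-1].hash() == winner)


# Constructed sample ledger entries.
RECORDS = ["Alice pays Bob 5", "Bob pays Carol 2", "Carol pays Dave 1"]

if __name__ == "__main__":
    honest = build_chain(RECORDS)
    crude = tampered_copy(honest, 1, "Bob pays Carol 200")
    careful = tampered_copy(honest, 1, "Bob pays Carol 200", relink=True)
    print("honest copy breaks at:", find_break(honest))     # -1
    print("crude forgery breaks at:", find_break(crude))    # 2
    print("relinked forgery breaks at:", find_break(careful))  # -1, needs peers
    print("restored:", reconcile(careful, [honest, honest])[1].data)
```

The crude forgery is caught locally because block 2 still stores the hash of the original block 1. The relinked forgery passes local verification, which is exactly why the copies held by the other participants matter: its final hash differs from theirs, and the majority version wins.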

SQL INJECTION

--Originally published at Tc2017-security

So the first thing is: what is SQL injection? For those people that don’t know what SQL is, SQL is a query language that helps you store information, for example:

Banks store all customer information (names, SSNs, credit cards, etc.) in SQL tables, which are kind of like Excel sheets.

SQL injection happens when a company didn’t sanitize its data and attackers are able to get into the company’s database.


What a hacker does is find the vulnerabilities, and when they have them they can either:

  • Control the application’s behavior that’s based on data:
    • For example, show information that the company doesn’t want others to know.
  • Alter data in the database:
    • For example, erase or create new users that don’t exist.
  • Access data without authorization:
    • For example, give a user access to personal data of other people.

What can you do to defend yourself from this vulnerability:

  • Discover SQLi vulnerabilities; you can do so by using special software to check how secure your code is.
  • Avoid and repair SQLi vulnerabilities by using parameterized queries.
  • Remediate SQLi vulnerabilities.
  • Mitigate the impact of SQLi vulnerabilities; you can do so by only allowing users access to a certain part of the database, or by using certificates.

Here is a really cool video of an example of this vulnerability:
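
The parameterized-query defence from the list above, shown side by side with the unsafe form it replaces, as an added Python example that is not code from the original post. It uses a throwaway in-memory SQLite database; the table, the rows and the probe string are constructed for the demonstration. The same lookup is written twice: once by splicing the input into the SQL text, once by passing it as a bound parameter, and the behaviour of each on the probe string is what the post's bullets describe.

```python
"""Vulnerable string-built query next to its parameterized replacement.
Added example, not code from the original post."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the post's bank example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", [
        ("alice", "111-11-1111"),   # constructed sample rows
        ("bob", "222-22-2222"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Untrusted input is pasted into the statement text, so the input can
    change the query's structure instead of being treated as a value."""
    sql = "SELECT name, ssn FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The statement and the value travel separately.  Whatever the string
    contains, it is only ever compared against the name column."""
    sql = "SELECT name, ssn FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# The textbook probe: on the vulnerable path it closes the quoted literal and
# appends a condition that is always true, so every row comes back.
PROBE = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:    ", lookup_vulnerable(conn, PROBE))      # both rows
    print("parameterized: ", lookup_parameterized(conn, PROBE))   # []
```

The parameterized version returns an empty list for the probe because there is no customer literally named "x' OR '1'='1"; that is the whole point, the input never becomes SQL. The post's last bullet (limiting what the database account may reach) is the complementary control: even when a query is injectable, an account that can only read its own tables cannot "erase or create new users".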

VPN TC2027

--Originally published at TC2027SWSecurity

With growing censorship and regulations threatening global internet freedom and security, we have seen an increasing number of services become available to protect your online web browsing.

What is a VPN?

Virtual Private Networks (or VPNs) have become increasingly popular in recent years for their ability to bypass government censorship and geo-blocked websites and services, and do so without giving away who is doing the bypassing.


For a VPN to do this, it creates what is known as a tunnel between you and the internet, encrypting your internet connection and stopping ISPs, hackers, and even the government from nosing through your browsing activity.


There are many types of VPN tunneling protocols that offer varying levels of security and other features. The most commonly used tunneling protocols in the VPN industry are PPTP, L2TP/IPSec, SSTP, and OpenVPN.

Which tunneling protocol should I use?

Even though it’s the fastest, you should steer clear of PPTP if you want to keep your internet data secure. L2TP/IPSec provides 256-bit encryption but is slower and struggles with firewalls given its fixed ports. SSTP, while very secure, is only available on Windows, and being closed source it cannot be checked for built-in backdoors.

OpenVPN, with its open source code, strong encryption, and ability to bypass firewalls, is the best tunneling protocol to keep your internet data secure. While it requires third-party software that isn’t available on all operating systems, for the most secure VPN connection to the internet, you’ll want to use the OpenVPN protocol.

Here’s a website claiming which are the top 5 VPNs: http://top5-vpn.com/hp-id-2/?gclid=CjwKCAiAtorUBRBnEiwAfcp_Yzhx0VZrS3fABj3i8hYXMzgf_q6SHw9-WNUm_BEtsx1Zh239O0M9EBoC_IoQAvD_BwE


Personally, I’ve only used Hotspot Shield and TunnelBear (which isn’t on the above link) for entertainment purposes; both work smoothly and haven’t given me any problems. On the contrary, they’ve helped me play videogames and watch movies that aren’t on my
