• Been hacked? What to do next

    • General
    • by Jacob Riggs
    • 12-05-2020
    3.86 of 36 votes

    Please note, the advice below is tailored for online accounts of a personal nature. Any online accounts with existing or potential access to work related data in the context of employment will usually need to follow a more refined internally sanctioned incident response process (likely in accordance with the NIST industry standard). In such circumstances, please refer to your company information security and data privacy guidelines. You’ve just realised one or more of your online accounts has been compromised. Panic sets in. Time is of the essence. You must reassert control. What do you do now? Steps to take Triage – If multiple accounts are involved, you need to quickly self-evaluate risk based on what existing and potential data each account has access to. Things like sensitive pictures and private messages need to be considered. This will enable you to triage according to each account risk profile and prioritise mitigation efforts in order of risk impact. Contain – Firstly, and perhaps most obviously, you want to isolate the attack. Your primary objective should be to cut off the attacker and prevent further unauthorised access or misuse. For this, simply follow the necessary steps to reset your account password. In most cases, successfully resetting your account password will immediately invalidate any actively logged-in sessions being used by the attacker. Once complete, enable soft-token 2FA (Two-Factor Authentication) where possible. Soft-token apps (such as Gauth or Authy) generate authentication codes locally on your mobile device and are preferable to SMS. Harvest – Where possible, harvest screenshots of any new account activities, such as posts, messages, or interactions (likes, follows, etc). Many prominent online websites (such as Twitter, Facebook, and Instagram) offer options to download your full account data in a structured format locally. This evidence will help you assess the full extent of damages and may prove helpful if you later decide to report the incident to the authorities or the web service itself. Discover – Now you want to look at your attack surface by finding any other accounts that may have also been compromised. Searching your email inbox for email subject lines matching keywords such as register, registering, registration will give you insight into many of the online services you have accounts with. For any additional accounts you identify as compromised along the way, repeat steps 2 – 3. Investigate – Now you want to perform some post-incident analysis. Any evidence you harvested in steps 3 – 4 may be helpful. How did this happen? If more than one account was compromised, what security properties did they have in common? Did those accounts share the same or similar passwords? Did you leave those accounts logged in on a missing or potentially compromised device? If you want to understand the attack in detail, building a timeline of events and account activities will help you understand the attack scope and objectives. Recover – Only once the above steps are complete should you assume it is safe to continue using your account normally again. Now you can clean up and delete any bad posts or account interactions. If your account exhibited any anomalous behaviour (abuse/misuse), you may wish to address the circumstances in a public statement. Your findings from step 5 should help you make an informed decision on how best to communicate this to your online following. Prevent – How can you prevent this happening again? Ensure any future passwords you use are long and complex enough. Where possible, enable 2FA. Consider using a password manager such as LastPass or KeePass. Password managers can also help you catalogue your online presence so that you better understand your attack surface in the future. If after following these steps you notice the same accounts are still being compromised, the attacker may have established what we call persistence. This is where an attacker maintains persistent control over a specific device, system, or network that you’re using to login to the affected online accounts. From here they may be able to monitor, intercept, and block your mitigation efforts. In such circumstances, I recommend temporarily moving over to a completely new network and using a clean device to revisit the steps above. I'll focus on how to deal with compromised networks and devices in another blog post. If you are the victim of cyber crime, you reserve the right to report the incident to your local authorities. Below I've included some references that direct to the online reporting forms for each respective country. UK EU US AU Please note, the open nature of the Internet means the law surrounding cyber crime can differ greatly between countries. Duties may be owed within both the presiding jurisdiction of the victim, and that of wherever the attack may have originated.

  • How to validate file integrity with checksums

    4.63 of 38 votes

    A checksum is a unique string derived from a block of digital data for the purpose of detecting any changes which may have been introduced during its transmission or storage. In short, checksums are a file integrity validation measure. If you download a file from an untrusted source, a checksum can help you validate that the file you have downloaded perfectly matches that which the file issuer intended. In practice, this helps identify any files which have been corrupted or maliciously altered in transit. Checksums are commonly seen on websites alongside downloadable software binaries, patches, hotfixes, and updates. Due to their low computational overhead, they are also useful in security operations for fingerprinting malware and can be added to anti-virus signature databases or stored as artifacts for future reference.   Windows: HashTab is a free shell extension for Windows which integrates itself within Windows Explorer as a property page for files with a context menu to generate and compare hashes. Once installed, HashTab can be accessed by right-clicking a target file and navigating to Properties and selecting the File Hashes tab. HashTab will then automatically attempt to hash the target file and report the relevant values. Alternatively, Windows comes with a pre-installed utility called CertUtil, which can be used to generate hashes. To generate a hash for a particular file using CertUtil, open CMD (Command Prompt) and type the following: CertUtil -hashfile [TARGET FILE LOCATION] [DESIRED HASH ALGORTHM] For example: This will generate a SHA256 hash string which can then be compared against the checksum provided by the file issuer to verify the file integrity.   Linux: Linux comes with a number of pre-installed checksum utilities. To generate a hash for a particular file using these, open terminal and type the following: [DESIRED HASH ALGORITHM]sum [TARGET FILE LOCATION] For example: This will generate a SHA256 hash string which can then be compared against the checksum provided by the file issuer to verify the file integrity.

  • How to generate PGP keys

    4.55 of 33 votes

    To receive PGP encrypted emails and sign your own messages, you will need to generate your own key pair. There are both easy and advanced (best practice) ways to go about doing this. Here I will try to guide you through the process. The easy method Use an online third party web service such as PGPKeyGen or Sela. This is simply an application layer representation of the advanced method below, where a third-party web server hosts the necessary libraries and backend functionality to generate PGP keys for you. The natural risk associated with this, however, is that relying on a third-party online web service offers no guarantee a copy of the keys you receive will not be stored, sold, or shared elsewhere. Some web-based services generate keys client-side by using specific JavaScript libraries (such as OpenPGP.js) within your browser. Whilst this mechanism is still not as secure as the best practice methods detailed below, it provides a good balance between PGP security and day-to-day usability. The advanced method (best practice)   Windows: To generate PGP keys on Windows we require the latest version of the GnuPG software package Gpg4win. This is a free implementation of the OpenPGP standard which enables local key generation, encryption, and signing operations. Once installed, run the Kleopatra application. Navigate to File > New Key Pair and then choose the key format you want to create. For this example we will be creating a personal OpenPGP key pair. Now we need to input our name and email address values. Then click Advanced Settings and ensure the following fields are completed as shown in the image below. Now we can click OK and check that our key configuration is correct. We can now click Create to generate the key pair. We are now presented with a prompt requiring we input our desired passphrase. We must input the secure passphrase we wish to use. This is the password we will need to use each time we wish to decrypt or sign a PGP message using these keys in the future. Our key pair has now successfully been generated.   Linux: To generate PGP keys on a Linux distribution we require the latest version of GPG (GnuPG). This is a free implementation of the OpenPGP standard which enables local key generation, encryption, and signing operations. To get started, we run the install command. sudo apt install gnupg Once installed, we can move on to generating our key pair. For this we use the --full-generate-key parameter. We will then be prompted to specify the type of key we want to create. We can press the Enter key to accept the default (RSA and RSA). We must then select our desired key size, which I recommend (at the time of this blog post) is at least 4096 bits to conform with best practice. We then have the option to choose how long the keys should be valid for. In practice, this means the amount of time someone intending to communicate with you via PGP should consider that particular key pair safe for use. For this example, we do not want our keys to expire, so we press Enter as that is already selected as the default. We will then be prompted to input specific identifier values which will reside within the core structure of the keys themselves. We must then input the secure passphrase we wish to use. This is the password we will need to use each time we wish to decrypt or sign a PGP message using these keys in the future. Depending on our hardware processing capabilities, we may then be prompted to generate entropy using the mouse or keyboard. Once this process is complete, the newly generated keys will be stored internally on our GnuPG keyring. This is a location within the filesystem where PGP keys generated locally using GnuPG naturally reside. If we want to view the public keys within our keyring, we can use the --list-keys parameter. If we want to view the private keys within our keyring, we can use the --list-secret-keys parameter. If we want to view the fingerprint of the public keys within our keyring, we can use the --fingerprint parameter. Existing PGP keys can be exported out of the keyring using the --export parameter. This will write our newly generated public key to a plaintext .key file which we can publish and share online. Other parties can then use this public key to encrypt messages and send them to us securely.To learn more about PGP keys, consider checking out my previous blog post on how PGP keys work.

  • How do PGP keys work

    4.55 of 40 votes

    PGP (Pretty Good Privacy) encryption has become a long-standing pillar for protection and security for one primary reason: it permits you to send a coded message to somebody without sharing a key in advance.Suppose you wanted to send a sensitive message to someone without anyone else being able to access the content. Perhaps the best arrangement would be to encrypt it to a symmetric key that only you and the recipient know. If an attacker intercepts your message, nothing can be deciphered. Systems like this work well, but there is one major flaw – how can you send an encrypted message to somebody without an already-established secure channel to share keys? Public Key Cryptography This is a problem that PGP solves with something referred to as public key cryptography, which permits the secure sharing of information irrespective of physical distance or boundaries and without the need for establishing secure prior contact. Encryption / Decryption In public key cryptography, encryption and decryption processes rely on a mathematically unique key pair. This consists of two keys, one termed a public key and the other a private key, both keys being capable of encrypting and decrypting one another. A public key represents a one-way function similar to that of an open padlock – a security property that any individual can easily lock, but only the private key holder can open. Crucial to the nature of this operation is that the private key to decrypt a public key encrypted message must always remain secret, known only to the key pair owner.The image below illustrates an example of the encryption and decryption process. If Jacob wants to send Julian an encrypted message, he requires Julian’s public key. This means Julian must share his public key with Jacob. Jacob can then take Julian’s public key, use it to encrypt a message, and send the encrypted cipher text to Julian. Upon receipt, Julian can then use his private key to decrypt the message. Fingerprinting One issue with public keys is impersonation. There is no easy way to guarantee that a particular public key published online actually belongs to a specific individual. This means an attacker could generate their own key pair and publish their own public key impersonating a specific target. To get around this, PGP users tend to publish fingerprints of their public keys on multiple platforms. This usually includes social media and key directories, but can also include other media such as email signatures and business cards. Fingerprints can be thought of like a barcode – a unique identifier for a specific property. Fingerprints are the result of a mathematical one-way function termed hashing, which converts the public key block property into an input value, then compresses it into a fixed length numerical string output. This is conveniently easier to read and appropriately referred to in cryptography as a digest. Publishing a fingerprint through multiple channels increases an impersonation attack cost, as for an attacker to effectively impersonate a PGP user in practice, they would need to compromise every platform the legitimate fingerprint was published on. This also makes impersonation attacks easier to identify in practice. Message Signing Another core component of PGP is message signing. This is the process of signing a message with a unique digital signature. The image below illustrates an example of the signing process. If Jacob wants to send a signed message to prove it came from him and has not been modified in transit, he hashes it first, then encrypts it using his own private key. If a recipient can decrypt the message using Jacob’s public key, they know that it must have been encrypted using Jacob’s private key, which only Jacob has access to, and can therefore conclude that the message must have originated from Jacob. By hashing the message again and comparing it to the expected hash value, a recipient can also conclude whether or not the message has been modified in any way during transit. Combining signing with encryption provides the following assurances: Confidentiality – the guarantee that no party other than the intended recipient can access the message content. Integrity – the guarantee that the message was not modified in transit. Authentication – the guarantee that the identity of the sender can be verified. Non repudiation – the guarantee that the sender cannot reasonably deny having sent it. In my next blog post I'll cover the key pair generation process and provide guidance on how to set up and manage your own PGP keychain.

  • A simple way to view documents safely

    4.75 of 40 votes

    Working in the media industry has shown me that the weakness of many journalists is their desire to click on and open things that promise something they want. This presents a security risk, one often compounded by the demanding speed at which reporters must compete to ingest information and make rapid editorial decisions. The reality is that journalism commands a commitment to discovery, fact-finding, and meeting strict publishing deadlines. Because of this, many non-technical journalists consider a habitual routine of basic security rituals a wasteful employment of their already limited time, which means I am often relied on, by those I know, to validate if particular files are safe to open.Validating whether or not a file is malicious in nature requires a more laborious approach than simply viewing the content safely (it’s important to understand the distinction here). Like malware, legitimate files naturally differ in size and format, and attackers are always adapting their exploitation techniques to maximise the efficiency of their payloads evading detection. If the volume of data is significant, malware analysis can occupy a considerable amount of time. In most cases, simply being able to open a document in a safe and readable format is sufficient to satisfy the necessary security balance, and there are tools that can help facilitate this. Enter dangerzone Dangerzone is a simple open-source application that can safely open a variety of documents (PDFs, Microsoft Office, LibreOffice, images, etc) in a sandbox environment. This is a tool I have used on the fly in substitution of Qubes, and something I would recommend for non-technical audiences aiming to safely view the contents of common files themselves. In short, dangerzone leverages Linux containers to sandbox files, flattens the content into images, then uses optical character recognition (OCR) to produce a safe searchable text layer which is output into a safe-to-view PDF. Dangerzone can be installed on Windows, Mac, and Linux, and is capable of converting the following document formats: .pdf, .docx, .doc, xlsx, .xls, .pptx, .ppt, .odt, .ods, .odg, .jpg, .jpeg, .gif, .png, .tif, .tiff Download WindowsMacLinux Please note, dangerzone is only a file converter. It does not perform malware analysis and is not a detection utility. Using dangerzone to convert a suspect file into a document you can view safely does not mean the original source file is clean.   How does it work? Dangerzone uses Linux containers (two of them), which are sort of like quick, lightweight virtual machines that share the Linux kernel with their host. The easiest way to get containers running on Mac and Windows is by using Docker Desktop. So when you first install dangerzone, if you don’t already have Docker Desktop installed, it helps you download and install it. When dangerzone starts containers, it disables networking, and the only file it mounts is the suspicious document itself. So if a malicious document hacks the container, it doesn’t have access to your data and it can’t use the internet.The first container: Mounts a volume with the original document Uses LibreOffice or GraphicsMagick to convert original document to a PDF Uses poppler to split PDF into individual pages, and to convert those to PNGs Uses GraphicsMagick to convert PNG pages to RGB pixel data Stores RGB pixel data in separate volume Then that container quits. A second container starts and: Mounts a volume with the RGB pixel data If OCR is enabled, GraphicsMagick converts RGB pixel data to PNGs, and Tesseract converts PNGs to searchable PDFs Otherwise uses GraphicsMagick to convert RGB pixel data into flat PDFs Uses poppler to merge PDF pages into a single multipage PDF Uses ghostscript to compress final save PDF Stores safe PDF in separate volume Then that container quits, and the user can open the newly created safe PDF. Credit: Micah Lee, Further points to consider Converting a file can damage the integrity of any original file content. Relying on the availability and expertise of third-party analysis could be unnecessarily exposing them to potentially confidential information. Encrypted, password protected, or compressed files are naturally obfuscated, which attackers may rely on to circumvent network, application, and anti-virus security controls. Uploading potentially sensitive files to cloud-based file scanning services such as VirusTotal may risk loss of confidentiality. Such services automatically index file signatures into public databases as ‘artifacts’, which APTs may correlate against known signatures (such as leaked documents) to identify what source material you possess.

  • How to perform SQL injection attacks

    4.33 of 40 votes

    SQL injections are one of the most popular server-side injection attacks. During an SQL injection attack, the attacker injects a malicious SQL query input. If the web application fails to sanitise that input, the query will be successfully executed on the server database and trigger an output response. These responses can vary, but most consist of error syntax leading to information leakage. Once an attacker possesses enough knowledge about the backend database table structure, they can inject specific commands to insert, update, and delete data within the database. If elements of an application communicate with a SQL database for authentication (such as login forms), a malicious query can also be leveraged to subvert the application logic. How SQL injection attacks work To explain how SQL injections work, I will use an example of a web application configured to require a username and password for authentication. This is typical of most web applications that have an SQL database on the backend. When a username and password is submitted via this login form, the web application takes this user input and queries the backend database to see if those credentials exist. The SQL query this user input generates will look something like this: This query commands the database to select any number of rows that match our conditions from users (where users is the table name), and then check the username and password columns for the user supplied input values. If the user supplied input values match those within the database, the SQL statement will be TRUE and the user will be logged in successfully. If any user supplied input values are incorrect, missing, or invalid, the SQL statement will be FALSE and the login will fail. It is important to remember that the SQL query is always generated by the web application and that the only control the user ever has (in this example) is over the username and password input values within it. This means an attacker is limited to what those fields accept when crafting a malicious string in effort to manipulate an SQL query. In this example, the objective of the attacker is to login successfully without knowing the user credentials. This means the focus of the attack will be to trick the SQL database into issuing a TRUE response to an attacker crafted query when attempting to login. OR logic gates To achieve this, an attacker can rely on an OR logic gate. An OR logic is a basic function that takes certain inputs and produces an output. The way this works can be illustrated via the simple A/B table below. This table shows that when rows A and B meet certain boolean conditions, the logic gate will produce a specific output. What is shown in this example is that the output TRUE is always consistent with TRUE inputs in any given row. This is irrespective of whether or not inputs within those rows also reflect FALSE. Putting it simply, the function of this logic gate defines any TRUE input as an overriding value which results in a TRUE output. Example To illustrate how this works in practice, I will be using the logic of this OR function in my SQL injection attack by amending the username value to the following: This query will return TRUE. The reason for this is because the first apostrophe closes the string parameter, and then the database takes the OR function and applies the 1=1 statement. As 1 is equal to 1, the database considers this part of the SQL statement TRUE. The purpose of the double hyphens is to comment out the rest of the SQL query, resulting in the database believing the conditions of the login are TRUE. This will result in the login being successful. Whilst this example demonstrates a single SQL injection string, it is important to remember that there is no universal string an attacker can leverage to craft a working malicious query. SQL databases typically differ greatly in format, size, and content, as do the defensive measures some web applications adopt to validate user input. The conditions that need to be satisfied for an SQL injection to be successful will depend entirely on how any target web application is built. Different SQL injection attack types There are two primary types of SQL injection attacks, error based and blind based. Error based attacks rely on inferences an attacker can make from specific errors produced by a web server whenever specific SQL statements are submitted to it. Blind based attacks are a form of indiscriminate fuzzing, where the expected application output is usually unknown. Responses (or lack thereof) produced by a web server to blind based attacks can enable an attacker to make informed determinations about the database structure, which – when combined with a carefully crafted SQL query, can amount to exploitation.   Prevention To prevent SQL injection attacks, the following layers of defence can be adopted: Special characters submitted as input such as \' and \'\' should be encoded before the web application passes them into an SQL query and special string characters used within input parameters should be escaped. Suspicious user inputs submitted should be checked against a predefined blacklist of strings and rejected wherever the same values are shared.