
A lesson on Cyber Security

AngryBeaver

This isn't going to be in depth, but I see enough people making these mistakes here and elsewhere that I wanted to take a few minutes to give a real life example of something.

 

So I see people using VirusTotal as the ultimate source to see if a website is safe or not. This is a good practice, but it has some glaring holes. Now it does do well for analyzing a file, assuming it isn't a zero-day (too new for most AV to catch). Now I won't post the exact URL in here, but here is the link to a VT page.

 

https://www.virustotal.com/gui/url/e9eefff943479aa91126b0994306e310bd3838e4d7e9bfa243913638aee5bf0a/detection

 

On this page you will notice that VT has this site as safe. Now if you were to use a sandbox tool like Any.run to see what is really there, we get the following.

 

https://app.any.run/tasks/fea99e71-84c4-4bfd-bee6-1b607f62a9ed/

 

So let me explain a little on what you are seeing. The URL for this particular item contains a username that is automatically populated on this fake Microsoft (O365) login portal. The account I have input is obviously fake, and the password I provided was different each time (random characters). So what this particular site was doing is waiting for 2 inputs and logging them to a database. This is a typical cred harvester and very popular these days.

 

So why am I making this post? I think too many people are putting too much faith in just using one tool to verify things. VirusTotal can be great for files and even websites in some cases, but the sandboxing it does is very limited. So if you are ever in doubt, always use a second resource. It doesn't need to be any.run, but the free interactive model it provides is much better than the other automated options.

 

If you think these little posts are useful and would like something further, let me know. If people show interest I will do more of these from time to time, moving on to more advanced items.
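An added example, not code from the original post: a triage check for the pattern described above, a link that carries the recipient's address so the fake login form can pre-fill it, either in the clear or base64-encoded in the path, query or fragment. The `.invalid` domain, the sample links and the function names are assumptions.

```python
import base64
import re
from typing import List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

def _as_base64_text(token: str) -> Optional[str]:
    """Decode token as base64 (standard or URL-safe) if it yields printable ASCII."""
    # parse_qsl already turned '+' into a space; map it and the URL-safe
    # alphabet back to the standard one before validating.
    norm = token.translate(str.maketrans("-_ ", "+/+"))
    norm += "=" * (-len(norm) % 4)
    try:
        text = base64.b64decode(norm, validate=True).decode("ascii")
    except ValueError:      # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None

def prefilled_identities(url: str) -> List[str]:
    """E-mail addresses the URL carries in its path, query or fragment,
    in the clear or base64-encoded. A non-empty result on a link to a
    login page is the pre-populated-username pattern the post describes."""
    parts = urlsplit(url)
    pieces = [seg for seg in unquote(parts.path).split("/") if seg]
    pieces += [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    pieces += [unquote(parts.fragment)]
    found = set()
    for piece in pieces:
        for text in (piece, _as_base64_text(piece)):
            if text:
                found.update(EMAIL_RE.findall(text))
    return sorted(found)

# Constructed sample links (reserved .invalid domain, not a real site).
SAMPLE_QUERY = "https://login-example.invalid/signin?user=victim%40example.com"
SAMPLE_FRAGMENT = "https://login-example.invalid/#" + base64.b64encode(b"user@example.com").decode()
SAMPLE_CLEAN = "https://login-example.invalid/help/index.html"
```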


1 minute ago, Genwyn said:

99% of people’s problems with viruses and malware or information theft and what not are due to people being dumb as all hell.

Common sense 2003 edition is all you need to not give your PC every virtual STD on the planet and not give some guy in Africa your email and password to every account you own.

 

Does it look like untrustworthy bullshit? If yes, don’t use it.

 

I would have to disagree with this. Common sense is a HUGE part of it, but a single malicious ad on a popular website that is using an ad service can compromise your machine. I mean I can create a spoofed email that looks like it is from your ISP (DMARC still isn't as prevalent as it should be). I can even fool some of the most advanced security tools into thinking it is going to a legitimate trusted site via domain fronting techniques. The only true way to actually see the attack would be with very deep packet inspection that is actually decrypting all of the secure connections, then re-encrypting and forwarding them on, which btw is very expensive to implement depending on the size of the company.

 

Then you have places like these forums where people are constantly posting links and other people visiting them. If someone wanted to be malicious they could easily compromise a handful of people before anyone noticed the link was bad. So it isn't all about common sense, but understanding information security and defense in layers. Your average end user is going to make mistakes, so having more knowledge to prevent those mistakes or even help set up free or low cost solutions to protect their household still has value.

 

Do you have kids? If so, once they get old enough to Google and YouTube, be prepared to either wipe their machine constantly or have measures in place to safeguard them.


YES! And way too few peeps care about general security like good and DIFFERENT PWs and 2FA!

FOLDING MONTH 2021! GOGOGO and save on some heating costs 🙂

 


1 minute ago, Metallus97 said:

YES! And way too few peeps care about general security like good and DIFFERENT PWs and 2FA!

Pretty much all of my passwords are now 32+ characters and vaulted. My vault uses biometric 2FA. So while in some cases someone can clone a SIM card and get access to your 2FA on a phone... they cannot fake the biometric scan needed unless they have access to my fingerprints.

 

So I would argue that depending on the implementation 2FA isn't even enough. A lot of 2FA setups let you use an email to receive a code, and in most cases the email being compromised is where it starts. They get your email like the one example above... then use those creds on popular sites (most people reuse them). If you didn't reuse them or have 2FA, they just request a password reset or to have the 2FA sent to your email. They then could even lock you out of your own email and use their own device for the 2FA verification.

 

So the truth is your primary email is actually one of the most important things to guard. Most people don't understand just how much you can get with access to a user's email.


Just now, AngryBeaver said:

Pretty much all of my passwords are now 32+ characters and vaulted. My vault uses biometric 2FA. So while in some cases someone can clone a SIM card and get access to your 2FA on a phone... they cannot fake the biometric scan needed unless they have access to my fingerprints.

 

So I would argue that depending on the implementation 2FA isn't even enough. A lot of 2FA setups let you use an email to receive a code, and in most cases the email being compromised is where it starts. They get your email like the one example above... then use those creds on popular sites (most people reuse them). If you didn't reuse them or have 2FA, they just request a password reset or to have the 2FA sent to your email. They then could even lock you out of your own email and use their own device for the 2FA verification.

 

So the truth is your primary email is actually one of the most important things to guard. Most people don't understand just how much you can get with access to a user's email.

Yes sir! Also these smart peeps who use one email for 2FA or even PW reset and another one..... PERFECT PRACTICE

 

OR those cloud PW/2FA managers... I mean DUDE. There is even a service which does both... denies the whole concept of 2FA


 


4 minutes ago, Metallus97 said:

Yes sir! Also these smart peeps who use one email for 2FA or even PW reset and another one..... PERFECT PRACTICE

 

OR those cloud PW/2FA managers... I mean DUDE. There is even a service which does both... denies the whole concept of 2FA

I have seen password managers that use base64 to "encrypt" username and password... which for all intents and purposes might as well be plain text.


1 minute ago, AngryBeaver said:

I have seen password managers that use base64 to "encrypt" username and password... which for all intents and purposes might as well be plain text.

or welllll.... not so funny :( 


 


[attached image]

 

I mean wow, that is super secure lol. There are techniques to obfuscate it, but in my line of work that is pretty trivial to crack as well. They just try to run several methods and hide some math/character shifting techniques or mix dex, hex, b64... in the end though it is not secure, so not sure why some password vaults use it. Probably to give the user a false sense of security on a bad product.
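An added example, not code from the thread or from any vault product, covering the last two points (base64 "encryption" and the obfuscation layers on top of it): given a value a vault keeps on disk, peel base64, hex and constant character-shift layers until a username:password record appears. If that succeeds with no key involved, the storage is plaintext-equivalent. The record shape, the sample entries and all names here are assumptions.

```python
import base64
import re
from typing import List, Optional, Tuple

CRED_RE = re.compile(r"\S+@\S+:\S+")   # "user@host:password"-shaped record

def _readable(data: bytes) -> Optional[str]:
    """The bytes as text if they are entirely printable ASCII, else None."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None

def _layers(token: str) -> List[Tuple[str, bytes]]:
    """Key-free decodings of token that parse at all, labelled by encoding."""
    out = []
    for name, decode in (("base64", lambda t: base64.b64decode(t, validate=True)),
                         ("hex", bytes.fromhex)):
        try:
            out.append((name, decode(token)))
        except ValueError:      # binascii.Error is a ValueError subclass
            pass
    return out

def _unshift(data: bytes) -> Optional[Tuple[int, str]]:
    """Constant byte shift (mod 256) under which data reads as a record."""
    for k in range(1, 256):
        text = _readable(bytes((b - k) % 256 for b in data))
        if text and CRED_RE.fullmatch(text):
            return k, text
    return None

def peel(stored: str, max_depth: int = 4) -> Optional[Tuple[List[str], str]]:
    """Return (layers peeled, record) when a record is reachable with no key."""
    if CRED_RE.fullmatch(stored):
        return [], stored
    if max_depth == 0:
        return None
    for name, data in _layers(stored):
        if hit := _unshift(data):
            return [name, f"shift+{hit[0]}"], hit[1]
        if (text := _readable(data)) and (inner := peel(text, max_depth - 1)):
            return [name] + inner[0], inner[1]
    return None

# Constructed sample vault entries (not taken from any real product).
CRED = "user@example.com:hunter2"
B64 = base64.b64encode(CRED.encode()).decode()
SAMPLES = {"base64": B64, "hex of base64": B64.encode().hex(),
           "base64 of shifted": base64.b64encode(bytes(b + 3 for b in CRED.encode())).decode()}
```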

