Results for Session Hijacking

10 Steps to take after Cyber Security Breach 2019

Thursday, October 24, 2019
While a major part of preventing massive data intrusion damage or cyber security breaches lies in preventative measures such as secure code, up-to-date security software, frequently updated applications and strong passwords for all access points to your data, sometimes breaches happen no matter how well you have protected yourself. When this happens, prevention no longer matters for the moment, and purely defensive and sanitary measures are your best friend.

Top 10 things to do after a cyber breach


Definition of data breach

In today's world we have a huge amount of data available, and that is a lot of information.

Having said that, the data can be categorized broadly into private, public, etc. These groups can be subdivided further into financial, medical, educational, military intelligence and so on.

Any kind of data that falls into the category restricted from public access, and is to some extent confidential, is called private data. These are the kinds of data that are commonly targeted by hackers. When such private and confidential data is either made public or accessed by someone who is not authorized for it, the situation is called a data breach.

Social security identity theft and medical data theft are also of high concern. If you remember the line from the TV show The Office, "Identity theft is not a joke, Jim", it truly holds good and should be taken very seriously.

Example: the data breach at Experian.

Now let’s cover some of these steps as applied to assorted systems, including computers, hosting servers and your internal networks. At the end of this post we will also look at the recent security breaches of 2019.
1. Make sure you have been hacked

Not all strange system behavior is a sign of third party or malware intrusion. Sometimes the complex systems we operate go haywire because of changes we ourselves have made to them without being aware of the consequences.

If your website, computer or network is behaving strangely, not loading properly or giving you blank displays where data or a visual interface should be visible, first think back to any recent changes you might have made that could be responsible for the differences.

In a website hosting system, for example, changing so much as a single parameter within a site’s MySQL database template can lead to a completely downed website even though all the internal data is perfectly safe.

So, in other words, be very sure that there really is a cyber security breach, and be prompt enough to take action: a minute's delay here may result in serious repercussions.

2. Speak to your support team

As a follow-up to step one above, and as a matter of general policy, you should speak to your technical support team as soon as you have noticed strange things about your system. If you’re a website owner, this could be the people who manage your IT and hosting servers; if you’re the owner of a business or organizational network, this could be your IT support staff.
They can not only tell you about any changes they may have made that could have provoked a system failure, but also help you investigate the wider scope of the intrusion you may be suffering.

3. Image your servers or drives

Imaging software for computer hard drives, and the same sort of software for servers, should always be close at hand. In case of a breach, before proceeding with cleanup and removal of all malicious factors, you should first image your drives or servers immediately, in the condition they are in at the time of the hack.

This preserves a large body of evidence which can later be examined with digital forensics techniques, and this evidence vitally needs to be preserved so that you can formulate a better future intrusion response. Knowing whether you were the victim of a genuine virus, of entry by a human hacker who has been modifying your code, or of something as simple as spyware is crucial.

4. Disconnect from the Web (if possible)

As soon as you have imaged your servers, hard drives and all data or code collections, you should immediately disconnect your servers or computers from the wider web if at all possible.

This may cause chaos and disruption for clients if you’re running a business website, but as a preventative step it’s vital. By keeping your machines and servers connected, you’re allowing the malware or human intruders who have breached them to keep their malicious access, continue stealing data or cause further damage.

Unless you’re running security scans that require a web connection to work, your systems should be offline while you recover.

5. Change all Passwords

In addition to imaging of all data storage media and disconnection from external access, you should also be moving quickly to change all of your access passwords. They may have been the cause of your security breach and by leaving them as they are, you’re inviting future attacks even after you repair and reinstall everything.

Your machine itself, your hosting server access, your MySQL databases and your FTP accounts should all have their passwords, and the passwords of any sub-accounts on them, reset immediately.

6. Perform Security Scans

Antivirus software, anti-malware programs and network intrusion protection software should all be tools that you keep close at hand for intrusion incidents. Once an intrusion has been detected and the above steps taken, perform scans that cover all the major bases: malware, spyware, intruders and scripting attacks.

7. Remove all malicious files and code

Through the assistance of your IT support team, your service providers and the security software you have been running, you can start slowly identifying and destroying all the malicious code you find on your network, servers or computer itself. This can be a tedious process and if you’re not sure that you have successfully removed everything, you probably need to do a full re-install.

8. Back up Everything

Back up all of your valuable data as soon as possible after a data breach. You may have already performed a full scale imaging process on your entire servers or drives but specific section backups of key databases and data volumes are also a good idea because they allow you to compartmentalize valuable information for later analysis through digital forensics.

9. Re-install as much as Necessary

If the breach was very severe and especially if the breach affected a lot of data or code, you might have to perform a full scale re-installation of all your software. In a computer, this will require you to format your entire hard drive and re-install your operating system.

On your website hosting servers, you’ll almost certainly need to re-install all of your database management software and LAMP (Linux, Apache, MySQL and PHP) applications, along with any other third-party software you were running for your website.

Always re-install to the newest versions of whatever software you need to replace.

10. Document Everything

Finally, document everything. Document all of the steps you took, the processes you followed and the files you erased, re-installed and used to clean your machine. Documentation is useful for future digital forensics (if needed) and it preserves a chain of evidence that can be used as a future prevention reference.

11. Report identity theft to the police
In case of any identity theft, the first thing we should do is freeze all the confidential information and, if needed and possible, reset it. Then reporting the identity theft to the police is of foremost importance, so that if the confidential information is misused we have a police report in place.
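As an added example (not code from the post), the following Python helper carries out steps 3, 8 and 10 together: it images a drive or file, hashes source and image, writes a timestamped entry to an incident log, and later re-checks the image before forensic analysis. The function names are my own, and the demo assumes a constructed file in place of the block device you would image in real use.

```python
"""Added example (not code from the blog post): a small forensic-imaging helper
for steps 3, 8 and 10 above. It copies a drive or file bit-for-bit, records
SHA-256 hashes with a UTC timestamp in an incident log, and can later confirm
the image is unchanged before analysis. Assumption: in real use `source` is a
block device such as /dev/sdb; the demo below feeds it a constructed file."""
import datetime, hashlib, pathlib, shutil, tempfile

CHUNK = 4 * 1024 * 1024  # read in 4 MiB pieces so a large drive does not fill RAM


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_drive(source, image, log):
    """Copy source to image, hash both, append a log line. Returns the image
    hash; raises if the copy does not match the source."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    src_hash, img_hash = sha256_of(source), sha256_of(image)
    ts = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    with open(log, "a") as f:  # step 10: every action leaves a dated record
        f.write(f"{ts} imaged {source} -> {image} sha256={img_hash}\n")
    if src_hash != img_hash:
        raise RuntimeError("image does not match source; do not start cleanup")
    return img_hash


def verify_image(image, log):
    """Before forensic work, recompute the hash and compare it with the logged one."""
    recorded = None
    with open(log) as f:
        for line in f:
            if f"-> {image} sha256=" in line:
                recorded = line.rsplit("sha256=", 1)[1].strip()
    return recorded is not None and recorded == sha256_of(image)


def run_demo():
    """Constructed walkthrough on a temporary file standing in for a drive.
    Returns (copy verified, image intact, image intact after tampering)."""
    work = pathlib.Path(tempfile.mkdtemp())
    src, img, log = work / "disk.bin", work / "disk.img", work / "incident.log"
    src.write_bytes(b"constructed sample disk contents\n" * 1000)
    digest = image_drive(src, img, log)
    intact = verify_image(img, log)
    with open(img, "ab") as f:  # simulate evidence being modified afterwards
        f.write(b"x")
    return digest == sha256_of(src), intact, verify_image(img, log)
```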

10 Steps to take after Cyber Security Breach 2019 10 Steps to take after Cyber Security Breach 2019 Reviewed by Satyajit (Admins,a.k.a Satosys) on Thursday, October 24, 2019 Rating: 5

More Security for Firesheep from Mozilla | HSTS

Wednesday, February 02, 2011
Firesheep was a buzzword a few months ago; then came Blacksheep to protect users from it.
The Firesheep tutorial I demonstrated in a post shows how an attacker can gain access to any account (Twitter, Facebook, Gmail etc.) without even knowing the password, using sidejacking.

Security for Firesheep

Now, with the increase in threats from tools like Firesheep, Mozilla has come up with a concept called "HTTP Strict-Transport-Security", which will be employed in Firefox 4 and is already available in the beta versions.

What is "HTTP Strict-Transport-Security" ?

When we access any login page, by default it is done over HTTP, so the initial connection is unencrypted and an attacker can mount a MITM (man-in-the-middle) attack, intercepting the connection while the user believes he or she is connected to the real server. Here comes the role of "HTTP Strict-Transport-Security" in protecting the user's session: it forces the user's session to be strictly over HTTPS, thereby encrypting the session from the initial point and also protecting the cookies from sniffing.

How to use this feature?

1. A site needs to enable the "Strict-Transport-Security" HTTP header in order to direct the user to the HTTPS login page; Firefox 4 will take care of the rest.

2. If you are using Firefox 3.6, you can use an add-on called "ForceTLS" to get this functionality.

3. This is built into Firefox 4 and its beta, but you can also get additional controls by using the "STS-UI" add-on.
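An added example, not Mozilla's code: a small Python model of the browser-side logic described above, showing how a recorded Strict-Transport-Security header causes later http:// requests to the host (and its subdomains when includeSubDomains is set) to be upgraded to https:// until max-age expires. The HstsCache class and the host names are assumed for the demo.

```python
"""Added example (not Mozilla's or Firefox's code): how a browser applies a
Strict-Transport-Security header. Once an HTTPS response carrying the header
is seen, later http:// URLs for that host (and, with includeSubDomains, its
subdomains) are rewritten to https:// until max-age expires. Host names and
header values below are constructed for the demo; the caller only records
headers that arrived over a valid HTTPS connection, as the browser would."""
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    def __init__(self):
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def record(self, host, header, now):
        """Parse 'max-age=N[; includeSubDomains]'. Returns False if ignored."""
        max_age, include_sub = None, False
        for part in header.split(";"):
            name, _, value = part.partition("=")
            name, value = name.strip().lower(), value.strip().strip('"')
            if name == "max-age" and value.isdigit():
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # a header without max-age is not a valid policy
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 tells the browser to forget
        else:
            self.policies[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """True if host, or a parent marked includeSubDomains, has a live policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser will actually fetch."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known(p.hostname, now):
            return url
        # port 80 maps to the https default; any explicit other port is kept
        netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```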

With this feature added to Firefox 4, the online activities of users on public Wi-Fi hotspots can be secured to some extent... :)

Monitor Facebook activity and increase Security

Monday, January 03, 2011
Facebook is one of the most widely used social networking sites these days. So, if your account gets compromised in any way, for example by session hijacking, it may result in a big headache. Here in this post I will tell you how you can monitor your account activity details such as location, OS type and time of access.

Read the post on "Facebook security and privacy tips".

Procedure:

Step 1.
Click on "Account" on the upper right side of your Facebook page and then click on "Account settings" as shown in the image below.


Step 2.
Now scroll down to where you see "Account Security" and click on the "change" option there, as shown in the image below.
Step 3.
Now you can see the recent activity and other activities in the past. There you can also see the "Login Notification" option; I would recommend setting it to "On" to add an extra level of security. On your next login attempt you will be asked for your computer name, so provide the desired name and click on continue.
Step 4.
If you notice any unfamiliar device or location in your activity history, you can click on the "End activity" option to end that session.

Note: The information furnished in the account activity is not that detailed, but it can certainly add a level of security to your Facebook account.

Prevent access to Google Apps and reset sign-in cookies.

Sunday, January 02, 2011
Google Apps has indeed added a bit of ease for people who are on the move: they can access their favourite Google services from anywhere, any time, as long as they have internet access. Suppose the device from which they access their Google Apps account gets stolen; then whoever possesses the device can open their account using the session cookies present in the browser, without even knowing the authentication credentials (username and password).

Google really thinks about its users' security, so it has added a feature to reset the sign-in cookies for a particular user, after which that user needs to authenticate again to sign in.

Note: This feature is only available to Premier (paid) users of the account.

Step 1.
Log in (as administrator) to the control panel of your Google Apps account and reach the dashboard as shown below. The control panel can be accessed from the link below.
( http://www.google.com/a/your-domain_name.com )

Step 2.
To avail of this feature you need to have the "Next generation control panel". To switch to it, follow the instructions shown in the image below.
Step 3.
Now click on the "Organisation and users" tab and click on the desired username for whom you want to reset the sign-in cookies, as shown in the image below.
Step 4.
Now "User information" opens up and you can see the "Reset sign-in cookies" option in the password section. Just click on it; the user will then have to re-authenticate when they start a new browser session.

To remotely wipe a mobile device, visit here.

Blacksheep Tutorial | Detect Firesheep and Secure your public WiFi access.

Friday, November 12, 2010
In one of my last posts I wrote about the "Firesheep Tutorial", which can be used to take control of a user's session. Here in this tutorial I will discuss a Firefox add-on called "Blacksheep" that can detect Firesheep on the network. So let's start...

What is a Blacksheep?

It is a Firefox add-on that detects Firesheep on an open or public Wi-Fi network. The credit goes to Zscaler for bringing it out. It is built from the source code of Firesheep, taking into consideration how Firesheep works.


How does it work?

As I explained in my post on Firesheep, that add-on captures the cookies of a user's session and uses them to log in to the listed websites. Blacksheep carries the same list of websites, so while it is on the network it generates fake cookies for those sites every 5 minutes (you can change the interval); if someone using Firesheep captures one of those fake Blacksheep cookies and uses it, Blacksheep raises an alert with the IP address of the attacker's system. It exploits Firesheep's weakness of not being able to differentiate between the fake cookies (from Blacksheep) and the original ones (generated during a user session).
Note: Blacksheep won't protect against session hijacking through Firesheep; rather, it will alert you to Firesheep's use on the network.
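An added example (not Google's, Zscaler's or this blog's code) serving both the "Reset sign-in cookies" step in the Google Apps post above and the Blacksheep detection idea just described: a toy server-side session store in Python that can invalidate every session of one user so they must authenticate again, and that plants decoy cookies never issued to a real client, so any request carrying one reveals cookie replay together with the source address. The SessionStore class, cookie values and IP addresses are constructed for the demo.

```python
"""Added example (not the blog's, Google's or Zscaler's code): a toy server-side
session store showing two ideas from the posts above. (1) 'Reset sign-in
cookies' for one user, so every cookie issued earlier stops working and the
user must authenticate again in each browser. (2) Blacksheep-style decoy
cookies that are recorded but never handed to a real client: a request that
presents one can only come from someone who sniffed or replayed it, so the
store records an alert with the source address. All names, cookie values and
IP addresses used with this class are constructed for the demo."""
import secrets


class SessionStore:
    def __init__(self):
        self.sessions = {}    # cookie value -> (user, generation at issue time)
        self.generation = {}  # user -> current generation number
        self.decoys = set()   # bait cookie values, never given to a real client
        self.alerts = []      # (source ip, decoy value) pairs that were presented

    def issue(self, user):
        """Log a user in: mint a random cookie tied to the user's current generation."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.generation.get(user, 0))
        return token

    def reset_sign_in_cookies(self, user):
        """Admin action: bump the generation so every earlier cookie is dead."""
        self.generation[user] = self.generation.get(user, 0) + 1

    def plant_decoy(self):
        """Mint a bait cookie that is remembered but never issued to anyone."""
        token = secrets.token_urlsafe(32)
        self.decoys.add(token)
        return token

    def check(self, cookie, src_ip):
        """Validate a request's cookie. Returns the user name, or None.
        A decoy being presented means it was captured on the network."""
        if cookie in self.decoys:
            self.alerts.append((src_ip, cookie))
            return None
        entry = self.sessions.get(cookie)
        if entry is None:
            return None
        user, gen = entry
        if gen != self.generation.get(user, 0):
            del self.sessions[cookie]  # invalidated by a reset; forget it
            return None
        return user
```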
How to use it?

Warning: If Firesheep is installed in the same browser, disable it before using Blacksheep, because Firesheep also captures the cookies of its host browser, so Blacksheep may pop up an alert with your own IP address.


Requirements:

1. WinPcap (Download)

2. Blacksheep add-on (Install)

3. Windows XP or a later version (OS for this tutorial)

4. Firefox 3.5 or newer (32-bit)

5. Public or open Wi-Fi (where Firesheep is suspected)


Configuration:

Step 1. Having set up all the requirements, open up Firefox.

Step 2. Disable Firesheep if you have installed it, as shown below.

Step 3. Follow the path Tools --> Add-ons in the top menu.

Step 4. Search for Blacksheep in the add-ons list, click on Options and change to your desired interval as shown below.
Working:

Here is the video from Zscaler on the working of Blacksheep; hope you will like it.

Credit : http://research.zscaler.com/

"If you find this post useful and informative do post your comment and share it."

Sidejacking | Firesheep Tutorial and Countermeasures.

Tuesday, November 02, 2010
Recently Eric Butler, at ToorCon 12, exposed and demonstrated the session hijacking problem (aka sidejacking) with the help of a self-made Firefox add-on called "Firesheep". Using this method the attacker can control the victim's account without even knowing the password. This tool can also be used to hack Facebook, Twitter etc. accounts. Today in this post I will discuss how this is carried out and the countermeasures needed to avoid this problem. So let's start....
I recommend that readers proceed with this post only if they abide by the blog's Disclaimer; otherwise, leave this page immediately.

What is HTTP session hijacking (aka sidejacking)?

In session hijacking an attacker hijacks (or controls) the user's session after the user has successfully logged in or authenticated with the desired server. In this post the add-on "Firesheep" works like a sniffer and captures the cookies that users on the same wireless network use to authenticate to a few webpages predefined in the add-on. This problem still persists with HTTPS websites too, because they only encrypt the users' login and the rest of the session is left unencrypted.


Requirements:

1. Public Wi-Fi access.

2. WinPcap (Download)

3. Firesheep (Download)

Procedure:

1. Download Firesheep from the above link and, using the "open with" option, open it in Firefox.

2. Having installed it, restart the browser and follow the instructions in the image below.

3. Now you can see that Firesheep has opened up in the sidebar; follow the instructions in the image below.

4. Then click on the "Start capturing" button at the top. Before doing this make sure that you are connected to an open Wi-Fi network, say your college or campus Wi-Fi.

5. After doing that, wait for a few seconds and you will see results start appearing in the sidebar as shown below. Click on any result and the pre-authenticated session will open in your browser.

So users on public Wi-Fi, like at an airport or while accessing the internet in a coffee shop, need to be careful. Follow the countermeasures below.


Countermeasures:

1. HTTPS is not the solution to this problem; rather, you can use a VPN to access public Wi-Fi. There are a few paid services too; look them up on Google.

2. You can also set up your own server using Cygwin, use the SSH client PuTTY to connect to it, and configure your browser to use a SOCKS proxy. Then access the desired website.
 
"If you find this post useful and informative do post your comment and share it."
Sidejacking | Firesheep Tutorial and Countermeasures. Sidejacking | Firesheep Tutorial and Countermeasures. Reviewed by Satyajit (Admins,a.k.a Satosys) on Tuesday, November 02, 2010 Rating: 5
Powered by Blogger.