8/21/2020

Change Passwords Regularly - A Myth And A Lie, Don't Be Fooled, Part 1


TL;DR: different passwords have different protection requirements, and different attackers using various attacks can only be prevented through different prevention methods. Password security is not simple. For real advice, check the second post (in progress).

Are you sick of password advice like "change your password regularly" or "if your password is password, change it to pa$$w0rd"? This post is for you!

The news sites are full of password advice nowadays due to recent breaches. When I read/watch this advice (especially on CNN), I am usually pissed off for a lot of reasons. Some advice is terrible (a good collection is here), some is good but offers no solutions, and other advice is better but doesn't explain the reasons. Following is my analysis of the problem. It works for me. It might not work for you. Comments are welcome!

Password history

Passwords have been used since ancient times.


Because it is simple. When I started using the Internet, I believe I had three passwords: Windows login, webmail, and IRC. Now I have ~250 accounts/passwords to different things, like my smartphone, my cable company (this password can be used to change the channels on the TV), my online secure cloud storage, the full disk encryption to start my computer, my nude pictures, my WiFi router, my cloud server hosting provider, etc etc etc. My money is protected with passwords, my communication is protected with passwords/encryption, my work is protected with passwords. It is pretty damn important. Yet people tend to choose lame passwords. Pretty lame ones. Because they don't think it can be significant. But what is not essential today will be relevant tomorrow. The service you used to download music (iTunes) with the lame password will one day protect all your Apple devices, where attackers can download your backup files, erase all your devices, etc. The "seven characters and one capital letter" rule is not enough anymore. This advice is like "PDF is safe to open" or "Java is secure". Old, outdated, untrue.

Now, after this lengthy prologue, we will deep dive into the analysis of the problem, by checking what we want to protect, against whom (who is the attacker), and only after that, we can analyze the solutions. Travel with me, I promise it will be fun! ;)

What to protect?

There are different services online, and different services need different kinds of protection. You don't use the same lock on your Trabant as you do on your BMW.

Internet banking, online money

For me, this is the most vital service to protect. Luckily, most internet banking services use two-factor authentication (2FA), but unfortunately, not all of them offer transaction authorization/verification covering the complete transaction. 2FA is not effective against malware; it just complicates the attack. Transaction authorization/verification is better, but not perfect (see Zitmo). If the access is not protected with 2FA, better choose the best password you have (long, truly random, sophisticated, but we will get to this later). If it is protected with 2FA, that is still no reason not to use the best password ;) This is what I call the "very high-level password" class.


Credit card data

This system is pretty badly fucked up. Something has to be secret (your credit card number), but at the same time that is the only thing that identifies your credit card. It is like your username being your password. Pretty bad idea, huh? The problem is even worse with a lot of different transaction types, especially when the hotel asks you to fax both sides of your CC to them. Unfortunately, you can't change the password on your credit card, as there is no such thing, but Verified by VISA or 3-D Secure with 2FA might increase the chances your credit card won't get hacked. And on a side note, I have removed the CVV numbers from my credit/debit cards. I read it once when I received the card; I don't need it printed there anymore.
And sometimes, you are your own worst enemy. Don't do stupid things like this:


Work related passwords (e.g. Windows domain)

This is very important, but because the attack methods are a bit different, I created this as a different category. Details later.

Email, social sites (Gmail/Facebook/Twitter), cloud storage, online shopping

This is what I call the "high level password" class.
Still, pretty important passwords. Some people don't understand "why would attackers put any energy into getting someone's Facebook account?" It is simple. For money. They can use your account to spread spam all over your Facebook wall. They can write messages to all of your connections telling them you are in trouble and asking them to send money via Western Union or Bitcoin.


They can use your account in Facebook votes. Your e-mail and cloud storage are again very important. 20 years ago you also had letters you didn't want to print out and put in front of the nearest store, and you don't want to do that with your private photo album either. On a side note, it is best to use a cloud storage where even the cloud provider's admin can't access your data. But in this case, with no password recovery option, better think about "alternative" password recovery mechanisms.

Other important stuff with personal data (e.g. your name, home address)

The "medium level password" class. Whether to have this class or not is a personal preference, but in the long run, I believe it is not a waste of energy to protect these accounts. These sites include your favorite pizza delivery service, your local PC store, etc.

Not important stuff

This is the "other" category. I usually use a one-time disposable e-mail for these services: register, get what I want, drop the email account. This is because I don't want to spread my e-mail address all over the internet, to be leaked whenever one of these sites gets hacked. But still, I prefer to use different, random passwords on these sites, even though this is the "low level password" class.

Attackers and attack methods

After categorizing the different passwords to be protected, let's look at the different attackers and attack methods. They can, will, or are actively doing the following:

Attacking the clear text password

This is the most effective way of getting the password. The bad news is that if there is no other factor of protection, the victim is definitely not on the winning side. The different attack methods are:

  • phishing sites/applications,
  • social engineering,
  • malware running on the computer (or in the browser),
  • shoulder surfing (watch out for smartphones and hidden cameras),
  • sniffing clear-text passwords when the website is not protected with SSL,
  • SSL MiTM,
  • rogue website administrator/hacker logging clear text passwords,
  • password reuse - if the attacker can get your password in any way, and you reuse it somewhere else, that is a problem,
  • you told your password to someone and he/she will misuse it later,
  • hardware keyloggers,
  • etc.

The key thing here is that no matter how long your password is, no matter how complex it is, no matter how often you change it (except when you do this every minute ...), if it is stolen, you are screwed. 2FA might save you, or might not.

Attacking the encrypted password

This is the usual "hack the webserver (via SQL injection), dump the passwords (with SQLMap), post hashes on pastebin, everybody starts the GPU farm to crack the hashes" scenario. This is basically the only scenario where password policies make sense. In this case the different levels of passwords need different protection levels. In some cases, this attack turns out to be the same as the previous attack, when the passwords are not hashed, or are just encoded.

The current hash cracking speeds for hashes without any iterations (this is unfortunately very common) render passwords like Q@tCB3nx (8 characters, upper- and lowercase, digit, special characters) useless, as those can be cracked in hours. Don't believe me? Let's do the math.

Let's say your password is truly random, chosen uniformly from the 26 upper, 26 lower, 10 digit, and 33 special characters. (Once I tried special passwords with high ANSI characters inside. It is a terrible idea. Believe me.) There are 6 634 204 312 890 620 different 8-character passwords from these characters. Assuming a 2-year-old password cracking rig and MD5 hash cracking at 180 G/s, it takes at worst 10 hours (5 on average) to crack the password, including upgrading your bash to the latest, but still vulnerable, bash version. Had the password been 10 characters long, it would take 10 years to crack with today's hardware. But if the password is not truly random, it can be cracked a lot sooner.

A lot of common hashing algorithms don't use protections against offline brute-force attacks. This includes LM (old Windows hashes), NTLM (modern Windows hashes), MD5, and SHA-1/SHA-2 (such as SHA-512). These hashing algorithms were not developed for password hashing. They don't have salting, iterations, etc. out of the box. In the case of LM, the problem is even worse, as it converts lowercase characters to uppercase ones, thus radically decreasing the key space. Out of the box, these hashes are made for fast calculation, and thus support fast brute-force.
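To make the arithmetic above concrete, here is an added Python example (not from the original post) that computes the keyspace and worst-case cracking time from the post's own figures (95 symbols, 180 G MD5/s) and shows weak unsalted-MD5 storage beside a salted, iterated PBKDF2 alternative. The 600,000 iteration count, the stored-record format, and treating one PBKDF2 iteration as costing one MD5 call are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Character classes the post counts: 26 upper, 26 lower, 10 digits, 33 specials = 95.
ALPHABET_SIZE = 26 + 26 + 10 + 33

# Throughput figure taken from the post: an older rig doing about 180 G MD5 hashes/s.
MD5_RATE_PER_SEC = 180e9


def keyspace(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of distinct passwords of `length` drawn uniformly from `alphabet` symbols."""
    return alphabet ** length


def worst_case_seconds(length: int, rate: float = MD5_RATE_PER_SEC,
                       iterations: int = 1) -> float:
    """Seconds to exhaust the keyspace when every guess costs `iterations` hash calls.

    The average case is half of this. Counting one PBKDF2 iteration as one MD5 call is
    an assumption that understates the real slowdown, so the estimate is conservative.
    """
    return keyspace(length) * iterations / rate


# Weak storage: unsalted, single-round MD5, the kind of hash the post says is still common.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Hardened storage: per-user random salt plus PBKDF2-HMAC-SHA256 with a large work factor.
PBKDF2_ITERATIONS = 600_000  # assumed, illustrative work factor; tune to your hardware


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for n in (8, 10):
        hours = worst_case_seconds(n) / 3600
        print(f"{n} chars: {keyspace(n):,} candidates, worst case {hours:,.1f} h at MD5 speed")
    slow_years = worst_case_seconds(8, iterations=PBKDF2_ITERATIONS) / 3600 / 24 / 365
    print(f"8 chars with {PBKDF2_ITERATIONS} iterations: worst case about {slow_years:,.0f} years")
    record = strong_hash("Q@tCB3nx")  # the 8-character password from the post
    print(record)
    print(verify_strong("Q@tCB3nx", record), verify_strong("q@tcb3nx", record))
```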


Another attack is when the protected thing is not an online service, but rather an encrypted file or crypto-currency wallet.

Attacking the authentication system online

This is what happened in the recent iCloud hack (besides phishing). Attackers attacked the authentication system, either by brute-forcing the password or by bypassing the password security by answering the security question. Good passwords cannot be brute-forced, as it takes ages. Good security answers have nothing to do with the question in the first place. A good security answer is as hard to guess as the password itself. If password recovery requires manual phone calls, I know, it is a bit awkward to say that your first dog's name was Xjg.2m`4cJw:V2= , but on the other hand, no one will guess that!


Attacking single sign on

This type of attack is a bit different, as I was not able to put "pass the hash" attacks anywhere else. Pass the hash attacks are usually found in Windows domain environments, but others might be affected as well. The key thing is single sign-on. If you can log in to one system (e.g. your workstation) and access many different network resources (file share, printer, web proxy, e-mail, etc.) without providing any password, then something (a secret) has to be in memory which can be used to authenticate to the services. If an attacker can access this secret, he will be able to access all these services. The key thing is (again) that it does not matter how complex your password is, how long it is, or how often you change it, as someone can easily misuse that secret.

 

Attacking 2FA

As already stated, two-factor authentication raises the effort required from an attacker's point of view, but does not provide 100% protection.
  • one-time tokens (SecurID, Yubikey) can be relayed in a man-in-the-middle attack,
  • smartcard authentication can be relayed with the help of malware to the attacker's machine, or simply circumvented by malware in the browser,
  • text-based (SMS) messages can be stolen by malware on the smartphone or rerouted via SS7,
  • biometric protection is constantly bypassed,
  • SSH keys are constantly stolen,
  • but U2F keys are pretty good actually, even though a BGP/DNS hijack or similar MiTM can still circumvent that protection,
  • etc.


Others

Beware that there are tons of other attack methods to access your online account (like XSS/CSRF), but all of these have to be handled on the webserver side. The best you can do is to choose a website where a Bug Bounty program is running 24/7. Otherwise, the website may be full of low-hanging, easy-to-hack bugs.

Now that we have covered what we want to protect against what, in the next blog post, you will see how to do that. Stay tuned. I will also explain the title of this blog post.


5 Sites For Creating Your Own GIF Images

Animated GIFs have become everyday fare on the different social networks, and we can see the evolution and the technological importance this format brings to a web page, giving it a modern and dynamic look. GIFs are great graphics that we come across on the web every day and that provide an enriching look while being a simple file type, born in 1987 with small, very entertaining cartoons or animated drawings, supporting small bits of pixels and up to 256 palette colors in each frame.
Likewise, these small GIFs are very easy to edit, and giving them that elegant flair is no longer complicated thanks to the many programs and pages offered to us on the web. In this article we want to present five websites so that you can create your own animated images and share them on social networks.

5 sites where you can create your own GIFs

https://www.dominatupc.com.co/
Having shared some of the history of this animation format, we move on to what really interests us: getting to know some pages that give us the possibility of creating our own style, and for that we have selected the five best for this type of entertainment.
It allows you to create animated GIFs simply and for free by combining your own separate image files as frames; it also gives us the possibility of adding music, and best of all, registration is not necessary. Another feature is being able to upload JPG, PNG, BMP, TIFF and other image types to give a unique touch, without ads and with very few clicks.
It gives you the possibility of creating GIFs from YouTube videos or simply from the URL of the video you want to convert. As with the previous site, you don't need to register; just wait for the previously entered video to load. The system will then ask us for some details to complete the animation. After entering all the details it will show us a preview so we can see how our GIF is turning out, and we click "finish" to complete and save our project.
It is an easy-to-use editor, since it only needs the URL of any video to make your own animation. This tool lets us upload automatically to Imgur, from where we can share anywhere on the web, and in MP4 format instead of saving with the GIF extension; beyond that, it is a very practical service to keep in mind.
It is a tool that helps you save time, since when you copy the video URL it converts almost instantly; the only limitation is that it records only fifteen seconds, the same as the Imgur tool, but we can create our own GIFs without any additional software.
It is the platform designed for people with artistic abilities, allowing designs made from multiple images. To access and see all its content you must register and thus get your GIF without a watermark; to finish the process you can download the image by clicking "Download".
We want to recommend these five very interesting websites, where you can leave everything to your imagination and show all your creativity on the different social networks where GIFs are in demand. If this article caught your attention, you can share it. Also visit: (5 websites for creating animations and videos online)



How To Start | How To Become An Ethical Hacker

Are you tired of reading endless news stories about ethical hacking and not really knowing what that means? Let's change that!
This post is for the people that:

  • Have no experience with cybersecurity (ethical hacking)
  • Have limited experience
  • Just can't get a break


OK, let's dive into the post and suggest some ways that you can get ahead in cybersecurity.
I receive many messages on how to become a hacker. "I'm a beginner in hacking, how should I start?" or "I want to be able to hack my friend's Facebook account" are some of the more frequent queries. Hacking is a skill. And you must remember that if you want to learn hacking solely for the fun of hacking into your friend's Facebook account or email, things will not work out for you. You should decide to learn hacking because of your fascination for technology and your desire to be an expert in computer systems. It's time to change the color of your hat 😀

I've had my good share of hats. Black, white, or sometimes a blackish shade of grey. The darker it gets, the more fun you have.

If you have no experience, don't worry. We ALL had to start somewhere, and we ALL needed help to get where we are today. No one is an island and no one is born with all the necessary skills. Period. OK, so you have zero experience and limited skills… my advice in this instance is that you teach yourself some absolute fundamentals.
Let's get this party started.
  • What is hacking?
Hacking is identifying weaknesses and vulnerabilities in a system and gaining access through them.
A hacker gets unauthorized access by targeting a system, while an ethical hacker has official permission to assess the security posture of the target system(s) in a lawful and legitimate manner.

There are several types of hackers, a bit of "terminology":
White hat — ethical hacker.
Black hat — classical hacker, gets unauthorized access.
Grey hat — person who gets unauthorized access but reveals the weaknesses to the company.
Script kiddie — person with no technical skills who just uses pre-made tools.
Hacktivist — person who hacks for some idea and leaves some messages, for example a strike against copyright.
  • Skills required to become an ethical hacker:
  1. Curiosity and exploration
  2. Operating systems
  3. Fundamentals of networking
*Note these sites




