
Monday, November 5, 2018

University email accounts lack security and privacy

We should not forget that university emails are disposable, non-permanent and, most importantly, non-private. They should be treated with a lot of caution and distrust.


I have had university emails from the following:
  • Lebanese American University (permanent email)
  • American University of Beirut (temporary, for 1 year)
  • Haigazian University (permanent email)
  • University of Southampton
  • University of Oxford
I often see my classmates, university researchers and instructors use their university emails to share private information, such as personal correspondence with friends and uploaded photos. Some of them even use it as their primary email to sign up for PayPal and social media apps (Facebook, Twitter, etc.).

This is associated with two issues: breach of university password credentials, and employee misuse.

Most universities use the same email password to authenticate to a wide range of university services, such as university internet access, Moodle/Blackboard, Banner and endless other services.

Just like any other software system in the world, those systems are not immune to breaches, and in fact they may receive less scrutiny. There are hundreds of inventive ways an attacker can expose and obtain your university password.

You need to assume that this is entirely possible and make sure your email contains only trivial material that you don't give a fuck about.

What makes the situation worse is that university email services on Office 365 do not offer any multi-factor authentication feature. This has been the case for all 5 different university emails I've used so far. This was discussed during my admission interview with Oxford University, and it seems to be a current security problem.

As for the employee misuse problem, you would be surprised how easy it is for university IT staff to secretly gain access to your email and read every single email you've sent and received.

I have even spoken to IT officers/employees from the universities listed above, and many of them illustrated how easy the process of accessing an email account is.

University emails should only be used for information that isn't sensitive and has insignificant value; examples include class assignments, communication with a supervisor or an instructor, and communication with university staff.

Similarly, any storage provided by university services, such as OneDrive, should only be used to store trivial academic material.

Personal email accounts (such as Gmail) should be used for any personal emails or files you have.


Friday, August 31, 2018

Increasing the security on my professional email

In 2016, I decided to stop using my personal emails (e.g. @gmail.com, @hotmail.com) for professional communication. I changed my personal emails and made sure they remain strictly confidential and shared only with close friends and family.

My professional email now ends with @georgechalhoub.com and is managed by me. It gives me total control over all the configuration and settings, and it is not accessible via a login page. Here are the security settings I use:

DKIM - DomainKeys Identified Mail

According to Zoho, "DKIM is an authentication method, which uses encryption with public/ private keys, to validate whether the emails are generated from the authorised servers, recognized and configured by the administrators of the sending domains."

This prevents email spoofing and email backscatter. With DKIM, a public key is published as a TXT record in my domain's DNS, which is managed by Cloudflare. Every outgoing email includes a distinct signature generated using the private key for my domain. The receiving email server uses this public/private key pair to validate the email source. If validation fails, the recipient server may reject the email or classify it as spam/forged, depending on the server's behaviour.

SPF - Sender Policy Framework

According to Zoho, "Sender Policy Framework/ SPF is an Email validation system, to find out spoofed/ forged emails using a specific SPF record published for the domain with the details of hosts, that are permitted by the domain's administrators."

The SPF record is likewise published as a DNS record in my domain's DNS and identifies the email servers that are permitted to send email for the domain. The main goal of SPF records is to help the receiving server identify spam emails sent using my domain name by spoofing/forging the From addresses.

Now, I have recently added DMARC:

DMARC - Domain-based Message Authentication, Reporting and Conformance

According to Wikipedia, "Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email-validation system designed to detect and prevent email spoofing. It is intended to combat certain techniques often used in phishing and email spam, such as emails with forged sender addresses that appear to originate from legitimate organizations. Specified in RFC 7489, DMARC counters the illegitimate usage of the exact domain name in the From: field of email message headers."

This is great because now users cannot forge the 'From:' field of the email message headers. DMARC can produce two separate types of reports, which allow me to find out who is trying to forge emails on my behalf.

Here are DMARC rows of an aggregate record shown in tabular form: 
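As an added example that is not part of the original post, the Go program below parses a constructed DMARC aggregate (RUA) report, the XML that receivers mail to the rua= address and that a tabular view like the one above is built from, and applies the DMARC pass rule to it. The receiver name, domain, IP addresses and counts in the sample are made up.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// sampleReport is a constructed DMARC aggregate (RUA) report in the XML layout of
// RFC 7489 Appendix C. The receiver, domain, IP addresses and counts are made up.
const sampleReport = `<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example.net</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>7</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>`

// Row is one line of the report: a sending IP, how many messages it sent, what the
// receiver did with them, and the aligned DKIM/SPF results DMARC was evaluated on.
type Row struct {
	SourceIP    string `xml:"source_ip"`
	Count       int    `xml:"count"`
	Disposition string `xml:"policy_evaluated>disposition"`
	DKIM        string `xml:"policy_evaluated>dkim"`
	SPF         string `xml:"policy_evaluated>spf"`
}

type Record struct {
	Row        Row    `xml:"row"`
	HeaderFrom string `xml:"identifiers>header_from"`
}

type Feedback struct {
	Org     string   `xml:"report_metadata>org_name"`
	Domain  string   `xml:"policy_published>domain"`
	Policy  string   `xml:"policy_published>p"`
	Records []Record `xml:"record"`
}

// ParseReport decodes one aggregate report (the rua= mailbox receives these as XML).
func ParseReport(data []byte) (*Feedback, error) {
	var fb Feedback
	if err := xml.Unmarshal(data, &fb); err != nil {
		return nil, err
	}
	return &fb, nil
}

// Summarize applies the DMARC rule: a message passes when aligned DKIM or aligned SPF
// passes. Sources that fail both are the ones sending with my domain forged in From:.
func Summarize(fb *Feedback) (passed int, forgedBySource map[string]int) {
	forgedBySource = map[string]int{}
	for _, rec := range fb.Records {
		if rec.Row.DKIM == "pass" || rec.Row.SPF == "pass" {
			passed += rec.Row.Count
		} else {
			forgedBySource[rec.Row.SourceIP] += rec.Row.Count
		}
	}
	return passed, forgedBySource
}

func main() {
	fb, err := ParseReport([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	fmt.Printf("report from %s for %s (p=%s)\n", fb.Org, fb.Domain, fb.Policy)
	fmt.Printf("%-16s %6s %-12s %-5s %-5s %s\n", "source_ip", "count", "disposition", "dkim", "spf", "header_from")
	for _, rec := range fb.Records {
		fmt.Printf("%-16s %6d %-12s %-5s %-5s %s\n", rec.Row.SourceIP, rec.Row.Count, rec.Row.Disposition, rec.Row.DKIM, rec.Row.SPF, rec.HeaderFrom)
	}
	passed, forged := Summarize(fb)
	fmt.Printf("passed DMARC: %d messages; failed both checks: %v\n", passed, forged)
}
```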





Wednesday, July 18, 2018

Dealing with a security vulnerability

A few days ago, one of my websites, which is run by an American startup, received an email detailing a possible security vulnerability. The email was forwarded to me and I followed up on the situation.

The email came from a gentleman from the Netherlands named Thijs, who is a security researcher and a university student:


After doing further research, it was evident that the vulnerability was present on the site and affected search pages only. The vulnerability was resolved within hours.

The affected search page has served 43 million search queries since 2016, so it is highly likely that the security vulnerability has been exploited:


I cannot reveal any further details of the vulnerability, but I am glad that it was resolved. Thijs was rewarded with a small bounty of $100:


Ethical white-hat security researchers like Thijs should be cherished. Had I been able to increase the bounty reward for Thijs, I would have done it.

Thursday, July 12, 2018

How to increase security of confidential digital files

If you have sensitive documents, files or photos that you want to store securely in a digital environment, the only way to do so is to store them on a computer that:

  • Has never been connected to the internet
  • Doesn't have any Wi-Fi, Ethernet or Bluetooth chips
  • Has its location undisclosed
  • No one is aware of
  • Is not connected to systems that have been connected to the internet
This is known as an air-gapped computer. If you ever decide to build your own air-gapped computer, you should never discuss its existence with anyone, especially on the web. Your air-gapped computer could still be vulnerable to attacks, so the first step is to not disclose its existence to anyone.

All the attacks I've stumbled upon rely on knowing the location of the victim machine, so you really need to be careful with secrecy.

Do not use any operating system other than Linux. Do not use Windows. I recommend CentOS 6 or 7 (Linux).

Do not buy commercial laptops for this task; instead, build your own desktop PC and buy your own parts.

Air-gapped computers have been targeted by attacks in the past, so they are still not fully secure. You might want to strongly encrypt any files you put on those computers.

I've come to accept and understand that nothing I do online will be secure or private. It took me years to accept the concept, but I have adapted now. Every email, photo, message or text you send and receive online can be intercepted, no matter what companies brag about. Similarly, your online 'bank account' could be intercepted as well. Even things you do offline are not fully secure.

That doesn't mean that you shouldn't use the internet, but it means you should never send or store anything you deem confidential on the web.

Wednesday, April 4, 2018

Monday, July 3, 2017

Recovering a hijacked Facebook account

I can say without a doubt that the most hijacked and hacked accounts worldwide belong to Facebook. I myself have been asked to recover more than 15 accounts belonging to my friends or mutual friends. I don't succeed most of the time.

For example, my best friend's girlfriend had her account hijacked a month ago; she only noticed the change one month later. I was asked to remedy the situation. I had trouble even locating her account, and when I did, nothing could recover it. The hijackers had set up trusted friends, a new email, a new phone, new photos and even a new name.

Recently, my friend's account was hijacked and I was asked to recover it. It was an immensely important account used to conduct business, with chats that were supposed to be confidential, so I wasn't taking it lightly.

The password had obviously been changed, the email address (Hotmail) hijacked, and two-step authentication set up (confirmed from Hotmail's account recovery process). So, recovering the account was pretty much a dead end, confirmed by Facebook's horrid message:


So, I was really stuck. At this point, there was no direct way to contact Facebook regarding hacked accounts. You can directly contact them for impersonation or copyright issues, but not for hacked accounts.

Then, I asked the victim to find any web browser where he had logged in to Facebook in the past (with the old password). Here is the screenshot he sent:


After he pressed "click here", he indicated that the Facebook account had been compromised; next photo:


After the victim clicked on "Secure My Account", he was taken to this page. The victim's Hotmail account was compromised, so he clicked on "No longer have access to these?":



Surprisingly, he was taken to this annoying and useless page, where the victim clicked on "I cannot access my email account":


Then, Facebook asked for a new email address:


At this stage, an email address that I operate was provided, and the page below was shown; however, this page is not accessible to everyone. The URL for this page is https://www.facebook.com/help/contact/278918555806469/, but apparently it will not be enabled for anyone unless they went through the recovery process (from a browser they have logged in from in the past):


After the ID was provided, Facebook Support sent me an email directly, since the victim had set up an email of mine as the contact email for the resolution of the issue:


Since the victim had uploaded his ID, I briefly described the issue to Facebook:


One day later, the account was recoverable. Win:


But we were not done yet; I had to reverse the damage. First, I had to invalidate the old email and add another email for the victim. At this point, I set up an email for him on my domain name and added it to his Facebook. That email has two-step authentication configured as well as a complex password, so that no matter what, I can recover it:



The email was confirmed:


Then, the account was logged out of all devices:
Added phone numbers, emails and apps were all removed:


Recent activity was also checked for malicious posts:


That's it: the account was recovered and two-step authentication is now activated, a step the victim didn't know existed in the first place.

Thursday, June 29, 2017

Can you really hack a Chromebook and get 100K from Google?

It has been almost a year since the search and artificial intelligence giant announced on its Blogger blog that it is willing to pay USD 100,000 to whoever can hack its Chromebook. In a blog post called "Get Rich or Hack Tryin'", Google said:
Increasing our top reward from $50,000 to $100,000. Last year we introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. Since we introduced the $50,000 reward, we haven’t had a successful submission. That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool.


In more technical terms, USD 100,000 is to be given to whoever can hack its operating system, Chromium OS, which is updated almost daily by some of the finest and most talented software engineers.

Sounds like a good deal, yeah? Actually, not. It is worth noting that Google set extremely hard rules, and the chance of winning the amount is close to 0. Yes, it is possible to hack a Chromebook, but your chances are close to 0. Here is more information about the reward:
We have a standing $100,000 reward for participants that can compromise a Chromebook or Chromebox with device persistence in guest mode (i.e. guest to guest persistence with interim reboot, delivered via a web page).

What does it mean?
  • You need to find a bug in Chromium OS's sandboxing security mechanism, which has been evolving for four years. Sandboxing ensures that each Chrome extension (they call them apps) runs in a restricted environment and is sandboxed (quarantined, imprisoned). In other words, you need to create a Chrome extension and, from that extension, locate a bug in Chromium OS, if one does exist, I assume.
  • Once you find this invisible bug, you create an extension that takes advantage of it to escalate access and escape the sandbox. All of that has to be done in guest mode.
  • Once you escape the sandbox, you need to find a second bug that allows you to tamper with the system and corrupt its files. That is, first you need to find a third bug that allows you to access developer mode from guest mode.
  • Once you gain access to developer mode from guest mode, you need a way to break into the administrator account inside the "Linux-based" operating system from a non-privileged account.
  • Hold on, we're not done yet. It needs to be persistent. That means that once you edit the operating system files, you need to tamper with the secure boot scripts as well, which double-check the operating system files on boot to see if they were tampered with.
The hack, if found, is probably worth more than USD 10,000,000 on the black market; the odds of getting a Chromebook hacked from guest mode are about the same as the odds of winning the lottery. If you're looking for some quick cash, you might as well go buy a lottery ticket rather than get a Chromebook and attempt the hack.

The USD 100,000 is just a tiny amount from Google's pocket, but most importantly, it is a guarantee from Google that their Chromebook is safe; as long as no one wins the bounty, Google can smile and double the amount whenever they want.

Wednesday, January 4, 2017

Google's FIDO U2F Security Key: Taking two-step authentication to another level

A prominent Computer Science professor, Dr. Ramzi Haraty, said once "No system is fully and 100% secure". I was 18 years old when I heard that statement back then, and I didn't really take it seriously.

However, as I grew older, I realized that the statement was entirely true, beyond any reasonable doubt. As a matter of fact, there isn't any service, login page, software, database or website that cannot be hacked and penetrated.

Even the NSA's hidden and encrypted servers were hacked. However, each security system has its own drastic security measures; some are challenging and tough to break into, and others are trivial.

One company that takes security extremely seriously is Google Inc. Behind the simple-looking login page you see on the right, there is a monster security system beyond any person's imagination:

As a matter of fact, if you can hack (not hijack) this page and access a consumer's account, your hack is worth at least USD 25,000,000.

What Google does to protect the consumer Gmail accounts of its members is astonishing. This includes, but is not limited to:


1. Bug bounty programs: Google pays millions of dollars each year to hackers and security researchers who report bugs in its systems. In return for the information, Google pays cash. That pushes bored and opportunistic programmers to start searching for bugs in the system, hoping to get paid. Eventually, as bugs get reported over the years, they get minimized.

2. Encrypting the web, literally. In summary, this means HTTPS. This encrypts your communications, including passwords and credit card numbers, with many websites, making your browsing more secure. Without HTTPS, anyone spying on your Wi-Fi could get personal information from you.

3. Locking your Gmail if it is signed in to via Tor or from a different country. If you access your Gmail from another country, it will be locked.

4. Obsessing about the sandbox. Google's security system is designed with multiple security layers. That is, if you find one bug in Google's page and access one protected page, you'll have to find a bug in the next security layer, then move to the next security layer, and so on. So, your chances of finding bugs and breaking this page are close to 0.

Allowing users to set up two-step authentication on their account is another way Google Inc. has implemented security on its website. That means that if you log in from a new device, you will have to receive a 6-digit code on your mobile to be able to access the account (the secret code can be provided by a phone call, SMS, or an application such as Google Authenticator or Authy). That is, even if you know the password of an account, you will not be able to access it unless you receive that 6-digit code.

That's cool, right?


Not really. Google recently realized, thanks to its advanced artificially intelligent technologies, that governments are targeting social activists and breaking into their accounts. So, the standard two-step authentication feature (mobile) would be weak too.

Wait, how come?


Very simple; I'll give you one example. Imagine that you have a Gmail account and I figured out your password. However, you're an intelligent person and have set up two-step authentication via a phone call.

So, I get stuck here. What do I do? I can impersonate you, go to your mobile provider, claim that I lost the phone with your number and receive a new SIM card with your phone number.

It might not work with a phone company like Verizon or AT&T, but in other third-world countries (like Lebanon, for example) it would apparently work due to their pathetic security checks (Alfa or Touch).

Now imagine this. 


A corrupt government targets a journalist's or a rebel's Gmail and gets his password by spying on him. They can, for example, get access to his phone number and reset the password very quickly by collaborating with the phone company.

In fact, this has happened, as Google announced in a blog post that since 2012 users have been targeted by state-sponsored attackers.

It might not be the method that I alleged, but I highly suspect it is. They said that they can't reveal the tip-off because hackers can adapt; however, they did say "Enable two-factor authentication and set up a Security Key", which could well mean that the attempt works by targeting the mobile phone.

Google said they've sent those notices to 0.1% of their users, which is a huge number considering there are more than one billion users with Google accounts: 0.1% of 1 billion is 1 million.

Google ended the post with "The security of our users and their data is paramount.", which is clearly illustrated, and because of that you should trust and respect Google more.


So what is a security key?

It is a small USB device that can be plugged into your machine to allow access to an account. It is a second authentication factor that doesn't require a phone number. Its full name is "FIDO U2F Security Key"; the security key is based on U2F, an open authentication standard that enables two-factor authentication using specialized USB or NFC devices, based on security technologies similar to those found in smart cards. It was developed by Google and Yubico. U2F security keys can also be used on Dropbox, GitLab and Bitbucket.

How does it work? 

Once you've got two-step verification enabled and have configured the security key, each time you log in on a new (or unsaved) device you will be asked to insert your security key into the machine and press its button.

While you may keep the phone call as a backup verification method, I do not recommend it, since it defeats the primary purpose of the security key.

It is wise to generate backup codes and memorize them (not write them down anywhere) in case you lose the security key or want to log in on a mobile phone.

If you decide to use one for your own safety, it is wise not to inform any of your friends, colleagues or anyone else that you're using this type of security mechanism.

Hackers will adapt to security features in whatever shape and form. Let them be surprised if they access your account instead of letting them plan ahead.
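Added example, not code from the original post or from Google/Yubico: a Go model of the U2F authentication round trip described above, using real P-256 ECDSA from the standard library. It assumes a relying party appID of https://accounts.example.com and simplifies the origin check to an exact match with the appID. It shows why this works where a phone does not: the browser writes the real origin into the client data, so an assertion captured on a phishing page is rejected even though the key signed it, and a replayed or cloned-key assertion is caught by the counter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Token models the key: one P-256 key pair per registration plus a use counter.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}
// Registration is all the server stores: the public key and the last counter it accepted.
type Registration struct {
	pub     *ecdsa.PublicKey
	counter uint32
}
// clientData travels browser -> token -> server; the browser, not the page, fills in origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register simulates enrolling a fresh key with the service.
func Register() (*Token, *Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, &Registration{pub: &priv.PublicKey}, nil
}

// assertionDigest hashes what the token signs: SHA-256(appID) || 0x01 (button pressed) || 4-byte BE counter || SHA-256(clientData).
func assertionDigest(appID string, counter uint32, client []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(client)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	d := sha256.Sum256(append(append(append(app[:], 0x01), ctr...), cd[:]...))
	return d[:]
}

// Sign is the token's answer: bump the counter, sign with the key that never leaves the device.
func (t *Token) Sign(appID string, client []byte) (uint32, []byte, error) {
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, assertionDigest(appID, t.counter, client))
	return t.counter, sig, err
}

// Verify is the server side: challenge and origin first, then the signature; the counter must advance.
func (r *Registration) Verify(appID, challenge string, client []byte, counter uint32, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(client, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("client data does not match the issued challenge")
	}
	if cd.Origin != appID { // simplification: real U2F accepts any facet of the appID
		return errors.New("origin " + cd.Origin + " is not the registered appID")
	}
	if counter <= r.counter {
		return errors.New("counter did not advance: replay or cloned key")
	}
	if !ecdsa.VerifyASN1(r.pub, assertionDigest(appID, counter, client), sig) {
		return errors.New("signature does not verify")
	}
	r.counter = counter
	return nil
}

// Login runs one round trip; origin is whatever site the browser is really on.
func Login(tok *Token, reg *Registration, appID, origin, challenge string) error {
	client, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	counter, sig, err := tok.Sign(appID, client)
	if err != nil {
		return err
	}
	return reg.Verify(appID, challenge, client, counter, sig)
}
```

Login(tok, reg, app, app, "c1") succeeds for the real site, while Login(tok, reg, app, "https://accounts-example.com", "c2") fails on the origin check: the phishing site never gets a usable assertion.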

Do I use a security key?

Yes, definitely. I purchased this item on July 14, 2016, and added it on July 25, 2016. My experience has been phenomenal, as I gradually reduced my use of the other two-step authentication methods. I've treated the security key like any other standard key and put it on a key ring as a regular key. I've had a bit of a hard time explaining what it is to my family and friends, but eventually they got used to it.


How do I buy one?

You can purchase one from Amazon.com (provided by Yubico) for as cheap as $17.99. Configuration is easy and can be done on websites like Google or Dropbox.



In Summary

No matter where you go, you will never find anything as secure as your Google account: be it online bank accounts, Microsoft accounts, Facebook accounts, Akamai accounts, etc. This company is obsessed with security and breathes security. If you have sensitive information or any critical material on your Google account, it would be wise to purchase and configure a security key to take advantage of Google's security.

Thursday, March 17, 2016

It is 2016 and Payoneer still does not offer two-step authentication

In summary, this blog post is about Payoneer not offering two-step authentication for its members despite numerous requests.

As of March 17, 2016, Payoneer, a world-renowned company with more than 3 million customers, does not offer a two-step authentication protection for its members.

Founded in 2005, Payoneer provides financial services and online money transfer services worldwide. It is available in more than 200 countries and supports more than 150 currencies. 

Payoneer's concept is simple: you get an international credit card from Payoneer that allows you to get paid by any valuable American company. You will be able to use the card at literally any ATM anywhere in the world and withdraw the funds. You don't have to deal with banks, their headaches and contracts.

Payoneer had extreme success in the past and recently posted those stats on their website:


After massive success and 10 years in business, the security department at Payoneer still doesn't get it: two-step authentication matters; all large and small tech giants include it, such as Apple, Amazon, Google, Microsoft, etc.

Apparently, Payoneer is not aware that it is a company that handles financial accounts, not social media accounts. Would thieves and hackers be more interested in hacking or hijacking a simple social media account, or a financial account that gives access to a decent amount of cash?

Computersolving.com said:

Here goes my first criticism of Payoneer: besides no 2-factor authentication being available, I find it unbelievable that a company processing payments will not allow me to use special characters in my password; only letters and numbers are allowed. This will greatly help malicious hackers trying to break into my account using a brute force attack.

What Payoneer doesn't understand is that it is not difficult to get to know someone's password, whether by installing spyware on the victim's machine, standing behind the victim while s/he types the password, or through any kind of security vulnerability in the service's website and database. In addition to that, Payoneer does not force members to add special characters to their passwords.

The community has been asking for this feature since forever, for example:




4. November, 2015: Security at Payoneer


I have personally contacted Payoneer's customer support team and this is the response I have received from them:

Thank you for contacting us. We understand your concern. Unfortunately the service is not available at present. We are working hard to make this available in future.

From this blog, I send a wake-up call to the security department of Payoneer: it is time to fall out of the coma and straighten up the security department.

Monday, September 14, 2015

Mia Khalifa's Instagram Account Hacked

Mia Khalifa, a Lebanese pornstar whom I respect a lot, claimed that her Instagram account was hijacked or hacked by some people who posted Islamic content on her profile. By examining the evidence found online, it would be fair to say that her Instagram account really did get hacked or hijacked. All that being said, it is worth mentioning that Mia Khalifa caused a lot of controversy in Lebanon, received death threats from ISIS and was disowned completely by her family.


On 14 September 2015, Mia Khalifa tweeted this at Instagram:

Apparently, Mia Khalifa's Twitter account got hacked and it's not a joke. Her username on Instagram was miakhalifa1; the hackers changed it to miakhalifa_by_v.p_:


They've also linked her old username miakhalifa1 to another account:


One can easily understand her frustration: her account has 2.2 million followers, which is something, and she has a right to that account. Moreover, Instagram should act and give her back her account, regardless of Mia Khalifa's profession.

What is more disturbing is the Islamic images/videos they have been posting, for example this one:


It is worth noting that those people may not have hacked Mia Khalifa's account; they might have just hijacked it. That means they either guessed her password or sent her some spyware to steal it. Facebook's servers are extremely difficult to hack, though it is not impossible.

Maybe it is time that Instagram starts supporting or enforcing two-step authentication for its users. All in all, Mia Khalifa is a victim and Instagram should act.
