Archives for the category: hacking

Creepy, where have you been?

Creepy is a geolocation OSINT tool that can be used during the footprinting phase. It is written in Python and is cross-platform. It was developed for educational purposes, to show how much geolocation information is contained in posts published with the location option turned on.

OSINT (Open-Source Intelligence) tools collect information from public sources accessible via the Internet, i.e. free, unclassified information sources.

With this in mind, what Creepy does is collect location data about the users chosen as targets. This data is gathered from posts on social networks such as Twitter, Instagram or Flickr whose users have location sharing turned on.

Below you’ll find some screenshots showing how Creepy works and the results it produces.

  1. Once the target has been specified, a search is run to find every published location:

post 1 edit.png

We can see that most of the findings are in Spain and that there is one in Belgium.

  2. Let’s zoom in to see the findings in more detail:

post 1 edit.png

post 1 edit.png

As you can see, it is very easy to track someone who publishes their location on social networks, so it is important to keep location sharing turned off and enable it only when needed.

Translated by Ana García Negrillo (@ANAgarneg)

Have I Been Pwned?

The lack of awareness we have about our digital identities caught our attention, and it has always been of great interest to us here at Wh0s.

Since the popularization of the Internet we all exist on it in some way, and it is becoming difficult for many of us to know how many accounts we have. In fact, how many of us know how many social networks, forums or websites we have registered on? What about applications? How many applications have you downloaded where you had to enter personal information such as your name, surname or email? Although it may seem unimportant, every time we register we are creating a digital identity, handing some of our data to companies that store it in their databases. What if they lose this information? Maybe nothing happens, or maybe your ID number, address, etc. end up freely circulating on the web. And once something is on the Internet… it is there forever.

When such a loss of information happens, the affected party is said to have been pwned. In hacker jargon, to pwn means to compromise or control something, specifically another computer (server or PC), website, gateway device or application, against the owner’s wishes. In these cases it is simple:

pwned.jpg

But how important are these cases? It may sound a bit paranoid, but there have been more cases than we think, some of them causing very serious information losses, such as the PS3 or Adobe cases (links to official news), which, mainly out of ignorance, were not considered important at all.

For our part, we would like to talk about a website, https://haveibeenpwned.com/, where you can check whether any of your accounts has been affected by one of these cases. (There are others, but in our opinion this is the most complete one.)

HaveIBeenPwned.png

On @haveibeenpwned you can follow every compromised database as it is added to the system. To conclude, we leave you a very curious case to check, admin@sony.com, and some basic recommendations:

  1. Never give your real data unless it is necessary.
  2. Don’t reuse passwords, and don’t use the same identifiable pattern either.
  3. Use two-factor authentication, or systems that add security such as the Latch implementation we talked about earlier.
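Recommendation 2 is the one you can check mechanically. The site above later added a Pwned Passwords "range" API that lets you test a password against leaked ones without ever sending the password itself: only the first five hex characters of its SHA-1 hash leave your machine, and you match the rest locally (k-anonymity). The following is an added example, not code from the original post or from Have I Been Pwned; the endpoint URL is the real one, the sample range response below is constructed so the example runs offline, and the network helper is only used when you call it yourself.

```python
import hashlib
import urllib.request

# Real HIBP Pwned Passwords endpoint; you append the 5-character SHA-1 prefix.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return how
    many times our suffix appeared in breaches, or 0 if it is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Network call to the real service (not exercised in the offline demo)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "wh0s-hibp-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_pwned(password: str, fetch=fetch_range) -> int:
    """Return the breach count for `password`. `fetch` is injectable so the
    lookup can be tested against a canned response."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(fetch(prefix), suffix)


# Constructed offline sample of what a range response looks like for the
# prefix of the (deliberately weak) password "password". The counts and the
# neighbouring suffixes are made up for this example.
SAMPLE_PASSWORD = "password"
_prefix, _suffix = sha1_prefix_suffix(SAMPLE_PASSWORD)
SAMPLE_RANGE = "\n".join([
    "00000000000000000000000000000000000:1",
    f"{_suffix}:1234",
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2",
])


def offline_demo() -> tuple[int, int]:
    """Run the lookup against the canned response for a leaked and a
    non-leaked password, without touching the network."""
    canned = lambda prefix: SAMPLE_RANGE  # ignores prefix: offline stand-in
    return (times_pwned(SAMPLE_PASSWORD, fetch=canned),
            times_pwned("a long passphrase nobody has leaked", fetch=canned))


if __name__ == "__main__":
    leaked, clean = offline_demo()
    print(f"'{SAMPLE_PASSWORD}' seen {leaked} times; other password seen {clean} times")
```

Because the comparison happens on your side, the service learns at most that your hash starts with one of 16^5 prefixes, which is why this check is safe to run on a real password; a check that uploads the full hash or the password itself is not.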

We hope this post has been of interest to you, and if you know of any curious case like admin@sony.com, don’t hesitate to leave a comment.

Cheers!

Translated by Ana García Negrillo (@ANAgarneg)

bWAPP: learning IT security with an app

Today we want to talk about bWAPP, an insecure web application for educational purposes, created by Malik Mesellem (@MME_IT).

There are other applications of this type, but we discovered this one during our stay in Belgium last week and found it interesting.

What is bWAPP?

bWAPP is an insecure, open-source web application designed to help students, developers and anyone interested in IT security improve their skills at discovering and preventing web vulnerabilities.

This app contains more than 70 vulnerabilities, such as SQL injection, Cross-Site Scripting (XSS) and Denial of Service (DoS).

We can install this app in two different ways:

  • We can download the bWAPP application and then install it on our own web server (Apache/IIS) or in XAMPP or WAMP.
  • Alternatively, we can download ‘bee-box’, a virtual machine with bWAPP already installed. It takes up 7.3 GB.

Once installed, it is time to play… here are two examples of exploiting vulnerabilities:

XSS – Reflected:

1. We choose the vulnerability we want to exploit, in this case ‘Cross-Site Scripting – Reflected (GET)’.

2. We write ‘<script>alert("XSS")</script>’ in ‘First name’:

3. Result:


SQL Injection:

1. Insert characters: in this case a single quote (') is enough:

2. We get information back from the database:
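The two exercises above fail for the same underlying reason: user input is copied into a different language (HTML, SQL) without being separated from that language's syntax. The following is an added example, not code from bWAPP or from the original post, that shows a minimal vulnerable handler for each case next to its hardened form, using the same two inputs the exercises use. The in-memory SQLite table and its rows are constructed for the example; bWAPP's own schema is not reproduced.

```python
import html
import sqlite3

# The same inputs the two bWAPP exercises use.
XSS_INPUT = '<script>alert("XSS")</script>'
SQLI_INPUT = "'"


def greet_vulnerable(first_name: str) -> str:
    """Reflected XSS: the parameter is copied into the HTML response unchanged,
    so any markup in it is rendered (and any script in it is executed)."""
    return f"<p>Welcome {first_name}</p>"


def greet_hardened(first_name: str) -> str:
    """Output encoding: HTML metacharacters become entities, so the browser
    shows the text literally instead of interpreting it as markup."""
    return f"<p>Welcome {html.escape(first_name, quote=True)}</p>"


def demo_db() -> sqlite3.Connection:
    """In-memory table standing in for bWAPP's movie search (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (title TEXT, year INTEGER)")
    conn.executemany("INSERT INTO movies VALUES (?, ?)",
                     [("Iron Man", 2008), ("The Incredible Hulk", 2008)])
    return conn


def search_vulnerable(conn: sqlite3.Connection, title: str):
    """String concatenation: a single quote in `title` closes the SQL literal,
    the statement no longer parses, and the raw database error is returned
    to the user, which is exactly the information leak seen in the exercise."""
    try:
        sql = "SELECT title, year FROM movies WHERE title LIKE '%" + title + "%'"
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return f"DB error: {exc}"


def search_hardened(conn: sqlite3.Connection, title: str):
    """Parameterised query: the quote is bound as data and never parsed as SQL,
    so the same input simply matches nothing."""
    sql = "SELECT title, year FROM movies WHERE title LIKE ?"
    return conn.execute(sql, (f"%{title}%",)).fetchall()


if __name__ == "__main__":
    print(greet_vulnerable(XSS_INPUT))
    print(greet_hardened(XSS_INPUT))
    conn = demo_db()
    print(search_vulnerable(conn, SQLI_INPUT))
    print(search_hardened(conn, SQLI_INPUT))
```

Encoding at the point of output (not at input, and with the encoder for the context you are writing into) and binding values as query parameters are the two fixes bWAPP wants you to arrive at for these exercises; a generic error page instead of the raw database message removes the second, smaller leak.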

You can find all the information about this app, together with the download and the documentation, at the following link:

http://itsecgames.com/

Here are some other applications where you can learn hacking techniques without getting into trouble:

  • Gruyere, a project from Google. You can find more information about it at @fluproject.
  • WebGoat, an OWASP project.
  • Hack.me, an eLearnSecurity project where you can access several vulnerable web applications to learn and improve pentesting techniques.

Time to enjoy playing and learning!

Translated by Cristina Serrano (@parole_errante)

White Hats, Black Hats… what are the differences between them?

There are still many people who do not know the difference between white hats and black hats… those evil geeks. We are going to try to explain what is what in order to put an end to the confusion.

White Hats: these are the ones who use their computer skills to improve security; they are also known as ethical hackers. They normally work for computer security companies and, if they find a vulnerability, they inform the affected party instead of attacking it, so that the problem can be fixed before someone with worse intentions finds it.

Black Hats: a.k.a. crackers, these are people with computer skills who use hacking techniques fraudulently. They show off these skills by attacking other people’s computers, infecting networks or causing denial of service (DoS). Every activity done by black hats is illegal and may end up in court.

As you can see, the key lies in the intention: while hackers act with good intentions, to improve security systems, all crackers want is to break through every security wall and look for holes in order to hurt people and/or profit.

This is a very worn-out topic, but for most people hacker is synonymous with illegal activity, and when someone says they work as an ethical hacker everybody thinks they are doing something illegal; now we know it is not like that.

We hope we have shed some light on this, because when something related to these words appears in the news it is normally treated incorrectly, generalizing and turning hackers into crackers.

And, as the proof of the pudding is in the eating, here is a very recent news item that uses the word “hacker” where it should say “cracker”.

http://pulsoslp.com.mx/2014/03/15/hackers-divulgan-falsas-noticias-sobre-hallazgo-de-avion/

[Hackers spread fake news about the discovery of the plane]

Cheers!

Translated by: Ana García (@ANAgarneg)

Phishing in Google Drive

Hello there!

Today we have very interesting news about something we heard about a few days ago and that is not being discussed much. Symantec has reported a phishing campaign that uses Google Drive as bait to steal information.

The trick is really simple, but very interesting at the same time, because it is very easy to be fooled by it. The user receives an email with a shared document. Once the targeted user clicks on the link, they are automatically redirected to a fake webpage that impersonates Google Drive’s login screen.

 

Phishing Google

After the access credentials are entered, they are sent to a PHP script on a web server.

The special feature of this phishing is that the fake webpage is hosted on Google’s own servers and uses SSL (Secure Sockets Layer), so you may think the page is real because it looks very similar to the original one.

Furthermore, after submitting the credentials you are redirected to the real Google Drive, so that the theft goes unnoticed.

How do they do it? They created a public folder in Google Drive and obtained a public URL by uploading a file to it. With this URL they can send the fraudulent messages.

Why do they target Google and Gmail? Because both are very attractive for this kind of attack, since access to these services usually means access to many other services where we are registered or have an account.

So if something similar happens to you, be suspicious. If you are already signed in to your email account, why would you have to enter your credentials again to access Google Drive?

We hope you find this information useful.

Sources:

http://googlelizados.com/2014/03/14/phishing-google-drive/ (In Spanish)

http://thehackernews.com/2014/03/watch-out-scammers-targeting-google.html

Translated by: Cristina Serrano