Ethical Hacking

Google Project Zero is a team of highly talented security analysts with a brief to uncover zero-day vulnerabilities. If a vulnerability is found, Project Zero reports to the vendor concerned and starts a 90-day countdown for a fix to be issued before full public disclosure is made. LastPass is also in the security business, being one of the most popular password management solutions with more than 16 million users, including 58,000 businesses. Project Zero has just disclosed that a security vulnerability left some of those 16 million users exposed to the risk of credential compromise as, in an ironic twist, LastPass could leak the last password used to any website visited.

https://www.forbes.com/sites/daveywinder/2019/09/16/google-warns-lastpass-users-were-exposed-to-last-password-credential-leak/#5e161ec64600

LastPass is a password manager that stores encrypted passwords online and provides users easy access to them through a web interface, browser plugins and smartphone apps. The vulnerability allowed an attacker to exploit a flaw in Chrome and Opera extensions to expose the last credentials filled by LastPass. It was eventually patched. To me, this vulnerability really highlights the biggest flaw of password managers. The tool that is supposed to protect you is actually the thing that can cause the most harm. I’m interested to know if anyone in class has experience with password managers and if you would recommend using one.

https://www.securityweek.com/lastpass-patches-bug-leaking-last-used-credentials

<https://www.youtube.com/watch?v=pSJScUhJgJI>

I used the Kali ISO image to build Linux in VMware Workstation, configured 2oGB disk and 4GB memory, and then followed all default choices throughout the process. However, I got stuck at booting screen with “_” flashing after the installation before log-in. I found this video and eventually got it fixed. When you get to the “GRUB boot loader” menu, you should choose “/dev/sda” instead of the default choice “Enter device manually”. If you got the same problem, that should solve it. Excuse me for not having tried VirtualBox and pre-built Kali image yet. Therefore, I have no solution to problem regarding those.

Social engineering and spear-phishing combined with malware and vulnerabilities show us guarding valuable data, systems with technologies are never sufficient. End-user training and cybersecurity awareness programs are equally important.

See the hack just came to light in recent years:

https://cybersguards.com/north-korean-hackers-infiltrate-the-atm-network-in-chile-following-an-interview-with-skype/ (Links to an external site.)

Such hacks would never happen if training and cybersecurity awareness programs are in place and required for all employees.

https://thehackernews.com/2019/04/xiaomi-antivirus-app.html

I have always been a fan of Android over iOS, but I found this headline to be too awesome to pass up. Certain Xiaomi phones come pre-loaded with an Antivirus app suite called Guard Provider. The main feature of Guard Provider is that it helps to facilitate you choosing an antivirus app, from a list of 3: Avast, AVL or Tencent. I supposed they did this, so that they didn’t have to develop an antivirus app themselves, but also didn’t want to prevent the customers from being able to have some flexibility in which AV app they wanted to use. Not sure why they would do this, since Android let’s you add and remove apps as you please, for the most part. The problem with Guard Provider is that it used an unsecure HTTP connection for downloading AV signature updates and it also allowed the 3 SDKs from the 3 AV apps to co-exist and talk to each other. This combination could allow an attacker to perform and man in the middle attacker over that HTTP connection and slip malware into the download. They also apparently found a way to exploit that connection, so that they could access the user’s pictures, videos and other data. The software has since been patched.